With security breaches proliferating in recent years, it’s more important than ever to protect your users and applications by implementing Two-Factor Authentication (2FA). 2FA is a subset of multi-factor authentication (MFA) which was developed to protect accounts and devices by adding security verification to the login process.
For a quick refresher, 2FA means that in addition to a password, a service prompts users for a second, independent piece of evidence before signing them in. Strictly speaking, MFA is the general term for any login that requires two or more factors; 2FA is simply the common case of exactly two.
Specifically, 2FA confirms a user's identity with two different categories from the following list (a password plus a security question is still only one factor, because both are things the user knows):
- Something they know (a password or PIN)
- Something they have (a smart card, hardware token, or mobile device)
- Something they are (a fingerprint, voice, or face)
While not perfect, 2FA remains one of the most cost-effective defenses in web security because it blunts the most common attack of all: a stolen or guessed password. Once a second factor is required, a password alone no longer gets an attacker into the account, so the damage from a leaked, reused, or phished password drops immediately.
The staggering reality is that:
- 90% of passwords can be cracked in an alarmingly short time.[^1]
- About two-thirds of people reuse the same password across all their accounts.[^2]
- Automated brute-force attacks can test billions of password guesses per second.[^3]
The rapid increase in the sophistication of attacks over the past year makes the case for implementing 2FA even more compelling. According to Microsoft's recent Digital Defense Report:
“Nation-state actors are engaging in new reconnaissance techniques that increase their chances of compromising high-value targets, criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services, and attackers have developed new ways to scour the internet for systems vulnerable to ransomware. In addition to attacks becoming more sophisticated, threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices... Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”
Types of 2FA:
Authenticator apps
The most popular form of 2FA today uses a software token to generate time-based one-time passcodes (TOTP). After the password step, the site prompts for the current code shown in a smartphone authenticator app; each code is valid for a single 30-second window (plus whatever clock skew the server tolerates) and then expires. Because the code is computed locally from a shared secret and the clock, nothing is sent to the phone that could be intercepted, which removes the main weakness of SMS delivery. TOTP codes can still be phished, though: a look-alike login page that relays the password and the code to the real site in real time gets in, so this is a large improvement over SMS but not a phishing-resistant factor.
Hardware tokens
Perhaps the oldest form of 2FA, hardware tokens are small physical devices that display a new numeric passcode every 30 or 60 seconds, many of them using the same HOTP/TOTP algorithms as authenticator apps with the secret sealed inside the device. Users type the displayed code into the site or app after entering their password. Their drawbacks are cost and the fact that they can be lost, and like any one-time code they can be phished. A newer class of hardware device, the FIDO2/WebAuthn security key, avoids that: the key signs a challenge bound to the site's origin, so a phishing site on another domain cannot obtain anything it can use. After its breach in June, Twitter rolled out such phishing-resistant security keys to employees with access to customer data.
SMS and voice
This is considered the least secure way to deliver a second factor. After the password step, the site texts or calls the user with a one-time passcode, which must then be typed in. The code travels over the phone network unencrypted, and an attacker can redirect it by SIM-swapping the victim's number or abusing carrier signaling, on top of ordinary phishing.[^4] It is still far better than a password alone, so offer it as a fallback where an authenticator app or security key is not practical rather than as the default.
Biometrics
Here the user's body is the token: a fingerprint, retina, or face scan. It is a promising option, with two caveats. A biometric cannot be changed if a copy leaks, so it should stay on the device as a local unlock for a device-bound credential rather than be sent to the server, and sensors can be fooled by a good-enough replica, so it should gate another factor rather than stand alone.
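To make the authenticator-app and hardware-token descriptions above concrete, here is an added worked example, written for this post and not taken from any Drupal module or vendor product: RFC 6238 TOTP in plain PHP, checked against the RFC's published test vectors. The base32 secret and timestamps are the RFC's own; the `verify_totp()` function, its one-step skew window, and its replay check are this example's design choices, not part of the standard.

```php
<?php
declare(strict_types=1);

// Added example: RFC 6238 TOTP as generated by authenticator apps and OATH hardware tokens.
// The secret below is the RFC's own test key ("12345678901234567890"), base32-encoded the
// way it would appear in a provisioning QR code. verify_totp() is this example's design.

/** Decode RFC 4648 base32 (the encoding used in otpauth:// provisioning URIs) to raw bytes. */
function decode_base32(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). */
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

/**
 * Server-side check. Accepts the current step and $window steps either side (clock skew),
 * compares in constant time, and refuses any step at or before $lastUsedStep so a code
 * captured in transit cannot be replayed. Returns the accepted step, or null on failure;
 * the caller must persist the returned step as the user's new $lastUsedStep.
 */
function verify_totp(string $secret, string $candidate, int $unixTime, int $lastUsedStep, int $window = 1, int $step = 30): ?int
{
    $current = intdiv($unixTime, $step);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $t = $current + $delta;
        if ($t <= $lastUsedStep) {
            continue;                                   // already redeemed: replay
        }
        if (hash_equals(hotp($secret, $t), $candidate)) {
            return $t;
        }
    }
    return null;
}

function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

$secret = decode_base32('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
expect($secret === '12345678901234567890', 'base32 round trip');

// RFC 6238 Appendix B vectors (SHA-1), truncated from 8 to the usual 6 digits.
expect(totp($secret, 59) === '287082', 'T=59');
expect(totp($secret, 1111111109) === '081804', 'T=1111111109');
expect(totp($secret, 1234567890) === '005924', 'T=1234567890');
expect(totp($secret, 2000000000) === '279037', 'T=2000000000');

// Verification: fresh code, code from the previous step (skew), then the same code replayed.
$now = 1234567890;
$code = totp($secret, $now);
$used = verify_totp($secret, $code, $now, 0);
expect($used === intdiv($now, 30), 'current code accepted');
expect(verify_totp($secret, totp($secret, $now - 30), $now, 0) !== null, 'one step of skew accepted');
expect(verify_totp($secret, $code, $now, $used) === null, 'replay rejected');
expect(verify_totp($secret, '000000', $now, 0) === null, 'wrong code rejected');

echo "TOTP at t={$now}: {$code} (all checks passed)\n";
```

Two details are worth noticing. The shared secret is all the security there is: anyone who reads it from the database can mint codes forever, which is why the Drupal section below cares about where per-site keys live. And nothing in the algorithm ties a code to the site that asked for it, which is exactly why a relayed code works for a phisher and why origin-bound WebAuthn keys are the stronger choice.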
With the pandemic-induced explosion of online video conferencing, Zoom finally rolled out 2FA for its platform to secure customer accounts. Once it is enabled, users enter a one-time passcode from an authenticator app, text message, or phone call after their password, which stops an attacker who holds only stolen credentials from taking over the account.
Elon Musk tweeted in August that 2FA was coming to Tesla accounts via SMS and authenticator apps. As of October 2020, Tesla customers can enable it.
Integrating 2FA with Drupal
We recently implemented 2FA for one of our clients on a Drupal 8 multisite platform: one codebase serving a number of sites that share a common set of configuration files. Since a single codebase is shared by multiple digital properties, the juicy challenge was to keep a separate 2FA API key per site while reusing the same 2FA configuration across the platform. In essence, we took advantage of configuration overrides in the different sites' settings files.
The individual sites' configurations get exported to a common sync directory which we commit to version control. The deltas in 2FA configuration between sites are all captured in individual settings overrides and are committed as well. Because Drupal applies settings overrides at runtime and never writes them into the exported configuration, there is no need to maintain separate or split configuration per site. Needless to say, we and our clients all sleep better at night.
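The pattern above, as an added example rather than the client platform's real settings: one shared `sites.php`, one shared config export, and a per-site `settings.php` that overrides only the 2FA values. The module name `example_2fa`, its config keys, and the `EXAMPLE_2FA_API_KEY` and `SITE_A_DB_PASSWORD` environment variables are hypothetical; substitute the config object of whichever 2FA module you use. The one deliberate difference from simply committing the key is that the secret is read from the environment, so the override that lands in version control carries no key value.

```php
<?php
// Added example (hypothetical module and variable names): the Drupal multisite
// config-override pattern from the post, with the per-site secret kept out of git.
//
// Assumptions: a 2FA module whose config object is 'example_2fa.settings' with keys
// 'issuer' and 'api_key', and environment variables EXAMPLE_2FA_API_KEY and
// SITE_A_DB_PASSWORD set per site by the web server or container.

// --- sites/sites.php (shared): route each hostname to its own site directory ----------
$sites['site-a.example.com'] = 'site-a';
$sites['site-b.example.com'] = 'site-b';

// --- sites/site-a/settings.php --------------------------------------------------------
$databases['default']['default'] = [
  'driver'   => 'mysql',
  'database' => 'site_a',
  'username' => 'site_a',
  'password' => getenv('SITE_A_DB_PASSWORD') ?: '',
  'host'     => 'localhost',
  'prefix'   => '',
];

// One exported config set for the whole platform, committed to version control
// (Drupal 8.8+; earlier 8.x releases use $config_directories[CONFIG_SYNC_DIRECTORY]).
$settings['config_sync_directory'] = '../config/sync';

// Per-site runtime overrides. Drupal layers $config[...] over the active configuration
// when it is read; `drush config:export` never writes these values to config/sync, so
// every site exports identical 2FA configuration and only this file differs.
$config['example_2fa.settings']['issuer'] = 'Site A';

$apiKey = getenv('EXAMPLE_2FA_API_KEY');
if ($apiKey === false || $apiKey === '') {
  // Fail closed: a site with 2FA enabled must not boot silently with an empty secret.
  // Downgrade to a logged warning if you would rather degrade than go down.
  throw new \RuntimeException('EXAMPLE_2FA_API_KEY is not set for site-a');
}
$config['example_2fa.settings']['api_key'] = $apiKey;
```

To confirm the override is in effect without exposing it in the export, compare `drush config:get example_2fa.settings` (the stored, shared value) with `drush config:get example_2fa.settings --include-overridden` (the value the site actually runs with); a `git diff` of `config/sync` after `drush config:export` on each site should show nothing 2FA-related at all.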
Making the Case to Stakeholders
As a site owner, product manager, or developer, prioritizing 2FA can sometimes be challenging. It may seem to the decision-makers like there is little to be gained from implementing this sort of security measure. After all, it won’t necessarily result in a direct revenue stream. If you’re in that boat, we’ve got you covered. Here are some articles that we believe make a solid case for prioritizing 2FA:
- Phishing attack spoofs IRS COVID-19 relief to steal personal data (TechRepublic)
- How Two-Factor Authentication Keeps Your Accounts Safe (Wired)
- Microsoft Digital Defense Report (Microsoft)
- Cybersecurity 101: Protect your privacy from hackers, spies, and the government (ZDNet)
- Tesla accounts now support two-factor authentication (TheVerge)
- Twitter's changes since the June attack include requiring security keys (Engadget)
- 61% of businesses don't apply basic password security techniques, here's how to (Security)
We at Chromatic are avid supporters of keeping ourselves and our clients as safe as possible given the unprecedented rise of malicious assaults in the digital world. It’s only bound to get worse and increasingly sophisticated, so go forth and enable 2FA everywhere.
Here’s a handy site that lists popular websites, web apps, and services detailing what, if any, 2FA features they support:
Some more articles to get up to speed on 2FA:
- Two-factor authentication: A cheat sheet (TechRepublic)
- What is 2FA? Two-Factor Authentication explained (TechRadar)
- Explained: Two-Factor vs. Multi-Factor Authentication (The Security Ledger)
- How to set up two-factor authentication on all your online accounts (TheVerge)
- Enable 2FA on Zoom's Mobile and Desktop Apps Right Now (Gizmodo)
[^1]: 20 Hours, $18, and 11 Million Passwords Cracked
[^2]: We beg, implore and beseech thee. Stop reusing the same damn password everywhere
[^3]: Bots Can Guess Your Password at the Rate of Billions of Guesses per Second. Are Your Accounts Secure?
[^4]: Do you use SMS for two-factor authentication? Here's why you shouldn't