Mastering Your Smartphone: Essential Skills for Everyday Use


What is Two-Factor Authentication?

Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security process that uses two authentication factors to validate users. Two-factor authentication secures user credentials and resources. It’s usually used to avoid data breaches and personal data loss.

Two-factor authentication is more secure than single-factor authentication. Single-factor authentication uses one authentication element, usually a password or passcode. Two-factor authentication uses a password plus a separate factor, generally a security token or a biometric element like a fingerprint or face scan.

How does two-factor authentication work?
Two-factor authentication is enabled differently by each application or vendor. However, two-factor authentication follows the same multistep process:

  1. The application or website prompts the user to log in. The user must enter a username and password.
  2. The site’s server finds a match and identifies the user.
  3. For password-free procedures, the website produces a user-specific security key. The authentication mechanism processes the key, and the site’s server checks it.
  4. The site requests the second login step. In this stage the user confirms that they have a biometric feature, security token, credit card, ID card, smartphone, or other mobile device. This is the inherence or possession factor.
  5. A one-time passcode generated in Step 4 may be required.
    The user is authenticated and given access to the website once both factors are provided.

Mobile two-factor authentication
Smartphones provide many 2FA options, so you can choose among them. Some devices can recognize fingerprints, use the camera for face or iris scanning, or recognize voices via the microphone. GPS-enabled smartphones add location verification. Voice or SMS can also be used for out-of-band authentication.

Apple iOS, Google Android, and Windows 10 offer 2FA applications that allow phones to meet the possession factor. Authenticator applications replace text, voice, and email verification codes. On websites that support Google Authenticator, users enter their username and password as their knowledge factor. They are then asked to enter a six-digit number.

Instead of waiting a few seconds for a text, the user gets the number from the authenticator app. These numbers are different for each login and change every 30 seconds. Entering the right number completes the verification procedure and proves device possession.

Authentication standards

The following open standard authentication protocols underpin 2FA authentication tools:

  • FIDO: This open, public key cryptography standard was created by the FIDO Alliance. Instead of passwords, it uses phishing-resistant passkeys.
  • OAuth: OAuth is an open standard that secures system resources like files and apps. It authorizes APIs. Mobile apps aren’t supported.
  • OpenID Connect: OIDC, developed by the OpenID Foundation, adds authentication and identity management features to OAuth 2.0. Mobile apps, APIs, and browser-based apps are supported.
  • SAML: Security Assertion Markup Language (SAML), developed by the Organization for the Advancement of Structured Information Standards, is an open standard for browser-based single sign-on applications like websites.

Push notifications for 2FA
A push notification is a form of passwordless authentication that verifies a user by sending a notification straight to a secure app on their device. The user can review the details of the authentication request and accept or refuse access with one tap. When the user confirms the authentication request, the server logs them into the web app.

Push notifications verify that the user possesses the device registered with the authentication system, commonly a smartphone. If an attacker compromises the device, the push notifications are compromised as well. Push notifications prevent unauthorized access, social engineering, and man-in-the-middle attacks.

Push notifications are safer than other authentication methods, but they still pose security issues. Users may mistakenly authorize a false authentication request because they are used to hitting OK.