Posted on 2021-09-06
Computer passwords are one of the first methods developed to secure accounts. Computer science historians have said that people first used computer passwords in the 1960s. However, the importance of keeping accounts secure has significantly evolved since then. Unauthorized access to accounts today can have serious detrimental effects. An attacker can harm finances with access to a bank account or damage reputation with a social media account.
With a password being the sole method of authentication, accounts can be susceptible to attacks. Credential stuffing is an attack where attackers automatically try reused or commonly used passwords on accounts. Fake login forms are a phishing attack where a victim is convinced to hand over their password. 2-factor authentication may help defend against these and other attack methods and prevent unauthorized access to accounts.
The main ways to authenticate are something you know, something you have, and something you are. Passwords are an example of something you know. However, using more than one method of authentication can make an account more secure. Smartphones are something that most people possess, which is why they are the most common second factor of authentication. Additionally, “something you are” commonly uses biometrics like fingerprints or irises.
SMS to a phone is a popular method of 2-factor authentication. When a user logs into an account with their password, the service texts a one-time code to the user’s phone. The user then enters the texted code on the website, fulfilling the 2-factor requirement. SMS as a second factor of authentication is good, but there are a few downsides. Some examples include unavailability without phone service and susceptibility to SIM swap attacks.
Many services allow for an app-based authenticator. After configuring, the app will repeatedly generate a six-digit code based on an algorithm. When logging in, a user receives a prompt to enter the current code for that service to fulfill the 2-factor requirement. While this is preferable over SMS authentication, it also has downsides. For instance, if the phone breaks, it may be more difficult to recover an account. Some common authenticator apps are Authy and Google Authenticator.
A less common but very secure method of authentication is a physical key. When logging in, there is a prompt to connect the key to the device. Depending on the key, USB, Bluetooth, or other methods can be used to connect. One downside to this method is the cost of a key, which can be prohibitive. Another downside is the lack of adoption. Usually, only large tech companies accept physical keys as a method of authentication. There are also sometimes compatibility issues with different browsers and devices. A favorite physical key is YubiKey.
The University of California, Davis has auto-enrolled students in 2-factor authentication. However, other accounts can have 2-factor authentication turned on. Major social media platforms like Facebook, Twitter, and TikTok all have options to turn it on. Most major banking platforms also have 2-factor authentication options.
If cyber security is interesting to you, please consider joining Cyber Security Club at UC Davis. Please visit our About Us page for more information about the club, how to get in contact with us, and how to receive announcements.