Two-Factor Authentication: A Deep Dive

This month we’ve highlighted the importance of using two-factor authentication to ensure you remain safe online.

But how do these safety measures actually work?

In our final Cybersecurity Awareness Month post, our security team digs into the technical details behind one-time passwords, two-factor authentication, hardware security keys, and what the future holds for online security.

Passwords have certain unavoidable shortcomings that, while acceptable years ago, are now exploitable by attackers on the web today. That’s why it’s important you use two-factor authentication, often called 2FA, to protect your accounts.

While all types of 2FA are more secure than using just a password, some do a better job of keeping your credentials safe. In this article, we’ll break down the three most common types of 2FA methods from least to most secure.

One-Time Passwords (OTPs)

OTPs are by far the most common 2FA method due to their ease of use. The most common iteration of OTPs is a random password (only briefly valid) sent via SMS, email, or provided through a mobile application that you must use in addition to a password.

The downfall of OTPs is that they are still passwords and therefore have the same weaknesses. If an attacker gains access to one of these codes, no matter how briefly, then your account could be at risk. Despite this risk, you should still use this method when available — in 2019, Google said that SMS-based 2FA helped block 96% of phishing attacks.

Push-Based 2FA

Push-based two-factor authentication is less common but more secure than OTPs because there’s no password involved. In a push-based authentication flow, the website you’re logging in to sends a push notification to a phone with a request to authenticate. This method can be facilitated by Security as a Service (SaaS) providers like Duo or Okta, and is often used for enterprise authentication.

The largest security concern for push-based 2FA is accepting an impostrous push, where an attacker has already stolen your password and initiates a push notification which you erroneously accept.

Hardware Security Tokens

Earlier this month, we advised you to use hardware security keys everywhere you can to enhance your online security.

The safest way to implement 2FA is with a Universal Two-Factor security token, or U2F. When employing this type of hardware security token, a website requests a U2F authentication. You are then prompted to connect the security token to your computer using USB, Bluetooth, or sometimes via Near Field Communication (NFC), and the token cryptographically signs the site’s request.

Most importantly, this method does not use passwords.

Using a hardware key provides an extra level of security as you must physically interact with the token by either pressing it or tapping it against your laptop or mobile device. This means there’s little to no chance of incorrectly approving a request since the key is speaking directly to the website through your device.

WebAuthn: Leaving Passwords Behind

The shortcomings among OTPs, push-based 2FA, and hardware security tokens is that they all just serve as a cover for the main problem: passwords.

WebAuthn is a standalone authentication method that leaves passwords in the past: the end goal is to replace multi-factor authentication with a strong and cryptographic single factor authentication. Simply, WebAuthn is a browser application programming interface that allows you to register and prove ownership of your credentials for a given website.

Many devices capable of either verifying you biometrically or with a PIN are also capable of handling WebAuthn requests. Laptops that support Windows Hello, many Android phones, and most recently released iOS devices are all capable of using WebAuthn because the same hardware used for local authentication can be applied.

Gemini gives everyone the ability to protect their accounts using the best security standards available. While you will still need a Gemini password for now, you can start using WebAuthn with either a hardware security token or with Windows Hello and TouchID supported laptops.

In the meantime, we have partnered with hardware security key maker Yubico to promote staying safe online. Use the promo code YK20E-GEMINI20 for $20 off any two YubiKey Series 5 keys at checkout on the Yubico website. The promotion ends November 30, 2020, 11:59pm Pacific.

As Cybersecurity Awareness Month comes to a close, we urge you to take this year’s theme to heart: Do Your Part. #BeCyberSmart!

Onward and Upward!

Team Gemini