This month we have highlighted the importance of using two-factor authentication to ensure you remain safe online.
But how do these security measures really work?
In our last Cybersecurity Awareness Month post, our security team digs into the technical details behind one-time passwords, two-factor authentication, hardware security keys, and what the future holds for online security.
Passwords have some unavoidable flaws that were acceptable years ago but can be exploited by internet attackers today. That’s why it’s important that you use two-factor authentication, often called 2FA, to protect your accounts.
While all types of 2FA are safer than using a password alone, some do a better job of keeping your credentials safe. In this article, we will analyze the three most common types of 2FA methods, from least to most secure.
One-Time Passwords (OTPs)
OTPs are by far the most common 2FA method because they are easy to use. The most common form of OTP is a random password (only valid briefly) sent via SMS or email, or generated by a mobile application, that you must enter in addition to your password.
The downside of OTPs is that they are still passwords and therefore have the same vulnerabilities. If an attacker obtains one of these codes, no matter how briefly it is valid, your account could be at risk. Despite this risk, you should continue to use this method when available – in 2019, Google said that SMS-based 2FA helped prevent 96% of phishing attacks.
Push-based authentication is less common but more secure than OTPs because there is no password attached. In a push-based authentication flow, the website you log in to sends a push notification to your phone with a request to approve the login. This approach can be facilitated by Security as a Service (SaaS) providers like Duo or Okta, and is often used for enterprise authentication.
The biggest security concern for push-based 2FA is receiving an unexpected push, where an attacker who has already stolen your password initiates a login and you receive a push notification that you might approve in error.
Hardware Security Keys
Earlier this month, we advised you to use hardware security keys everywhere you can to improve your online security.
The safest way to do 2FA is with a Universal Second Factor, or U2F, token. When using this type of hardware security key, a website requests U2F authentication. You will then be prompted to connect the security token to your computer via USB, Bluetooth, or sometimes Near Field Communication (NFC), and the token cryptographically signs the website's authentication request.
Most importantly, this method does not use passwords.
Using a hardware key provides an added level of security because you have to physically interact with the key by either pressing it or tapping it against your laptop or mobile device. This means there is little chance of wrongly approving a request, as the key talks directly to the website through your device.
WebAuthn: Leave passwords behind
The flaw shared by OTPs, push-based 2FA, and hardware security tokens is that they all serve only as a patch over the main problem: passwords.
WebAuthn is a standalone authentication method that moves past passwords: the end goal is to replace multi-factor authentication with strong, cryptographic single-factor authentication. WebAuthn is simply a browser application programming interface (API) that allows you to register and prove ownership of your credentials for a particular website.
Many devices that can verify you either biometrically or with a PIN can also handle WebAuthn requests. Laptops that support Windows Hello, many Android phones, and most recently released iOS devices can all use WebAuthn, because the same hardware used for local authentication can be applied.
Gemini gives everyone the ability to protect their accounts using the best security standards available. Although you will still need a Gemini password for the time being, you can start using WebAuthn with either a hardware security token or with laptops that support Windows Hello or Touch ID.
In the meantime, we have partnered with hardware security key maker Yubico to promote staying safe online. Use promo code YK20E-GEMINI20 to get $20 off any two YubiKey 5 Series keys at checkout on the Yubico website. The promotion ends November 30, 2020, 11:59 pm Pacific.
As Cybersecurity Awareness Month comes to a close, we urge you to take this year’s theme to heart: Do Your Part. #BeCyberSmart!
Onwards and upwards!