Monday 22 July 2013

What Is 2-Step Authentication?



With most of us using the Internet for many different applications such as online banking, shopping and social media, to name a few, the security of our authentication credentials is becoming increasingly important. Many organisations such as Google, Microsoft and Apple are turning to 2-Step Authentication to solve the problem of compromised username / password combinations.

The problem is that many people use the same username and password combinations on multiple sites, click on links in unsolicited emails and download all manner of documents and emails from the Internet. Passwords can be and are stolen due to our use of the Internet and we must be more careful. Imagine having your password and personal details stolen while online shopping, only to find later that your online banking has been compromised.

The basis of 2-Step Authentication is the addition of information that only the intended user could possibly know. It could be a PIN, or it could be a physical item such as a smart card, and in some cases it could be a physical attribute of the user such as a fingerprint or cornea recognition. Some of these things may not always be possible or indeed appropriate for logging on to a website remotely over the Internet, but the addition of secret information to the username and password increases the probability that a genuine user is logging in.

Some secure authentication systems, often used by financial institutions, use an electronic token. Probably the most common of these uses a time-based token, where the user presses a button on the token device to generate a time code, which in turn is used to create a new passcode. This form of authentication is normally in addition to the normal username and password, which prompts the server to challenge the user for the correct passcode.

Recent use of 2-Step Authentication includes the Google method: after the username and password have been entered successfully, Google send a text message containing a passcode to a registered phone number, and the user has to enter that passcode to be allowed access. Google even give the option not to be asked for the code again when using the same computer to log on. If Google detect that a different computer is being used, another passcode will be generated and sent to the same registered device. Obviously if the password has been stolen, the thief should not be in possession of the mobile phone to receive the text message.

Apple succumbed to pressure to tighten up security by introducing 2-Step Authentication for users wishing to make purchases via iTunes and the App Store back in March 2013.

Microsoft are now using the same 2-Step Authentication method by sending out a security code by email, text or phone call, which the user has to input after the original username and password. This one-time passcode method requires the user to have registered contact information including a landline telephone number or mobile number.

This article on 2-Step Authentication was written by David Christie, MD at NSTUK Ltd, Website http://www.nstuk.com. NSTUK Ltd offer a range of Data Networking Instructor-Led Training Courses including VoIP and SIP, and deliver those courses within the UK and throughout the World.
