With the advent of computer technologies in everyday life, the protection of data transmitted and stored in the network has become a necessity. Along with the hardware and software components, the data protection systems must include authentication tools that can prevent unauthorized access to the accounts.
At first, the usual reusable passwords seemed a quite sufficient protection means. But, it soon became clear that this way of user’s authentication is extremely unreliable. The passwords may be guessed, stolen or accidentally disclosed. This is where the time of two-step authentication has come.
The main problems the 2FA is trying to tackle today boil down to making the two-step authentication process more user-friendly not depriving it of security and reliability. What steps have already been done in this direction, and which are still to come?
The cards with the list of codes (TAN-codes)
At first, the one-time passwords were sent to the users in a quite primitive way. A list of codes was either delivered in person (for example, together with a credit card at the bank) or e-mailed. Each combination of symbols on the card went off only once, and the next time the user had to choose a different temporary password from the list. Of course, sooner or later, all the passwords on a list were used, and the user had to get a new card with TAN-codes for two-factor authentication.
Pros: no pros except for a low price. Thus, the TAN-code cards have almost gone out of use.
Cons: a possibility of theft, a need to update the list from time to time.
Two-step authentication code via SMS
When the cell phones just appeared, they were expensive and only a few could afford such gadget. But over time, the cost of the devices, as well as the tariffs for mobile communications decreased significantly thus increasing the number of the cell phones owners. The temporary passwords and TAN-codes were sent via SMS. SMS authentication is still a fairly common means of the OTP passwords delivery.
Pros: convenient for both a system and a client.
Cons: mobile communication is not always stable, SMS can be intercepted, as well as it’s quite expensive for the company to send messages to its users.
Hardware OTP tokens
Hardware OTP token is currently one of the most secure 2-factor authentication means. There are contact and contactless OTP tokens. The first type requires a connection to the computer’s USB-port. The second type runs free from the Internet and public telephone networks. Thus, contactless OTP tokens are protected from any malicious software and the one-time passwords cannot be intercepted. Lately, there appeared the USB-tokens, which, although inserted into the connector, activate only at the touch of a button (eg, Yubikey). Even if there will be a virus on the computer, the latter will fail to infect this token and use it to intercept one-time passwords.
Recently, Protectimus has introduced a new type of hardware tokens – reprogrammable OTP tokens in the form of the plastic cards of two sizes. Protectimus Slim token of the standard size ISO/IEC 7810 ID-1 (85.6 × 53.98 × 0.76 mm) and Protectimus Slim mini only 64×38 mm in size. These tokens can be easily reflashed with the help of the NFC technology that turns these hardware tokens into the universal one-time password generators, which can be connected to absolutely any authentication system. Find more information on these tokens here.
The modern tokens use different algorithms of the one-time password generation: by event (HOTP), by time (TOTP), “challenge-response” (OCRA). These devices can provide strong authentication for the most important data exchange areas.
Pros: high reliability, the use of complex generation algorithms, PIN-protection in most cases.
Cons: hardware tokens are not free, they can be lost, you need to carry them around constantly.
Applications for OTP generation
The total spread of the smartphones has pushed developers to an idea to create the one-time password generator installed right on the mobile device – according to the principle “All that is mine I carry with me.” Google Authenticator and Protectimus Smart application are good examples.
Pros: convenient, free, PIN-protected, can use different algorithms for the one-time passwords generation (TOTP, HOTP, OCRA).
Cons: you may face certain problems if signing in from the same mobile device where your software token is installed. In this case, the two-step authentication loses its second step. Besides, the smartphone can be infected with the viruses able to intercept the OTP passwords.
What to expect from the two-step authentication in the future
All new 2FA authentication methods that are being developed today have both advantages and disadvantages. Each 2-factor authentication method has its own. For example, the biometric authentication, if not combined with any other method, cannot be considered completely reliable (here you can read why).
As for implanting RFID chips under the skin, which recently has made a lot of noise, this method is relatively expensive and cannot be widely used. Despite its appeal in terms of reliability,
If you will look at things realistically and take into account such parameters as the cost, the ease of use, as well as the protection against hacks and thefts, you’ll see that as of now the usual hardware tokens in the form of the key-fobs and plastic cards are the best option. Besides, they are constantly improved and have great development prospects. Thus, the technology already allows avoiding entering a one-time password. The only thing the user needs to do is to enter the PIN-code to unlock the token. All the rest the device makes itself: automatically sends the OTP password to the system with the help any wireless technology.
The two-step authentication can also be performed with the body-worn tokens – bracelets, pendants, rings. To prevent an unauthorized use, such devices may be complemented with a biometric verification (e.g., pulse). This will serve as another authentication factor since it cannot be misused by another person.
Today, we have several candidates for a title of the most promising authentication means, but it is unlikely we will find one ideal. It can be expected that we will still use different solutions to control user access to the protected information.