What is two-factor authentication (2FA)?

Good afternoon! Last time I explained in detail how to protect your flash drive from viruses and malware; today we'll talk again about protecting your data and services. The topic is two-factor authentication, also called two-factor protection, which you can find on virtually any normal service or website. I am sure this information will be relevant to many, since 80 percent of users simply forget about it, and later pay for that.

What is two-factor authentication (2FA)

Let's take a classic situation, using Russia as an example. There is a popular social network, VKontakte, used by a huge number of people. Most of them access it with just a login and password, and since people are lazy and naive, they do not worry much about the security of their account. That eventually gets the account hacked, so they lose it along with their access, and it is not certain they will ever get it back, since they may not even have linked a phone number to it. Had they set up two-factor protection beforehand, a compromised password would not matter, because an additional verification step tied to the phone would still be required.

Two-factor authentication is an additional, robust security process (I would call it advanced authentication) that is required of a user accessing a device or service. It involves a second security key, which can be a code sent by SMS or a temporary code generated by a special application that refreshes it every 25 seconds.

The bastion of two-factor protection is your mobile phone, whose number is linked to the account or device; it serves as an additional means of confirming the identity of the true owner.

How two-factor protection works

Let me describe the algorithm by which two-factor protection works. Once you understand the principle, it will be easy to set it up anywhere, on any service. So, we have a wonderful user named Tanya (I love this name). Tanya decides to create an account at Gmail.com. She goes through the registration procedure, where she specifies the login and password she will use to enter her mail. Gmail confirms her registration and activates the username and password with which she will log in.

Tanya logs in to her email with her username and password. Gmail offers to set up two-factor authentication, either by linking a phone number to which SMS codes will be sent, or by installing the Authenticator application, which generates a security code every 25 seconds; if you have not entered the current one in time, a new 6-digit code is generated. Tanya installs it and enables two-factor protection.

From now on, each time Tanya logs in she must enter, in addition to the classic credentials (login and password), a code from an SMS or from the Authenticator utility installed on her smartphone. Once she does, she gains access to the service.

Pros and cons of two-factor authentication

I'll start with the advantages of this technology:

  • A very high degree of protection (I would rate it 99%), since everything is tied to a phone number, which is very difficult to compromise
  • The second factor is always at hand
  • Access codes change frequently

Among the minuses we can highlight the following:

  • Since everything is tied to the phone number, losing it makes access to your services difficult; most services have a recovery procedure, but it is very labor-intensive
  • The risk that a virus gets installed on the device and forwards your data to attackers
  • The device may run out of battery at exactly the wrong moment
  • The mobile phone must always have the operator's network, otherwise it will not be possible to receive SMS or codes
  • Some services use an additional code sent to email as their second factor, so to avoid being compromised, be sure to enable two-factor authentication on the email account itself; otherwise it will be hacked, and then the fun begins
  • SMS notifications may arrive with a delay; I encountered this with Sberbank and VTB24

Types of two-factor authentication

Let's look at the main types of two-factor protection implementations you can easily come across at the moment; they may be updated and expanded over time, but for now there are these:

Which two-factor authentication method 2FA is better?

I won't go into detail here; I'll highlight two, and both are linked to your mobile phone. These are SMS and push notifications, and, more reliably, authenticator programs. The advantages are that it is all free, everyone has a mobile phone, and most importantly, it is reliable.

Which software Authenticator 2FA to choose?

Let me describe which authenticator I would advise you to choose.

  • Google Authenticator is the most popular authenticator in the world used for two-factor protection, owing to Google's popularity as a company and, of course, the number of services it provides.
  • FIDO is the second most popular defender (https://www.yubico.com/solutions/fido-u2f/)

How to hack 2FA two-factor authentication

In order to bypass two-factor authentication, hackers use the following methods:

How to restore two-factor authentication

If you have lost your phone and want to restore your access, the algorithm is as follows:

  1. If possible, restore the SIM card and phone as quickly as possible
  2. Before activating the software authenticator, services give you secret recovery codes or a QR code; you must have them
  3. If there are no codes, you will have to write to technical support and prove that you are you, so be sure to prepare all your data and documents. This works only if you filled everything out correctly and completely, and are not just the owner of the "megapixar123" account :)

How to disable two-factor protection?

In general, I do not advise you to disable the two-factor code, in view of the reduced security of your data, but if you still decide to, each service has its own procedure, which in 99% of cases comes down to flipping a toggle switch in the settings that disables two-step verification. You will also need to enter a verification code or the answer to a security question. I was with you, Ivan Semin, author and creator of the IT blog site.



Master password

With a master password you can:

  • make it so that, instead of a fingerprint, only the Yandex.Key master password can be entered, and not the device lock code;

Backup copy of Yandex.Key data

You can create a backup copy of the Key data on the Yandex server so that you can restore it if you lose your phone or tablet with the application. The data of all accounts added to the Key at the time the copy was created is copied to the server. You cannot create more than one backup copy; each subsequent copy of data for a specific phone number replaces the previous one.

To retrieve data from a backup, you need to:

  • have access to the phone number that you specified when creating it;
  • remember the password you set to encrypt the backup.

Attention. The backup copy contains only the logins and secrets necessary to generate one-time passwords. You must remember the PIN code that you set when you enabled one-time passwords on Yandex.

It is not yet possible to delete a backup copy from the Yandex server. It will be deleted automatically if you do not use it within a year after creation.

Creating a backup

  1. Select Create a backup in the application settings.
  2. Enter the phone number to which the backup will be linked (for example, "380123456789") and click Next.
  3. Yandex will send a confirmation code to the entered phone number. Once you receive the code, enter it in the application.
  4. Create a password that will encrypt the backup copy of your data. This password cannot be recovered, so make sure you don't forget or lose it.
  5. Enter the password you created twice and click Finish. Yandex.Key will encrypt the backup copy, send it to the Yandex server and report that it has done so.

Restoring from a backup

  1. Select Restore from backup in the application settings.
  2. Enter the phone number you used when creating the backup (for example, "380123456789") and click Next.
  3. If a backup copy of the Key data is found for the specified number, Yandex will send a confirmation code to this phone number. Once you receive the code, enter it in the application.
  4. Make sure the date and time the backup was created, as well as the device name, match the backup you want to use. Then click the Restore button.
  5. Enter the password you set when creating the backup. If you don't remember it, unfortunately, it will be impossible to decrypt the backup.
  6. Yandex.Key will decrypt the backup data and notify you that the data has been restored.

How one-time passwords depend on precise time

When generating one-time passwords, Yandex.Key takes into account the current time and the time zone set on the device. When an Internet connection is available, the Key also requests the exact time from the server: if the time on the device is set incorrectly, the application corrects for this. But in some situations, even after correction and with the correct PIN code, the one-time password will be incorrect.

If you are sure that you are entering your PIN code and password correctly, but you cannot log in:

  1. Make sure your device is set to the correct time and time zone. After that, try logging in with a new one-time password.
  2. Connect your device to the Internet so that Yandex.Key can get the exact time on its own. Then restart the application and try entering a new one-time password.

If the problem is not resolved, please contact support.


Login with two-factor authentication

To log in to third-party applications and programs (mail clients, instant messengers, mail collectors, etc.), use application passwords.

Attention. Applications developed by Yandex require a one-time password; even correctly created application passwords will not work there.

  1. Login to a Yandex service or application
  2. Login using QR code
  3. Logging in with a Yandex account to a third-party application or website
  4. Transfer of Yandex.Key
  5. Several accounts in Yandex.Key
  6. Fingerprint instead of PIN code
  7. Master password
  8. Backup copy of Yandex.Key data
  9. How one-time passwords depend on precise time

Login to a Yandex service or application

You can enter a one-time password in any form of authorization on Yandex or in applications developed by Yandex.

Note. You must enter the one-time password while it is displayed in the application. If too little time remains before it refreshes, just wait for the new password.

To get a one-time password, launch Yandex.Key and enter the PIN code that you specified when setting up two-factor authentication. The application will start generating passwords every 30 seconds.

Yandex.Key does not check the PIN code you enter and generates one-time passwords even if the PIN code is wrong. In that case the generated passwords are also wrong and you will not be able to log in with them. To enter the correct PIN, exit the application and launch it again.

Login using QR code

Some services (for example, the Yandex home page, Passport and Mail) allow you to log into Yandex by simply pointing the camera at the QR code. In this case, your mobile device must be connected to the Internet so that Yandex.Key can contact the authorization server.

  1. Click the QR code icon in your browser.

     If there is no such icon in the login form, you can only log in to this service with a password. In that case, log in using the QR code in Passport, and then go to the desired service.

  2. Enter your PIN code in Yandex.Key and click Login using QR code.
  3. Point your device's camera at the QR code displayed in the browser.


Yandex.Key will recognize the QR code and send your login and one-time password to Yandex.Passport. If they pass the verification, you are automatically logged in to the browser. If the transmitted password is incorrect (for example, because you entered the PIN code incorrectly in Yandex.Key), the browser will display a standard message about the incorrect password.

Logging in with a Yandex account to a third-party application or website

Applications or sites that need access to your data on Yandex sometimes require you to enter a password to log into your account. In such cases, one-time passwords will not work - you need to create a separate application password for each such application.

Attention. Only one-time passwords work in Yandex applications and services. Even if you create an application password, for example, for Yandex.Disk, you will not be able to log in with it.

Transfer of Yandex.Key

You can transfer the generation of one-time passwords to another device, or configure Yandex.Key on several devices at the same time. To do this, open the Access Control page and click the Replacing the device button.

Several accounts in Yandex.Key

The same Yandex.Key can be used for several accounts with one-time passwords. To add another account to the application, when setting up one-time passwords in step 3, click the icon in the application. In addition, you can add password generation to Yandex.Key for other services that support such two-factor authentication. Instructions for the most popular services are provided on the page about creating verification codes not for Yandex.

To remove an account link to Yandex.Key, press and hold the corresponding portrait in the application until a cross appears to the right of it. When you click on the cross, the linking of your account to Yandex.Key will be deleted.

Attention. If you delete an account for which one-time passwords are enabled, you will not be able to obtain a one-time password to log into Yandex. In this case, it will be necessary to restore access.

Fingerprint instead of PIN code

You can use your fingerprint instead of a PIN code on the following devices:

  • smartphones running Android 6.0 with a fingerprint scanner;
  • iPhone starting from model 5s;
  • iPad starting with Air 2.

Note. On iOS smartphones and tablets, the fingerprint check can be bypassed by entering the device passcode. To protect against this, enable a master password or change the passcode to a more complex one: open the Settings app and select Touch ID & Passcode.

To enable fingerprint verification:

Master password

To further protect your one-time passwords, create a master password: → Master Password.

Only the lazy don't crack passwords. The recent massive leak of Yahoo accounts only confirms that a password alone, no matter how long or complex, is no longer enough for reliable protection. Two-factor authentication is what promises to provide that protection by adding an extra layer of security.

In theory everything looks good, and in practice it generally works. Two-factor authentication really does make it harder to hack an account: it is no longer enough for an attacker to phish, steal or crack the master password. To log into the account, a one-time code is also required, which... But exactly how that one-time code is obtained is the most interesting part.

You've come across two-factor authentication many times, even if you've never heard of it. Have you ever entered a one-time code that was sent to you via SMS? This is it, a special case of two-factor authentication. Does it help? To be honest, not really: attackers have already learned how to bypass this type of protection.

Today we will look at all types of two-factor authentication used to protect Google Account, Apple ID and Microsoft Account on Android, iOS and Windows 10 Mobile platforms.

Apple

Two-factor authentication first appeared on Apple devices in 2013. In those days, convincing users of the need for additional protection was not easy. Apple didn’t even try: two-factor authentication (called two-step verification, or Two-Step Verification) was used only to protect against direct financial damage. For example, a one-time code was required when making a purchase from a new device, changing a password, and communicating with support about topics related to an Apple ID account.

It didn't end well. In August 2014, there was a massive leak of celebrity photos. The hackers managed to gain access to the victims' accounts and downloaded photos from iCloud. A scandal erupted, causing Apple to quickly expand support for two-step verification to access iCloud backups and photos. At the same time, the company continued to work on a new generation of two-factor authentication method.

Two-step verification

To deliver codes, two-step verification uses the Find My Phone mechanism, which was originally designed to deliver push notifications and lock commands in the event of a lost or stolen phone. The code is displayed on top of the lock screen, so if an attacker obtains a trusted device, he will be able to obtain a one-time code and use it without even knowing the device password. This delivery mechanism is frankly a weak link.

You can also receive the code via SMS or voice call to your registered phone number. This method is no safer. The SIM card can be removed from a well-protected iPhone and inserted into any other device, after which a code can be received on it. Finally, a SIM card can be cloned or taken from a mobile operator using a fake power of attorney - this type of fraud has now become simply epidemic.

If you have access to neither a trusted iPhone nor a trusted phone number, then to access your account you need a special 14-digit key (which, by the way, Apple recommends printing and storing in a safe place, and carrying with you when traveling). If you lose that too, you are in real trouble: access to your account may be closed forever.

How safe is it?

To be honest, not really. Two-step verification is incredibly poorly implemented and has deservedly earned a reputation as the worst two-factor authentication system of all the Big Three players. If there is no other choice, then two-step verification is still better than nothing. But there is a choice: with the release of iOS 9, Apple introduced a completely new security system, which was given the simple name “two-factor authentication.”

What exactly is the weakness of this system? First, one-time codes delivered through the Find My Phone mechanism appear directly on the lock screen. Secondly, authentication based on phone numbers is insecure: SMS can be intercepted both at the provider level and by replacing or cloning the SIM card. If you have physical access to the SIM card, then you can simply install it in another device and receive the code on completely legal grounds.

Also keep in mind that criminals have learned to obtain SIM cards to replace “lost” ones using fake powers of attorney. If your password is stolen, then finding out your phone number is a piece of cake. The power of attorney is forged, a new SIM card is obtained - in fact, nothing else is required to access your account.

How to hack Apple authentication

This version of two-factor authentication is fairly easy to hack. There are several options:

  • read a one-time code from a trusted device - unlocking is not necessary;
  • move the SIM card to another device, receive SMS;
  • clone a SIM card, get a code for it;
  • use a binary authentication token copied from the user's computer.

How to protect yourself

Protection through two-step verification is not serious. Don't use it at all. Instead, enable true two-factor authentication.

Two-factor authentication

Apple's second attempt is officially called "two-factor authentication." Instead of replacing the previous two-step verification scheme, the two systems exist in parallel (however, only one of the two schemes can be used within the same account).

Two-factor authentication appeared as part of iOS 9 and the version of macOS released simultaneously with it. The new method includes additional verification whenever you try to log into your Apple ID account from a new device: all trusted devices (iPhone, iPad, iPod Touch and computers running the latest versions of macOS) instantly receive an interactive notification. To access the notification, you need to unlock the device (with a password or fingerprint sensor), and to receive a one-time code, you need to click on the confirm button in the dialog box.

As in the previous method, in the new scheme it is possible to receive a one-time password in the form of an SMS or a voice call to a trusted phone number. However, unlike two-step verification, push notifications will be delivered to the user in any case, and the user can block an unauthorized attempt to log into the account from any of their devices.


Application passwords are also supported. But Apple abandoned the access recovery key: if you lose your only iPhone together with a trusted SIM card (which for some reason you cannot restore), then to regain access to your account you will have to go through a real quest of identity confirmation (and no, a scan of a passport does not count as such confirmation, and the original, as they say, "does not work" either).

But in the new security system there was a place for a convenient and familiar offline scheme for generating one-time codes. It uses a completely standard TOTP (time-based one-time password) mechanism, which generates six-digit one-time codes every thirty seconds. These codes are tied to exact time, and the trusted device itself acts as a generator (authenticator). Codes are obtained from the depths of the system settings of the iPhone or iPad via Apple ID -> Password and Security.


We will not explain in detail what TOTP is and what it is used with, but we will still have to talk about the main differences between the implementation of this method in iOS and a similar scheme in Android and Windows.

Unlike its main competitors, Apple allows only its own devices to be used as authenticators. Their role can be played by a trusted iPhone, iPad or iPod Touch running iOS 9 or 10. Moreover, each device is initialized with a unique secret, which allows you to easily and painlessly revoke the trusted status from it (and only from it) if it is lost. If the authenticator from Google is compromised, then the status of all initialized authenticators will have to be revoked (and reinitialized), since Google decided to use a single secret for initialization.
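The TOTP mechanism described above (six-digit codes every thirty seconds, tied to exact time, with a separate secret per trusted device) and the clock-drift troubleshooting in the Yandex.Key section, as an added example; this is illustration code, not code from Apple, Yandex or Google. It implements RFC 6238 with a verification window of one step on either side, and a hypothetical `TrustedDevices` registry showing why revoking one device's secret leaves the others valid.

```python
"""RFC 6238 TOTP generator/verifier with a small per-device secret registry.

Illustration only: not code from Apple, Yandex or Google. The device names
and the TrustedDevices class are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

STEP = 30    # seconds per code, as the page describes for TOTP
DIGITS = 6   # six-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Unix time is timezone-independent, so a device whose clock or zone is
    set wrongly produces codes for a different counter; that is the failure
    the Yandex.Key troubleshooting section describes."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code for the current step and `window` steps on either
    side, tolerating small clock drift. Comparison is constant-time."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


class TrustedDevices:
    """Per-device secrets: each authenticator is enrolled with its own
    secret, so revoking one device does not invalidate the others (the
    property the text attributes to Apple's scheme). Hypothetical helper."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}

    def enroll(self, device_name: str) -> str:
        secret = secrets.token_bytes(20)          # 160-bit seed for HMAC-SHA1
        self._secrets[device_name] = secret
        # Base32 is the form normally shown to the user or encoded in a QR code
        return base64.b32encode(secret).decode()

    def revoke(self, device_name: str) -> None:
        self._secrets.pop(device_name, None)

    def verify(self, code: str, unix_time: int) -> Optional[str]:
        """Return the name of the device whose secret produced `code`, or None."""
        for name, secret in self._secrets.items():
            if verify_totp(secret, code, unix_time):
                return name
        return None


if __name__ == "__main__":
    # Constructed demonstration using the RFC 4226/6238 test seed
    seed = b"12345678901234567890"
    print("code at t=59:", totp(seed, 59))          # RFC 6238 vector: 287082
    devices = TrustedDevices()
    phone_secret = base64.b32decode(devices.enroll("iphone"))
    now = int(time.time())
    print("phone accepted as:", devices.verify(totp(phone_secret, now), now))
    devices.revoke("iphone")
    print("after revoke:", devices.verify(totp(phone_secret, now), now))
```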

How safe is it?

Compared to the previous implementation, the new scheme is still more secure. Thanks to support from the operating system, the new scheme is more consistent, logical and easy to use, which is important from the point of view of attracting users. The one-time password delivery system has also been significantly redesigned; the only remaining weak link is delivery to a trusted phone number, which the user still must verify without fail.

Now, when attempting to log into an account, the user instantly receives push notifications to all trusted devices and has the option to reject the attempt. However, if the attacker acts quickly enough, he may be able to gain access to the account.

How to hack two-factor authentication

Just as in the previous scheme, two-factor authentication can be bypassed with an authentication token copied from the user's computer. An attack on the SIM card will also work, but an attempt to receive the code via SMS still triggers notifications on all the user's trusted devices, and the user may have time to reject the login. What you can no longer do is read the code off the screen of a locked device: the device has to be unlocked and the confirmation given in the dialog box.


How to protect yourself

Not many vulnerabilities remain in the new system. If Apple dropped the mandatory trusted phone number (to activate two-factor authentication at least one phone number has to be verified), it could be called ideal. Unfortunately, the need to verify a phone number adds a serious weakness. You can try to protect yourself the same way you protect the number to which your bank sends one-time passwords.


To protect your personal data in today's world, you may need to raise the security level of your digital space with two-factor authentication.

Online technologies are increasingly woven into the life of a modern person. Most of us can no longer imagine ourselves without social networks, smartphones and the Internet in general. Every day we leave a trail of digital traces and personal data on the Web. At the same time, most users never stop to think what would happen if one day they lost access to their "digital world" and it ended up in the hands of attackers...

Some will say that their modest persona is unlikely to interest hackers. Yet even accounts on the most obscure social networks are sold on the "black market", to say nothing of your Google account, which holds all your email correspondence, data from your phone and possibly links to bank cards.

The saddest thing is that many people trust to luck and use fairly simple passwords for quite serious accounts. And there are entire dictionaries of thousands of popular passwords, like "1234qwerty" and the like, that allow such an account to be cracked in minutes! Conventional password protection is therefore no longer reliable. It's time to use two-factor authentication!

What is two-factor authentication?

In various Hollywood science-fiction films, we see the hero (or villain) first enter a string of passwords to reach secret data, then hold a special identification card to a reader, and to top it off peer into an eyepiece where a laser reads the pattern of his retina. But this is no longer science fiction; it is what is called multi-factor authentication.

The traditional multi-factor authentication model involves three main factors (each of which can be doubled up to raise the level of protection):

  1. Knowledge factor. The access control system receives information that only the specific user should know: a traditional login-password pair, a PIN code, a mother's maiden name, or other data that, ideally, only we know. Unfortunately, many users do not memorize their passwords but keep them on scraps of paper right at the workplace, so it would not be hard for a hypothetical attacker to steal them...
  2. Possession factor. The user holds a certain thing that others do not have: a unique phone number, a plastic card with a unique barcode or chip, a USB token or another cryptographic device. In theory it can be stolen too, but that is much harder, and since the possession factor is usually backed by the knowledge factor (you must first enter a password), the chances of successfully using a stolen device are much reduced.
  3. Inherence factor (what the user is). Personal characteristics identify the user: fingerprints, the face as a whole, the pattern of the iris, or even a DNA sample! With sufficiently sensitive equipment such protection is very hard to bypass, but biometric verification is still far from that ideal, so at present it is usually supplemented with other access control factors.

In its full form, then, multi-factor authentication is three-factor. Two-factor verification drops one of the factors, typically the inherence factor, which needs special biometric equipment. Two-factor authentication requires no special investment, yet raises the level of security considerably!

Today, the most common type of two-factor authentication on the Internet is linking an account to the user's phone. We enter the login and password as usual, then receive a one-time code on the phone by SMS or push message and type it into a form to access the site. Alternatively, instead of a message you may get a call from a robot that asks you to press a particular key on the phone keypad.

Authorization using USB tokens is less common (they are found, for example, in modern accounting services). Such a token holds a cryptographic key that never leaves the device and is protected by a PIN or password known to the user. To sign in, you connect the token to the computer's USB port and enter the password; the token then proves possession of the key to the service, and authorization succeeds only if both the password and the key check out.

However, tokens cost money and require periodic key renewal, which is also not always free. Therefore, the most commonly used method of two-factor verification is still telephone verification. And here we will talk about it in more detail.

Two-factor authentication in Windows

Windows 10 is a modern operating system and must therefore, by definition, contain modern security features, one of which is two-factor user verification. The function appeared and disappeared in some versions of the system while going through a series of improvements, so if you want to use it, make sure you have all updates installed (especially patch KB3216755, which fixed authentication in the Anniversary Update).

Also, for two-step verification to work you will need a Microsoft account; with a local account, alas, nothing will come of it...

Now you need to prepare your phone. Install an application on it that will receive sign-in verification prompts for your Microsoft account and confirm them. The official Microsoft Authenticator app is available for both Android and iOS; any standard TOTP generator such as Google Authenticator (also on both platforms) will do for the code-based option.

After these preparations, sign in to your Microsoft account and configure it for two-step sign-in. The easiest way is through Settings > Accounts. On the first tab, "Email and accounts", click the link "Manage my Microsoft account", after which you are redirected to the Microsoft account sign-in page.

A settings page opens; find the group "Two-step verification" and click "Set up two-step verification":

A step-by-step wizard appears; follow its prompts to activate two-step verification for signing in to your Microsoft account, and therefore to Windows:

Two-factor authentication with Google

After Windows, Android is the second most popular system among modern users, and most Android devices, as we know, are "linked" to a Google account. It wouldn't hurt to protect that account further, and two-factor authentication for Google accounts has been working successfully for a long time.

To access the two-step verification settings, you need to log into your Google account, go to the special page and click the button "Begin":

You may be asked to re-enter your account password to confirm access to your settings. After this, a step-by-step wizard will open that will help you set the necessary parameters for two-step account login verification:

All you need to do is enter your phone number (it is most likely already “linked” to your account), receive an SMS with a one-time verification code, then enter the code in a special field and activate the procedure for all subsequent authorizations.

However, your phone isn't the only second factor Google offers. If you have a FIDO Universal 2nd Factor (U2F) token, you can also set up sign-in with it. And, of course, you can receive verification codes not only by SMS: the Google Authenticator application mentioned above generates them offline on the device, and Google can also send a sign-in prompt to your phone as a push notification.

Two-factor authentication on social networks

Following general trends, the developers of some large social networks have also taken care of two-factor authentication.

DFA on Facebook

Facebook, being one of the most popular social networks in the West, like Google, has long been offering its users a two-step account login verification function. Moreover, access codes can be received both via SMS and in universal authorization applications. Of these, Google Authenticator and Duo Mobile are supported.

You can enable two-factor authentication on Facebook by going to the settings section

An access control method that requires the user to present two components at the same time. In addition to the traditional login and password, the two-factor principle confirms the user's identity with something he has: a smart card, a token, an OTP key fob, a biometric sensor and so on. Most often the second stage of identification uses a mobile phone, to which a one-time access code is sent.

A person's biometric data can also serve as the second identifier: fingerprint, iris, etc. In physical access control systems this is done with combined (multi-format) readers that work both with various types of cards and with users' biometric parameters.

Two-factor authentication (World Market)

Two-factor authentication as the best way to protect access rights

In the fall of 2016, SecureAuth Corporation, together with Wakefield Research, conducted a study surveying 200 heads of IT departments in the United States.

The study found that 69% of organizations are likely to give up passwords within the next five years.

"In today's increasingly digital world, even many traditional two-factor authentication approaches are no longer sufficient, let alone password-based single factor. The costs associated with cyberattacks run to millions of dollars a year - it is in everyone's best interest to make unauthorized access as problematic as possible," says Craig Lund, CEO of SecureAuth.

99% of respondents agreed that two-factor authentication is the best way to protect access rights.

At the same time, only 56% of respondents protect their assets with multi-factor methods. 42% cite resistance from company managers and disruption to users' accustomed habits as reasons holding back improvements to their identification strategy.

Other reasons for not adopting an enhanced authentication strategy:

  • lack of resources to support maintenance (40%);
  • the need to train employees (30%);
  • fears that improvements will not work (26%).

"Organizations use legacy authentication approaches that require additional steps from users and are ineffective against today's advanced attacks," says Keith Graham, Chief Technology Officer at SecureAuth.

Among the measures necessary for inclusion in authentication systems, respondents name:

  • device recognition (59%);
  • biometric factor (for example, fingerprint, face or iris scanning) (55%);
  • one-time secret codes (49%);
  • geo-location information (34%).

But two-factor authentication based on one-time SMS passwords has been shown to be weak by a sufficient number of successful phishing attacks (and, as noted above, by attacks on the SIM card). The National Institute of Standards and Technology (NIST) stated in the 2016 draft of its Digital Authentication Guideline (SP 800-63B) that it no longer recommends delivering one-time codes over SMS.

Gartner Magic Quadrant for Strong User Authentication

When compiling its reports, the Gartner analytical agency considers not only the quality and capabilities of the product but also the vendor as a whole: sales and customer-service record, understanding of the market, business model, innovation, marketing and sales strategy, industry development and so on.

The result of the assessment is the Gartner Magic Quadrant, a graphical display of the market that rates products and their manufacturers on two axes at once: "Completeness of Vision" (understanding of how the market is developing and will develop, ability to innovate) and "Ability to Execute" (ability to win market share and deliver the system). On these key parameters vendors fall into four groups: Leaders, Challengers, Visionaries and Niche Players.

When it comes to user authentication, Gartner analysts see increased investment in contextual and adaptive methods. Mobile and cloud technologies are still maturing, accumulating user experience for future developments. According to the experts, the future of authenticators is smart things.


Note that only three companies presented in the study are present on the Russian market for authentication solutions. These companies are Gemalto, HID Global and SafeNet.

Mobile authentication

84% of users are ready to replace passwords with other authentication methods

Apple has introduced two-factor authentication

Today, many sites support two-factor authentication, since a simple login-password combination does not guarantee an adequate level of security. This became obvious after the iCloud hack.

In September 2014 a massive leak of private photos from iCloud came to light; the accounts had been compromised with brute-force attacks. Apple's response was to roll out two-factor authentication (2FA) for all of its online services.

Prospects for multi-factor mobile authentication

"Using a mobile platform, strong authentication can be implemented in a user-friendly way. The next trend for the mobile platform is to take advantage of secure hardware elements and trusted execution environments. This also applies to (IOT), where higher levels of security are required," says Jason Soroko, security technology manager at Entrust Datacard.


Using only one password is not an effective means of protection; it can be stolen or cracked. Additional one-time passwords (on hardware tokens or delivered by SMS) raise the level of system security. However, SMS codes can also be intercepted and redirected, for example by mobile malware such as Zitmo and Eurograbber working in combination with Zeus and its variants.

Storing cryptographic credentials in a secure environment, such as hardware-secured elements and trusted execution environments, enables digital identity within the mobile platform: the data does not leave the device and is thus protected from interception. At the same time, the possibility of authentication is preserved using a convenient form factor, which is always in the user’s pocket.

Terminology

Authentication Factors

Information factor (logical, knowledge factor): the identification procedure requires confidential information known to the user, for example a password, a code word, etc.

Physical factor (possession factor): the user presents an item he or she owns for identification, for example an RFID tag. In fact, when a one-time password is received on a mobile phone or token during verification, this is also a physical factor: by entering the received code the user proves that he holds the specified device.

Biometric factor (biological, inherence factor): the user provides unique data for identification that is an inseparable part of him or her, for example a unique vein pattern or other biometric characteristics.

Multi-factor authentication is a layered method in which a user passes verification by demonstrating at least two authentication factors.

Requiring more than one independent factor makes it harder to present false credentials. Two-factor authentication, as the name suggests, requires two of the three independent factors. The number and independence of the factors matter: more independent factors mean a higher probability that the party presenting the credentials really is the registered user with the corresponding access rights.

Strong authentication

Strong authentication means that additional information must be verified to establish the user's identity, i.e. one password or one key is not enough. It raises the security level of the access control system, as a rule without significant extra cost or complexity. The concept of strong authentication is often confused with two-factor or multi-factor authentication, but the two are not the same.

Strong authentication can be implemented without several independent factors. For example, an access control system that requires a password plus the answer to one or more security questions belongs to the strong authentication segment but is not multi-factor, because it uses only one factor, the logical one. Likewise, a biometric system that asks the user to present several different fingers in turn for fingerprint reading is strong authentication. Thus strong authentication is not always multi-factor, but multi-factor authentication is always strong.

Strong authentication is also widely used to control access to corporate networks and company Internet resources. Here, software analysis of the user's behaviour on the network (from the geography of the entry point and the path of transitions within the network down to keystroke timing) can serve as one component of protection. If the behaviour looks suspicious (out of character), the system may block access and demand repeated verification, and/or raise an alarm for the security team.
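The following added example (not code from SecureAuth, Gartner, HID Global or any other vendor on this page) illustrates the contextual, adaptive approach described here and in the survey results above: a login attempt is scored against the user's history using device recognition, geolocation (including impossible-travel velocity), usual hours and typing cadence, and the score decides whether the password alone suffices, a second factor is demanded, or the attempt is refused. The weights, thresholds, the 1000 km/h plausibility limit, and the login history and attempts are all constructed for illustration.

```python
"""Contextual (adaptive) step-up authentication: added example."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Weights and thresholds are constructed for illustration; a real deployment
# tunes them against its own false-positive / false-negative history.
WEIGHTS = {
    "unknown device": 40,
    "impossible travel": 50,
    "unusual hour": 10,
    "country changed": 10,
    "typing cadence off": 20,
}
STEP_UP_AT, BLOCK_AT = 30, 70
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner: not the same person


@dataclass
class Login:
    ts: int            # unix seconds
    device_id: str     # identifier of a registered device (cookie, TPM key, ...)
    lat: float
    lon: float
    country: str       # from IP geolocation
    typing_ms: float   # mean interval between keystrokes while typing the password


@dataclass
class Profile:
    known_devices: Set[str]
    usual_hours: range          # UTC hours in which the user normally logs in
    typing_ms_mean: float
    typing_ms_tolerance: float
    last_login: Optional[Login]


def km_between(a: Login, b: Login) -> float:
    """Great-circle distance between two logins (haversine, R = 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(login: Login, profile: Profile) -> Tuple[int, List[str]]:
    """Accumulate risk from each independent signal; return the score and the reasons."""
    reasons: List[str] = []
    if login.device_id not in profile.known_devices:
        reasons.append("unknown device")
    if (login.ts // 3600) % 24 not in profile.usual_hours:
        reasons.append("unusual hour")
    if abs(login.typing_ms - profile.typing_ms_mean) > profile.typing_ms_tolerance:
        reasons.append("typing cadence off")
    prev = profile.last_login
    if prev is not None:
        hours = max((login.ts - prev.ts) / 3600.0, 1.0 / 60)   # floor at one minute
        if km_between(login, prev) / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible travel")
        if login.country != prev.country:
            reasons.append("country changed")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(risk: int) -> str:
    """Low risk: the password alone suffices. Medium: demand a second factor
    (OTP, push confirmation or FIDO token). High: refuse and alert."""
    if risk >= BLOCK_AT:
        return BLOCK
    if risk >= STEP_UP_AT:
        return STEP_UP
    return ALLOW


# Constructed history: the last accepted login came from a known laptop in Moscow.
MOSCOW = (55.7558, 37.6173)
NEW_YORK = (40.7128, -74.0060)
T0 = 1_700_000_000   # 22:13 UTC, inside the user's usual hours

PROFILE = Profile(
    known_devices={"laptop-a1"},
    usual_hours=range(7, 23),
    typing_ms_mean=120.0,
    typing_ms_tolerance=40.0,
    last_login=Login(T0, "laptop-a1", *MOSCOW, "RU", 118.0),
)

# Constructed attempts: a routine return, a new phone in the same city, and a
# login from across the ocean on an unknown device one hour later.
ATTEMPTS = [
    Login(T0 + 1800, "laptop-a1", *MOSCOW, "RU", 125.0),
    Login(T0 + 1800, "phone-new", *MOSCOW, "RU", 130.0),
    Login(T0 + 3600, "vps-box", *NEW_YORK, "US", 310.0),
]


def sample_run() -> List[str]:
    """Decisions for the constructed attempts, in order."""
    return [decide(assess(a, PROFILE)[0]) for a in ATTEMPTS]


if __name__ == "__main__":
    for attempt in ATTEMPTS:
        risk, why = assess(attempt, PROFILE)
        print(f"{attempt.device_id:10} {attempt.country} risk={risk:3} -> {decide(risk):8} {why}")
```

Each signal contributes independently, so a single mild anomaly (a late-night login from the usual laptop) stays below the step-up line, while the third attempt accumulates device, velocity, country and cadence anomalies and is refused outright rather than merely challenged; the second attempt is where the one-time code or token from the sections above is actually demanded.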

Modern users want to have constant access to work resources from any mobile and stationary devices (smartphone, tablet, laptop, home computer), which makes physical access control to work premises ineffective for protecting corporate networks. At the same time, protection with only one password is not a sufficient guarantee of cybersecurity. Strict user authentication for access to company network resources and differentiation of access rights can significantly reduce risks.

“Today, the issue of protection against threats “within our own walls” is acute. 81% of companies have already faced the problem of data leakage due to negligence or intentional actions of employees and other insiders,”- say HID Global experts.


Meanwhile, the number of users who need access to the organization's information and resources is only increasing. In addition to permanent company employees, access is sometimes required by partners, consultants, contractors, customers, etc.

Easy to use and manage, strong authentication systems can serve many different types of users and meet the needs of different groups, while reducing the risks that come with giving those users access to the enterprise infrastructure.

Multi-factor authentication

Multi-factor authentication is the most effective method of protecting against unauthorized access, since using several completely independent factors sharply reduces the likelihood that all of them are compromised at once.

The simplest and most cost-effective solution is a two-factor system combining a physical and a logical factor, for example password + proximity card, or password + RFID tag.


There are countless combinations. The more independent factors the system uses, the higher the level of protection, but the cost rises in proportion. Multi-factor authentication built from access card + finger + PIN will cost considerably more.

Naturally, the reliability of a solution depends on the reliability of its elements. Fitting the smart card system above with biometric readers that use live-finger (liveness detection) technology significantly increases its effectiveness.

Manufacturers strive to provide the ability to integrate their access control products and software with other elements and devices. Therefore, the composition of a multi-factor authentication system depends solely on the wishes of the customer (usually based on an assessment of the feasibility of increasing the level of protection) and his budget.

Multibiometrics

Multibiometric systems are another example of strong authentication that uses only one factor, biometrics, to protect against unauthorized access. Such solutions are nevertheless often called multi-factor biometric systems because they use several different biometric characteristics to identify the user: fingerprint + iris, or fingerprint + facial structure + unique voice characteristics, among other combinations.

Multibiometric solutions provide an extremely high level of protection: forging even a single biometric trait is labor-intensive, let alone imitating several of the user's traits at once while also defeating the corresponding anti-spoofing algorithms.

The main disadvantage of access control systems with multibiometrics is the high price. However, this does not stop the development of the market for systems that combine authentication using several biometric characteristics in one device.

Miniature, portable, multimodal

A promising American startup, Tascent, has released a device that has a small form factor, but at the same time combines voice, face, fingerprint and iris recognition - Tascent M6.

The new product works on the basis of Apple iPhone 6 or iPhone 6S smartphones and is a case for a phone with a thickness of only 38 mm, which uses a Lightning connector to ensure a reliable, high-speed connection.

Tascent M6 includes a reader that captures two fingerprints at once using a Sherlock sensor (Integrated Biometrics), and performs voice recognition and face recognition from photographs. Iris recognition, based on the company's own InSight Duo development, captures both eyes at once (optional). In addition, the device rapidly reads data from standard travel documents, including passports, visas and national identity cards.

Portable miniature multibiometric equipment Tascent M6 allows you to store up to 100,000 patterns, weighs only 425 grams (including the weight of a smartphone), has an IP65 protection class and can work for at least 8 hours without recharging. Open architecture and global standards compatibility enable rapid integration and deployment with new or existing systems.

"Our third generation of Tascent Mobile, the Tascent M6, combines the world's leading smartphones with cutting-edge multimodal biometrics technologies to deliver breakthrough mobile biometric capabilities finely tuned to end-user needs. For example, travel, border management, humanitarian aid, law enforcement and civilian ID," say the developers at Tascent.

Multibiometrics of vein pattern and fingerprint

ZKAccess recently announced the release of the FV350, the industry's first multi-biometric reader that combines fingerprint and vein pattern reading at the same time. The device is capable of storing the combined biometric data of 1,000 users and performing identification in less than two seconds.

And now there is a new round of development of biometric devices - a flexible fingerprint sensor on plastic, developed for biometric applications by FlexEnable and ISORG.

The multi-biometric sensor can measure the fingerprint as well as the vein configuration of the fingers. The sensitive element has dimensions of 8.6x8.6 cm, a thickness of 0.3 mm, and most importantly can be attached to any surface or even wrapped around it (for example, around a car steering wheel, a door handle or a credit card).

"This breakthrough will drive the development of a new generation of biometric products. No other solution can offer the combination of a large sensing area, fingerprint and vein pattern reading, as well as flexibility, lightness and strength," says Jean-Yves Gomez, CEO of ISORG.

Multi-factor authentication via the Cloud

Bio-Metrica has released a new cloud version of BII, a portable multi-factor authentication system that includes biometrics. Cloud-based BII offers fast deployment, high performance and the ability to scale a system up or down within hours.

The main advantage of such a system is that there is no need to build an IT infrastructure (servers, administration systems, network equipment, etc.) or hire additional maintenance staff, which reduces installation costs.

This comes with the high level of security that multi-factor authentication provides and, thanks to the cloud service, with ample resources in computing power, RAM, additional network channels and so on.

CloudBII can also be deployed as a hardware installation for . It is this direction that the company intends to actively develop in the future.

Material from the special project "Without a Key"

The special project “Without a Key” is an accumulator of information about access control systems, convergent access and card personalization
