What is 2FA

Two-factor authentication (2FA) is a way to strengthen user authentication.
A good example is a bank transfer from your bank's website: depending on your bank, you may receive a text message on your mobile phone containing a code that you must enter on the website to confirm the transfer.

The second factor can be a phone or another physical object in your possession (something you have), a physical characteristic such as biometrics (something you are) or a secret that only you know (something you know). The two factors must come from different categories: a second password on top of the first is still "something you know" and does not make the login two-factor.

A 2FA process comes with some disadvantages: it makes the authentication process more complex, and the second factor has to be available, which can be a problem with a mobile phone. A flat battery, poor network coverage or any other mishap can prevent the process from working, so users need a recovery path (backup codes, for instance), and that recovery path must be protected as carefully as the login itself.

Why use 2FA

According to Verizon's recent Data Breach Investigations Report 2015, 95% of the web application attacks involved in security incidents relied on stolen credentials: “95% of these incidents involve harvesting credentials stolen from customer devices, then logging into web applications with them”.
95% is a huge figure, almost unbelievable! But keep in mind that the report only covers data breach incidents, not other risks such as brand damage or business continuity; other types of incidents would probably not tell the same story.

(Image: retina authentication)

Even if this figure does not give a global overview of web app attacks, it reminds us that authentication is a real challenge and a key target for attackers.
With usernames and passwords on sale on the black market, attackers can simply log into applications without having to technically “hack” the website.
With this risk in mind, hardening the authentication process becomes an obvious step, and two-factor authentication is a strong solution to recommend: a leaked or reused password is no longer enough on its own.

Not only is 2FA a way to secure your users’ data, it is also a way to reduce fraud on your websites and other web applications.

Where to use 2FA

Two-factor authentication is by nature a bit more complex for users than a single (and simple) authentication step.
Obviously, implementing 2FA everywhere would make the login process more cumbersome. This is a problem for websites where users need to log in quickly and where the user experience must stay as simple as possible to avoid drop-offs.

On critical applications (banking, back-office, administration, etc.), a second authentication factor can be implemented and made mandatory.
Users understand the need for improved security on sensitive features and accept the process.

On other features considered “non-critical”, you must weigh the pros and cons, but 2FA can be offered as an option.
As an example, Facebook implemented 2FA on its login process. Are you using it? You can activate it in “Settings” -> “Security” -> “Login Approvals”. On top of being optional, Facebook's 2FA is only triggered when users connect from an unknown browser, which is a sensible compromise: it does not prompt for the SMS or app code on every login, only when an unusual connection is attempted. Remember that a browser trusted this way effectively bypasses the second factor afterwards, so the token that marks it as known must be unguessable and revocable from the account settings.

How to implement 2FA with a mobile

Writing code

Generate your own tokens

You can choose to generate random, temporary tokens yourself in your web application and send them to your users via SMS.
This is a pretty simple solution, but it is not encouraged for very critical apps, since mobile networks are not necessarily secure: the token can be intercepted in transit (SS7 attacks) or redirected to an attacker's phone by a SIM swap, and NIST SP 800-63B now classifies SMS one-time codes as a "restricted" authenticator for that reason.
These tokens can be sent through your preferred SMS gateway, like Twilio (good API).
How you generate these tokens and how you invalidate them is very important; a flaw here compromises the whole login process. Generate them with a cryptographically secure random generator (not a plain rand() or a timestamp), give them a short lifetime, accept each one only once, cap the number of verification attempts (a 6-digit code has only a million possible values), store them server-side as a keyed digest rather than in the clear, and compare them in constant time.
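As an added example (not the article's own code, and independent of any SMS provider), here is the server side of such a scheme in Python: deliver stands in for the Twilio call, SERVER_KEY is assumed to live in configuration rather than in the database, and OtpStore is an in-memory stand-in for a database table. It shows CSPRNG generation, a short lifetime, single use, an attempt cap and a constant-time comparison.

```python
# Server side of an SMS one-time-code scheme: added example, not the article's code.
# Sending the SMS is out of scope: `deliver` stands in for the Twilio call.
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_S = 300     # a code is only valid for five minutes
MAX_ATTEMPTS = 5          # 6 digits = 10^6 codes, so guesses must be capped hard

# Assumption: this key lives in configuration or a KMS, never in the database.
# A plain hash of a 6-digit code is brute-forced offline in milliseconds; keying
# the digest means a leaked table is useless without the key.
SERVER_KEY = secrets.token_bytes(32)


def _digest(user_id: str, code: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    """Pending codes keyed by user id (in memory here; a DB table in practice)."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, so expiry can be tested
        self._pending = {}                   # user_id -> [digest, expires_at, attempts]

    def issue(self, user_id: str, deliver) -> None:
        # `secrets` is a CSPRNG; random.randint() or a timestamp would be guessable.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Issuing a new code replaces any earlier one, so only one is live at a time.
        self._pending[user_id] = [_digest(user_id, code), self._now() + CODE_LIFETIME_S, 0]
        deliver(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]       # expired or too many guesses: discard it
            return False
        entry[2] += 1                        # count the attempt before comparing
        if hmac.compare_digest(_digest(user_id, submitted), digest):
            del self._pending[user_id]       # single use: the code dies on success
            return True
        return False


if __name__ == "__main__":
    sent = {}                                # constructed stand-in for the user's phone
    store = OtpStore()
    store.issue("alice", lambda user, code: sent.update({user: code}))
    print("right code accepted:", store.verify("alice", sent["alice"]))
    print("same code replayed:", store.verify("alice", sent["alice"]))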

Modules, packages and other libraries are available in the different programming languages to implement 2FA yourself.

Example with Python Django:

Implementation: https://pypi.python.org/pypi/django-two-factor-auth
Documentation: http://django-two-factor-auth.readthedocs.org/en/1.2.0/

Example with PHP (code snippets):

http://www.sitepoint.com/multi-factor-authentication-with-php-and-twilio/

Using TOTP

The TOTP (Time-based One-time Password) algorithm computes a short temporary code from a shared secret and the current time: the server and the user's app both derive the code by running an HMAC over the number of 30-second steps elapsed since the Unix epoch and truncating the result to six (or eight) decimal digits, as specified in RFC 6238 on top of HOTP (RFC 4226).
We won’t go through every detail since many resources on the Internet already do, but this algorithm is used by many 2FA systems and is quite reliable.
Learn more about TOTP: http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

Unlike simple tokens over text messages, TOTP does not send anything over the network (which is more secure), but it requires a third-party app on the end user's device, and it has requirements of its own: the shared secret must be provisioned to the app (usually as a base32 string or a QR code) and stored server-side in a form that can be read back, so it needs protecting like any other key material, and both clocks must agree closely enough, which is why servers usually accept the codes of one step before and after the current one.
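As an added example (not the article's code), here is the algorithm itself in plain Python with only the standard library, checked against the test vectors published in RFC 4226 and RFC 6238: hotp() is the HMAC-and-truncate step, totp() feeds it the time-step counter, verify_totp() accepts the drift window discussed above and refuses a step that was already used, and decode_base32_secret() reads the base32 secret that authenticator apps are provisioned with. The 30-second period and the window of one step are the usual defaults, not values the article specifies.

```python
# TOTP (RFC 6238) on top of HOTP (RFC 4226): added example, not the article's code.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, now: int, last_used: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts `window` steps either side of `now` to tolerate clock drift, and
    refuses any counter <= last_used (the caller persists the returned value) so
    a code that was already accepted cannot be replayed inside the window.
    """
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if c < 0 or c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):   # constant time
            return c
    return None


def decode_base32_secret(encoded: str) -> bytes:
    """Apps receive the secret as base32 (otpauth:// URI); tolerate spaces, case, no padding."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    # The RFC test secret "12345678901234567890", as an app would be given it.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted at step:", verify_totp(secret, code, now))
```

Persist the counter that verify_totp() returns next to the user's secret and pass it back as last_used on the next login; without that, the same code can be submitted twice within the 90-second acceptance window.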

Several apps and services are based on this algorithm, such as Authy, Google Authenticator, Duo Mobile or Amazon MFA.
Their vendors explain very clearly how to implement the server side.
For instance, Authy documents the implementation for the most common languages and platforms:
https://github.com/authy

If you’re using WordPress or another popular CMS like Joomla, many plugins exist to implement 2FA with TOTP. Just make sure you choose a good one: check for recent updates, read reviews, and make sure it remains maintained over time, since an abandoned authentication plugin becomes a liability rather than a protection.

In conclusion, two-factor authentication is a great way to strengthen authentication on your web apps. It is also quite simple from a technical standpoint, and many users are already used to it on sensitive features.
Why not move forward with it?