Two Factor Authentication (2FA): What is it? How does it work? Why you should care!

Learn why two factor authentication (2FA) is so important, how it actually protects your accounts, and how to assess the 2FA methods available on the services that you use!

Welcome to the first article in a series dedicated to two factor authentication (2FA)!

Right off the bat, let me assure you that this series won’t just be a bunch of posts telling you which services support 2FA and which don’t. For that, check out the incredibly useful twofactorauth.org. Nor will this series be a set of tutorials on how to enable 2FA for a bunch of websites. For help there, check out the handy TurnOn2FA.com.

Instead, this series is going to take a deep dive into understanding how the most common implementations of 2FA actually work so that you can make more-informed decisions about how to protect your online accounts.

Many services try to encourage their users to enable 2FA with some variation of a similar message: “2FA adds an extra layer of security to your account on top of your password.” What does that actually mean, though? The message doesn’t explain how 2FA improves security nor what risks it addresses. Some services communicate a clearer message: “This means that even if someone stole your password, they would be unable to access your account without your mobile device.” That might motivate some users to enable 2FA, but, sadly, the vast majority of users still don’t use 2FA at all. In fact, most people don’t even know what 2FA is. Education is a critical part of the solution and that is where I hope this series can help.

There are already some great resources out there for users to learn about 2FA. The sites I mentioned above help users take action once they accept that 2FA is important to enable. However, if you are like me, then any time someone tells you to do something, you ask “why”? I have always found it incredibly useful to understand how something actually works before I can appreciate more abstract advice. To that end, the Electronic Frontier Foundation (EFF) has an excellent guide discussing Common Types of Two-Factor Authentication on the Web. This series will expand on that background and break things down even further.

You may be wondering: What does 2FA actually protect you from? What does it not protect you from? What are the common implementations and how do they actually work? Why are some better than others? What are the security and usability tradeoffs?

If you are an end-user, then this series will help you understand exactly how 2FA protects your accounts and prepare you to assess the 2FA methods available on the services that you use. If you use a service that does not yet offer 2FA, then you will know more than enough to confidently ask that provider to implement 2FA so that you can better protect your account from getting hijacked.

If you are a service provider, then this series is definitely for you too! Understanding the technical and user experience (UX) details of how each 2FA implementation works will help you make sure that the 2FA methods you offer to your users meet your requirements and theirs.

What is 2FA?

There are three commonly accepted authentication factors, or categories, used to prove your identity when logging into a service. They are:

  1. Knowledge (something you know, such as a password or PIN)
  2. Possession (something you have, such as a smartphone, security key, or other trusted device)
  3. Inherence (something you are, such as a face, a fingerprint, or an iris)

Although any combination of two of these factors is considered two factor authentication (2FA), typically 2FA refers to the knowledge factor and the possession factor. Biometrics have become more popular with the rise of smartphones in recent years, but they are rarely used when logging into a remote website. That may change in the future, but for now, we’ll define 2FA in this context to mean something you know and something you have.

The reason that requiring both factors together greatly increases security is that they each have different threat models. A threat model is simply a prioritized list of all the different ways that a hacker might attack, or try to compromise, the authentication factor. Hackers will try simpler methods that have a higher chance of success first before bothering to launch more difficult and targeted attacks against individual users. Most security solutions are not able to eliminate all risk; instead, they reduce the risk as much as possible according to the threat model.

If hackers remotely steal your knowledge factor (e.g. password), then they still shouldn’t be able to get into your account because they won’t have physical access to your possession factor (e.g. your trusted device).

Observant readers will notice I used some hand wavy wording there when I said “shouldn’t be able to”. That will become an unfortunately common theme throughout this post because each 2FA implementation has different strengths and weaknesses which allow it to resist certain attacks while remaining vulnerable to others.

The rest of this article will outline some of the many ways in which hackers can steal your password. Understanding just how easy it is to compromise the knowledge authentication factor should make it clear why 2FA is so important to enable on all of your accounts.

“I reuse passwords between multiple websites.” 2FA can help you the most!

If you have ever used the same password on more than one website, you are not alone. Pew Research found that “39% [of people] say that they use the same (or very similar) passwords for many of their online accounts” and LastPass found that same metric to be as high as 61%! It is understandable why people reuse passwords, considering how difficult it would be to remember a different password for each and every account that we have online. LastPass also found that the average business user had 191 passwords to keep track of. Your membership in this unfortunately large group, however, is not a good thing. Password reuse is an extremely dangerous practice that puts each account sharing the same password at significantly greater risk of getting hijacked by hackers. Let’s take a look at why that is the case and how 2FA can protect your accounts from getting hijacked.

In this example, let’s consider two completely fictional online services. We’ll call the first completely made up service “Google”. Assume that “Google” has a team of very talented engineers, takes security seriously, and follows all of the best practices for storing passwords securely in their database. Let’s call the second completely made up service “A Site About Cats”. Because they have a less experienced team that is possibly uninformed of the best practices, “A Site About Cats” stores passwords insecurely in their database.

Pretend that you have an account on each service and you share the same password between both accounts. Unfortunately, “A Site About Cats” has a data breach and hackers download all of the data in the database. We won’t get into the details of best practices on how to store passwords just yet, but remember that “A Site About Cats” didn’t follow those anyway. Suffice to say, hackers now have the username and password for your account. You do love cats, but losing access to your account on that service isn’t the end of the world.

However, since most sites use your email address as a username, the hacker can trivially try the same compromised credentials on your “Google” account. Since it shares the same password, your account is now hijacked and likely lost to you forever. The breach of “A Site About Cats”, a service that you didn’t take nearly as seriously, has put at risk any of your accounts on any other service where you used the same password. Imagine if someone got control of other social media accounts, your bank account, or a service that stores your medical records. Not a happy prospect.

The password tip here is: every account should have a unique password.

However, we didn’t follow that advice in this example, so where does that leave us?

If your account on “Google” had 2FA enabled, then your account would remain safe! Remember, the first authentication factor is the knowledge category (i.e. the password) and the hackers stole that remotely online. The second authentication factor is the possession category (i.e. your phone) and hackers shouldn’t be able to steal that remotely. Without physically stealing your trusted device, hackers won’t be able to provide the necessary evidence for the possession factor during login and your account won’t get hijacked.

Observant readers will notice that I said “shouldn’t be able to steal that remotely”. Sadly, some common 2FA implementations do not strictly meet the definition of “something you have” and are therefore vulnerable to remote attacks. Stay tuned! We’ll address that specifically throughout this series for each 2FA method individually.

“Okay, I don’t reuse passwords anymore.” Kudos! You still need 2FA, though.

After realizing how easy it is to hijack accounts that share passwords, you have now started using unique passwords for each of your accounts. Continuing our example with the two completely fictional services, we can easily see how a data breach at “A Site About Cats” would not put your “Google” account at risk, even if you did not enable 2FA.

Let’s switch things up and consider the scenario where you have not yet enabled 2FA on your “Google” account and they experience a breach. Remember, “Google” has a top-notch engineering team and securely stores your password in the database. Unfortunately, that does not mean that your password is always safe from hackers who downloaded the database! The details of the correct way to securely store passwords in a database deserve their own article (or series of articles) to explain properly, but there are some important concepts that we’ll cover at a high level to make it clear how hackers steal your passwords from a database breach.

To oversimplify, the password that you choose when creating your account is not saved in the database in plain text. If it were, then the hacker would immediately have your password once they breached the database. Instead, the password you chose during account registration is run through a cryptographic hash function and the resulting hash value is stored in the database. Don’t worry, this isn’t a primer on cryptographic hash functions, but there are a few key properties critical to our discussion. First, any input to the hash function will always give you the same output hash value. Second, given the output hash value, it is computationally infeasible to calculate the original input; it is a one way function. Each time you log into your account, the password you type into the login form is sent through the same hash function and if the output hash value matches what is stored in the database, then the service provider knows you typed the correct password and grants you access!

Even if a password database is compromised by hackers, the database only contains the output hash values and not the plain text passwords. Because the output hash values cannot be used to compute the original input (i.e. your password), hackers will need to spend time and computing resources to determine what your password is. This essentially boils down to a guessing game. Hackers will run software programs specifically designed to test all possible combinations of letters, numbers, and symbols as input to the hash function and see if the output hash value matches the one in the database. If it matches, then they’ve now got your password! Because of many technical details (and math!) that we didn’t discuss here, this guessing process can actually take hackers a long time, especially as your password gets longer.

You won’t be surprised to learn that hackers are quite smart and know this too. They do not actually sit around guessing all possible combinations starting with “a” and then “aa” and then “aaa”, etc. Instead, hackers use many strategies to prioritize their guesses. One strategy is to use something called a password dictionary, which is a long list of plain text passwords obtained from previous data breaches around the internet. If anyone is using one of the common passwords included in the dictionary, then it will be trivial to guess. Hackers also use psychology to develop strategies that target specific ways that humans tend to think up passwords. For example, your birthday, the name of someone you know, your high school, your phone number, a common pattern on the keyboard (“qwerty”), etc. All of these make for extremely weak passwords because those are the first types of guesses that hackers make when trying to crack the output hash value.

The password tip here is: in addition to being unique, passwords should be individually strong. A strong password will typically be longer in length and not follow a predictable pattern.
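The hash-and-compare login and the dictionary guessing described above, as an added example that is not code from the original article. The dictionary, account names, passwords and PBKDF2 work factor are constructed assumptions; it contrasts a fast unsalted hash with a salted, slow one.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "password dictionary" built from earlier breaches.
PASSWORD_DICTIONARY = ["123456", "password", "qwerty", "letmein"]
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware


def fast_unsalted_hash(password):
    """What a careless service stores: a single fast SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted_hash(password, salt):
    """Salted and deliberately slow, so every guess costs real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(db, user, password):
    """Store only (salt, hash); refuse passwords already in the dictionary."""
    if password in PASSWORD_DICTIONARY:
        return False
    salt = os.urandom(16)  # unique per account
    db[user] = (salt, slow_salted_hash(password, salt))
    return True


def login(db, user, password):
    """Re-hash the submitted password and compare in constant time."""
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(stored, slow_salted_hash(password, salt))


def accounts_guessable_from_dictionary(unsalted_db):
    """Audit unsalted hashes: which accounts use a dictionary password?"""
    known = {fast_unsalted_hash(p) for p in PASSWORD_DICTIONARY}
    return sorted(user for user, h in unsalted_db.items() if h in known)


if __name__ == "__main__":
    strong = "vY7#kq2!Lm9$wZ4p"  # constructed sample password
    # Constructed table of unsalted hashes; two users share a weak password.
    leaked = {
        "alice": fast_unsalted_hash("qwerty"),
        "bob": fast_unsalted_hash("qwerty"),
        "carol": fast_unsalted_hash(strong),
    }
    # Same input, same output: one guess exposes every account sharing it.
    print("identical hashes:", leaked["alice"] == leaked["bob"])
    print("guessable:", accounts_guessable_from_dictionary(leaked))

    db = {}
    print("weak password rejected:", not register(db, "alice", "qwerty"))
    print("strong password stored:", register(db, "carol", strong))
    print("correct login:", login(db, "carol", strong))
    print("wrong password:", login(db, "carol", "qwerty"))
```

With a per-account salt, two users who pick the same password no longer share a stored hash, so each guess has to be repeated per account at the full PBKDF2 cost.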

Let’s bring it back full circle to our current scenario where “Google” experienced a database breach and hackers got the database of password hashes. Even though you used a unique password for both your “Google” account and your “A Site About Cats” account, hackers stand a good chance of guessing your “Google” password because humans are particularly bad at creating strong passwords. Once hackers crack your password hash, your account is hijacked and likely lost forever. That is, unless you have 2FA enabled!

Hackers had to do a little bit more work this time because “Google” was following best practices on storing passwords, but they ultimately still stole your knowledge authentication factor remotely. Without the second authentication factor (i.e. the possession category) they cannot log into your account. Your account is likely still safe because only you have physical access to your trusted device.

Observant readers will again notice that I said “likely still safe”. Some common 2FA implementations are more vulnerable than others when hackers have access to the entire database. Stay tuned! We’ll address that specifically throughout this series too.

A brief interlude: password managers

You may have realized that we’ve spent a lot of time focusing on poor password practices as the motivation for 2FA so far. You might be thinking “why don’t we just teach people to use strong, unique passwords that hackers can't crack and forget about this whole 2FA thing”?

That is an excellent question!

It would be ideal if everyone used strong, unique passwords for every single account they had online. As we said previously, though, people in general are really really bad at creating strong passwords and also don’t stand a chance of remembering them all. Fortunately, there is a solution!

A password manager can generate strong, unique passwords for all of your online accounts and keep track of them so that you don’t have to. The only thing that you need to remember is a single strong, unique password to unlock the password manager itself.

Using a password manager is a powerful and simple way to drastically improve password hygiene. Alas, password managers have been around for YEARS and are still not commonplace among the average user. In a recent 2017 survey, Pew Research noted that:

“Just 12% of internet users say that they ever use password management software themselves – and only 3% say that this is the password technique they rely on most.”

The tech community should absolutely continue educating users about good password habits and the benefits of using a password manager, but that has proven to be an unrealistic short term solution.

In the meantime, there is only so much that a service provider can do to ensure that a user is following password best practices. For example, providers can show password meters to encourage users to create strong passwords, but they cannot do anything about a user reusing that “one strong password” on all of their online accounts.

In contrast, a service provider knows whether a user has enabled 2FA and also knows that the 2FA is completely unique to their service so it won’t be impacted by breaches on other services. Considering that service providers cannot force users to change their behavior when it comes to passwords, especially password reuse, 2FA is a very effective way for service providers to encourage (or force) users to better secure their accounts.

Let’s take a look at a few scenarios where both the user and the service provider are doing the “right thing” and see how 2FA stacks up.

“Fine! I use a strong, unique password on each website now!” Excellent! You should still enable 2FA. Really.

Now that you understand the danger of reusing passwords and using weak passwords, you leverage a password manager to create strong, unique passwords for all of your accounts. Excellent! You are now drastically more secure online, but only where you are allowed to be. Come again? Many service providers still enforce draconian password restrictions, such as limiting the length to 10 characters. Practices like this put you at risk by forcing you to choose generally weak passwords and there isn’t anything you can do about it as an end-user. In these scenarios, if the service provider does support 2FA, then it will clearly add additional security to your account. You may be wondering “how can a service provider get 2FA right when they get passwords so wrong at the same time?”. That is an excellent question to which there are not many good answers. There is no reasonable defense for restricting passwords in this way in a modern system.

Let’s switch things up and consider another scenario using our completely fictional "Google" service. In this example, you are now using a strong and unique password for your account and “Google” is still following best practices for storing passwords. This is the utopia! Everyone is doing the “right thing”. Regrettably, knowledge authentication factors (e.g. passwords) are still vulnerable to other types of attacks. Let’s explore three of the most common: man in the middle attacks, phishing, and malware/keyloggers.

“Hackers stole my password while I was drinking coffee!” 2FA vs Man in the Middle attacks

Imagine that you are sitting in a cafe enjoying a coffee while connected to the free WiFi. This is a prime chance for a hacker to launch a Man in the Middle (MITM) attack, which would allow them to intercept and read all of your web traffic. (A quick aside: HTTPS helps prevent MITM attacks; you should go install HTTPS Everywhere to help with this.)

As soon as you enter your username/password and click “login”, the hacker has stolen your password. It doesn’t matter how strong or unique the password was, they literally plucked it right out of the web request that was sent insecurely over the network. Now, they can trivially log into your “Google” account using your username/password.

“But wait!”, you say. “When 2FA is enabled, I still need to somehow prove to the website that I have my phone in my possession. That usually requires sending some additional information to the website during the login process, right? For example, the service might send a code to my cell phone, or I look up a code from an app installed on my phone. If the hacker can read all of my web traffic, then they could just steal that 2FA code during the login process too, right?”

Indeed, you are mostly correct!

While most 2FA implementations do not protect against MITM attacks, one 2FA method called U2F is significantly more resistant to MITM attacks. Stay tuned! We’ll cover U2F in detail in another article in this series.

The stolen username/password and 2FA code would give the hacker the ability to log into your account a single time. Why just a single time? One critical property common to all 2FA implementations is that each 2FA code is only valid for a short time period, say a few minutes, and can only be used once. Clearly, a hacker logging into your account at all is not a good thing, but all may not be lost!

Some security conscious service providers require users to reauthenticate before performing particularly sensitive actions, such as changing your email address/password/2FA settings, initiating a financial transaction, etc. Such measures would prevent the hacker from locking you out of your account permanently because they would not have a valid 2FA code to authenticate when prompted a second time. Ideally, the service provider would send you an email to notify you that someone tried and failed to take a sensitive action in your account, which would give you the opportunity to rotate your password and revoke the hacker’s active session to kick them out of your account.
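The short-lived, single-use property and the re-authentication prompt described above, as an added example that is not code from the original article. The article does not name a code algorithm: this sketch assumes time-based one-time passwords (TOTP, RFC 6238) with a 30-second step, uses the RFC's published test key as the shared secret, and `CodeVerifier` is a hypothetical server-side class.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (assumed; RFC 6238 default)
DIGITS = 6   # code length (assumed)


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Compute the one-time code for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CodeVerifier:
    """Hypothetical server side: accept each code once, near the current time."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window          # tolerated clock drift, in steps
        self.last_used_counter = -1   # highest time step already consumed

    def verify(self, code, now):
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # already consumed: a replayed code must fail
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    server = CodeVerifier(secret)

    code = totp(secret, 59)  # what the user's app shows at t=59
    print("code:", code)
    print("login accepted:", server.verify(code, 59))
    # An intercepted copy of the same code, replayed at the
    # re-authentication prompt for a sensitive action, is refused.
    print("replay accepted:", server.verify(code, 60))
    # A code from a long-past time step is refused even if never used.
    print("stale accepted:", CodeVerifier(secret).verify(totp(secret, 0), 120))
```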

Though not all 2FA implementations can prevent MITM attacks from occurring in the first place, it is clear that you’re better off enabling 2FA than not; especially if the service provider has certain security mechanisms in place to reduce the impact and prevent permanent account lockout.

“I accidentally GAVE my password to a hacker!” 2FA vs phishing

As Jimmy Kimmel amusingly demonstrated, the best way to get someone’s password is to simply ask them for it!

This is the exact approach that hackers take when they conduct phishing attacks. Typically, it starts with a user receiving an email that contains a deceptive link. Once the user clicks the link, they will end up on a site that looks like the site they intended to reach, but is actually a fake site controlled by hackers.

Phishing attacks are a massive problem in most industries. The Anti Phishing Working Group (APWG) stated in their 2016 Q4 report that phishing attack campaigns in 2016 shattered all previous years’ records with over 1.2 million phishing attacks, a 65% increase over 2015. To give an example closer to home for all of those Gmail users out there, Google recently found that

“Victims of phishing are 400x more likely to be successfully hijacked compared to a random Google user.”

After submitting the login form on the fake phishing site, you have literally handed your first authentication factor (“something you know”) to the hackers who can immediately use it to log into your account on the real website. Then, hackers can prompt you for your second factor of authentication (“something you have”) in the same way that the real website would. Most likely, you will successfully complete the 2FA portion of the login, which inadvertently grants hackers immediate access to your account. Keep in mind that all of this is automated by software and can happen in real time. It is incredibly difficult to detect without verifying the URL of the website.

Observant readers will pick up on my qualifying language again. Sadly, while most 2FA implementations do not protect you from phishing attacks, U2F does by default! Stay tuned, as we’ll specifically address phishing throughout the rest of the series.

“Hackers stole my password directly from my device!” 2FA vs malware and keyloggers

In the same recent study, Google also concluded that “the threat posed by credential leaks and phishing is orders of magnitude larger than keyloggers at present.” Though the risk of malware and keyloggers is less than that of phishing, victims of keyloggers are still roughly 40x more likely to be successfully hijacked compared to a random Google user. Clearly, that is still a huge problem!

Malware, which includes keyloggers, might get onto your devices in any of a number of ways. You might fall victim to a phishing email and download a malicious email attachment. Or, you might get click happy on a sketchy website. It could even come from a browser extension that you already have installed; if the account of the extension author gets compromised, then malicious code could be pulled down during the next auto update. Regardless of how it gets onto your device, malware can be a huge problem once it is installed.

As the name implies, keyloggers can record every single character that you type on your device. Even if you are securely connected to the legitimate “Google” website, the malware on your computer can locally steal your username/password as soon as you type them in and send them off to hackers. You know the drill once that happens.

Other types of malware could be designed to steal specific information from your device, such as authentication secrets or tokens.

The main way to combat malware is to not get it in the first place by remaining vigilant online and aware of which sites you visit and links you click. Clearly, that isn’t useful advice if your computer is already infected. At that point, the best defense is up to date anti-virus and anti-malware software.

Luckily, some 2FA implementations can help protect your account even if your computer is infected with malware!

Imagine that you are logging into your “Google” account on a device that contains a keylogger. Your username/password will be compromised because they are typed in locally on your computer. Your account could remain safe if you use a 2FA method that is “out of band” (OOB). In that case, you won’t end up typing anything into your malware infected computer, so it can’t be stolen. When using 2FA that is OOB, your knowledge authentication factor (e.g. your password) is sent over a primary channel (e.g. the web connection in your browser), while your possession authentication factor (e.g. your phone) is verified through a secondary channel (e.g. an independent connection from your phone).

Stay tuned to the rest of the series where we will discuss which 2FA methods fall flat when it comes to malware and which are more resistant!

Wrap up

We covered a lot of material in this article. Let’s wrap up with a quick recap.

The term 2FA typically refers to the combination of the knowledge and possession authentication factors. In theory, hackers will have to employ different types of attacks to successfully steal both something you know and something you have.

The knowledge factor (e.g. password) is vulnerable to many different types of remote attacks. The first problem is our own password hygiene. We discussed how 2FA is most helpful if you reuse passwords between accounts and/or use weak passwords that can be easily cracked by hackers in the event of a data breach. Ideally, you should use a password manager to create strong, unique passwords for each of your accounts.

Even for users who practice good password hygiene, there are many other ways that your password can be stolen remotely. 2FA aims to provide better security by forcing hackers to steal something in your physical possession. Unfortunately, many 2FA methods are also vulnerable to different types of remote attacks. Depending on the 2FA method used, your possession factor could be resistant to man in the middle attacks, phishing attacks, and even malware or keyloggers.

Throughout this series, we will dive into the details of the most common types of 2FA. We will explain how each works and discuss whether it can resist these remote attacks. Plus, we’ll highlight some usability tradeoffs to get a better understanding of which method might work best for you (or your users)!

Next up: SMS 2FA!


Thanks to Jordan Fischer and Kristie Butler for reading drafts of this.