August 20, 2020

What is two-step or two-factor authentication (2FA) and how does it work?

Two-step or two-factor authentication is not a new concept. Most of us have already used it, for example with traditional banking: when we make a transfer we are asked for a key from a coordinates card or for a code sent by SMS. Likewise, to withdraw cash from an ATM we have to insert the card (something we have) and enter a PIN code (something we know).

Two-step or two-factor authentication is also used to increase the security of Internet accounts. After you enter your username and password, or before certain actions on a given service are carried out, an additional key is required as a second security layer, which makes fraudulent access difficult if the password is stolen.

As a general rule, you can choose to receive a one-time key by SMS on your mobile or to use a dedicated application such as Google Authenticator or Authy.

Should I use SMS or an app?

Receiving the key by SMS is less secure: a third party can intercept the text message or, simply by using social engineering, convince the phone operator to transfer your number to another device. There is also the possibility that you have linked your mobile to your computer; if the computer is compromised, a third party could gain access to the SMS codes.

An SMS is not something you have, it’s something they send you.

There is also a serious flaw in the protocol used by most telecom operators, Signaling System No. 7 (SS7). It is used when we make calls, send messages or exchange data over the Internet, and its completely outdated infrastructure makes it easy for attackers to redirect calls and messages to their own devices.

When we use a 2FA (second-factor authenticator) application, a secret key provided by the service is entered, either manually or by scanning a QR code. This secret key, known as the seed, is a number stored in the application, which calculates a time-based code from it. This code changes every X seconds. Once the seed has been entered, no Internet access is required for the application to work; it only needs its clock to be correctly synchronized with Internet time, since a difference of a few seconds could change the resulting access code.

Therefore, the service provider and your device share the same secret key, which allows both to perform the same calculation and generate the same time-based code; the service compares the two and, if they match, concludes that it is the legitimate user.
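The calculation described above, as an added example that is not code from the original article or from Genbeta: a TOTP (RFC 6238) implementation in Python, using the RFC reference secret as a constructed sample seed. It also shows the one-window clock-skew tolerance a server usually applies, which is why a few seconds of drift can still make a code fail.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample seed: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way a provider's QR code would carry it.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(seed_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    windows elapsed since the Unix epoch. Both sides compute exactly this."""
    return hotp(seed_b32, unix_time // step, digits)


def verify(seed_b32: str, submitted: str, unix_time: int,
           step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current window and `skew`
    windows on either side, so a clock drifting by a few seconds still works,
    but a code more than one window old is rejected."""
    counter = unix_time // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(seed_b32, c), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SEED_B32, now)
    print("current code:", code)
    print("accepted by server:", verify(SAMPLE_SEED_B32, code, now))
```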

Important note: if you are a victim of phishing and the attackers capture the result generated from the seed together with the exact time, they could deduce the seed by reverse engineering, and so they would have permanent access to the key generated by the 2FA application. To avoid this, many web portals show the correct page, which must match what appears in the browser.


How do I set up two-factor or 2FA authentication with Google Authenticator or Authy?

The process to configure it is practically the same in all the websites that support this type of verification.

Both applications work in much the same way, except that Authy saves all the seeds in a single user account. With Google Authenticator, we recommend keeping a backup so that you can restore the seeds in case of loss or theft of the device.

  • First, go to the App Store or Play Store and download and install Google Authenticator or Authy.

  • Log in to your account, then click on Security in the menu.

  • In the 2FA section, where it says Google Authentication, press the Activate button.

[Screenshot: Kuailian login screen]

  • The system will show a QR code, which you scan with the application by pressing the “+” button and choosing "scan barcode".

[Screenshot: arrows indicating the Security menu and the Activate Google Authentication button]

  • Enter the code that the application shows on the website before the time runs out.

[Screenshot: two mobile screens showing two two-factor authentication applications]

  • Once these steps have been completed, two-factor authentication is enabled. If you get an error, go to the options menu, then configuration, and select code time correction. This can happen when the time on the mobile differs from the time on the server.

Activating two-factor authentication takes no more than 5 minutes and will let you sleep more peacefully.

Source: Genbeta