Two-factor authentication is a way to protect your accounts from hacking. It was first installed on an iOS device. Today, this option can be used for any account. In this post, we will look in detail at what this tool is and how it can be used.
Two-Factor Authentication: What It Is in Simple Words
Two-factor authentication is used to identify a user who is trying to open his account on the Internet. It is protection made up of two layers: a login and password, and a code that is sent to a mobile phone.
The data for the first stage of protection must be memorized. The data for the second stage is sent as a one-time code to a mobile phone number or a security application.
Thus, a user who applies two-stage account protection can count on strong protection against hacking. In addition to SMS, the second line of defense can be a request for biometric data: face recognition or fingerprint scanning.
Despite the development of new ways to protect accounts, the login and password pair will always be with us. Today, these components are required when registering accounts in various services.
What objects need advanced protection
As we said, two-factor (or two-layer) authentication makes it harder to access your accounts. It will be more difficult for attackers to get through two blocking steps when attempting to hack. This protection method is required for:
- work social media accounts;
- personal accounts in government services (government services, pension fund, insurer’s office);
- messengers (WhatsApp, Telegram, Viber);
- bank applications (Internet or SMS banking) and other profiles that store confidential information.
Accounts in smartphones on iOS and Android operating systems also need two-factor authentication. Google and Apple services allow you to make these settings.
Note! If you are the owner of the site and are afraid of losing your account in it, we recommend that you strengthen your protection.
Types of two-factor authentication
There are several types of two-step verification. Each of them can be easily implemented by any user.
For example, on the Vkontakte social network, if there are suspicions of unauthorized entry into the account, in addition to the password and login, an access code or captcha input is requested. This is a form of two-factor authentication.
Let’s take a closer look at what other options exist.
- Username and password plus a code from SMS or email. This technique is considered standard and is used for any accounts: on Instagram, VK, Odnoklassniki, etc. Be careful: scammers are gradually learning to bypass this method of protection.
- Login and password plus photo. When you try to visit your account, a request is made for a face scan. An additional device linked to the account receives a photo of the person who is trying to get into the account. The user only has to confirm the login or deny it (if he did not attempt to log into the account himself).
- Login plus visual label. The latter is a graphical code that you can enter when you log into your account. This technique also has to be controlled on an additional device (smartphone or tablet). It will receive confirmation to login.
- Username plus biometric signal. If a person needs to log into his account on a computer, he must allow his fingerprint or retina to be scanned, or allow face recognition. This can be done through the webcam that is installed on the computer. If there is none, an alert will be sent to the linked smartphone. To do this, it is enough to synchronize the devices with each other and log into the same account on both.
- A login and password pair plus a hardware device. The latter is usually a Bluetooth device, a USB device, a flash drive, a token or another device. To enter your profile, it is not enough just to enter your login and password. You also need to insert one of the devices into the computer. This action will verify your identity.
- Account information plus metadata. When trying to log into his account, the user must connect the GPS system. Satellites read the user’s location with an accuracy of one meter. Only after that they give permission to enter. It is desirable that the account owner has a separate GPS navigator that can be linked to the phone.
It is also possible to connect temporary access by sending permission to an additional device.
For example, a user can only log into an account from 10:00 to 11:00. The rest of the time, access will be closed. Please note that this method records the IP address of the device from which the authorization in the account is performed.
Advantages and disadvantages of two-step verification
Many users try not to use two-factor authentication for their accounts. They argue that this is a rather lengthy process that complicates access.
So that you understand how seriously this protection method should be taken, we suggest studying its merits:
- increased account security (as they say, one PIN is good, but two are better);
- if an account is stolen, you will find out about it immediately via a PUSH notification or SMS;
- a unique code is generated for each login, while the password remains the same until you change it yourself.
As for the disadvantages of two-factor (2FA) protection, there are three of them:
- when setting up identification via SMS code, sometimes you have to wait a long time due to the lack of a cellular signal or technical problems when sending SMS;
- there is a high probability of the SIM card number being cloned and, as a result, of messages with the access code being intercepted;
- low battery. The phone may run out of charge when the SMS is sent, so it will be impossible to get the access code and, consequently, to log into the account.
Please note that if you use an SMS code for additional protection, you must enter it for authorization within 1.5 minutes. You will then need to re-request the code.
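The server side of the 1.5-minute rule can be sketched as follows. This is an added example, not code from any of the services mentioned here: the class and method names, the three-attempt limit and the in-memory storage are assumptions made for illustration.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 90  # the 1.5-minute window described above
MAX_ATTEMPTS = 3       # assumption: discard the code after three wrong guesses


class SmsCodeStore:
    """In-memory store of pending codes, keyed by account name (hypothetical)."""

    def __init__(self):
        self._pending = {}

    def issue(self, account, now):
        """Create a fresh 6-digit code; a new request replaces the old code."""
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, not random.random
        self._pending[account] = {
            "code": code,
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the SMS gateway

    def verify(self, account, submitted, now):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_code'."""
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        if now >= entry["expires"]:
            del self._pending[account]  # user has to re-request a code
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            del self._pending[account]  # single use: the code cannot be replayed
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]  # stops guessing through the 10^6 space
            return "locked"
        return "wrong"
```

Expiry, single use and the attempt limit together are what keep a six-digit code from being guessed or reused inside its validity window.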
How to start two-factor authentication
Below are instructions on how to run two-factor authentication for popular social networks and websites.
How to run two-factor authentication for a WordPress site
To add extra protection to the WordPress admin panel, you can use a free plugin. To configure it, follow these steps.
- Go to the admin panel of your WordPress site, then click on the “Plugins” section. Click the Add New button.
- In the search box, enter the name of the Google Authenticator tool. Then click “Install”, followed by “Activate”.
- If this plugin is not compatible with your version of WordPress, please update to the latest one or use another plugin. At the same time, download the app of the same name to your smartphone. Now, in the admin panel, go to the “Settings” section and click on the plugin you just installed.
- Go to the main page of your console. There you will see the QR code and the generated password.
Next, launch the application on your mobile phone, open the scanner and point it at the QR code. If for some reason you cannot scan, enter the code that appears in the application into the free field.
Each time a user logs into the admin panel, a new one-time code will need to be entered.
How to enable two-factor authentication in VK
If you have a work or personal account in VK, it would not hurt to protect it. We will tell you how to do this in this manual.
- Go through the usual VK authorization, then click on the profile icon and select “Settings”.
- In the security section, click “Connect” in the “Confirmation of rights” section.
Follow the instructions below to ensure 2-level protection. You will receive a message with a code on your phone. Use it to complete the authentication setup.
How to enable double protection on Instagram
In most cases, two-factor authentication for an Instagram account is done using helper apps. The most convenient is Google Authenticator.
You can use the manual configuration method.
- Log in to Instagram from your smartphone. In the profile, find the item “Menu” (three horizontal lines). Then click “Settings”.
- Now find the “Security” section and tap on it. Scroll down the page, select “Two-factor authentication”. Here find the item “Authentication Application”, move the toggle switch in the opposite direction.
- Click “Configure Manually”. If the switch does not appear during the previous step, click “Start”. Copy the generated key into a free input field.
Disable two-factor protection on Apple and Android devices
If you are not afraid to leave your smartphone with all confidential information unprotected, you can disable two-level lock on iPhone and Android. To do this, read the step-by-step instructions for these devices.
- visit the official iCloud cloud storage site;
- enter the code that will be sent to all devices associated with one account;
- go to the “Control” section on the iPhone;
- head over to the official website;
- enter your username and password here;
- in the “Security” section, click on “Change”;
- click Disable Authentication.
A message with a one-time code will be sent to your device. It must be entered in the appropriate field on the website to confirm the deactivation of protection.
- Open “Settings” and go to the “Accounts” section.
- Here select the type “Google Account.”
- Click on “Security”.
- In the “Sign in to your Google Account” section, click “Disable Authentication”.
- Click the Disable button two times.
After that, we recommend that you delete all backup codes and passwords for applications that are stored on Android devices.
How attackers bypass even two-step protection
As practice shows, in most cases, hacks occur precisely on those pages that have two-level verification. As a result, this is what we have.
- Taking control of an account is performed as follows: the attacker goes to the mail service address and resets the password. The access code arrives on the locked device. The attacker asks Siri (the voice assistant) to read out the received code. The gadget does not need to be unlocked for this. The code is entered in the appropriate field, which gives access to the mail. From there, a password reset request is sent from the account itself. The password is then changed to the attacker's own, and the “account” is used freely.
- Hacking a personal account on a mobile operator’s website. The fraudster obtains the answers to the secret questions from the owner of the phone in advance. This method is available to a person who knows who the victim of the hack will be (it may even be an acquaintance or relative). All that is needed is to call the operator and answer all the secret questions to reset the password. After that, the old password is changed to a new one. The account can then be used to order service packages, SMS and additional services.
- Having a personal phone number of an employee of a large financial company or the owner of a personal account, it is easy to hack the latter. In order to connect services or transfer money to a personal account, an attacker makes a request for a login or password, duplicates a phone number or sets up call and SMS forwarding using special applications. After that, he easily receives all the secret one-time codes. Such an operation is usually performed for the purpose of profit.
Summing it up
From the above, it should be concluded that two-level authentication is even more attractive to fraudsters. Therefore, for more serious accounts, the best option is to manually generate a complex multi-character password, which can also be created using special services. True, a password created this way is difficult to remember.
Best regards, Victoria Chernyshenko
specially for the proudalenku.ru project