Two Factor

Two-factor authentication requires users to provide two different forms of identification to access online accounts or devices. It enhances security beyond single-factor authentication, which typically only requires a password. As passwords have become less secure due to data breaches and user practices, more companies and service providers are promoting or mandating two-factor authentication to secure user accounts. Common second factors include one-time passwords sent via email, SMS, or authenticator apps that generate new codes regularly. This makes it harder for hackers to access accounts even if they have stolen a user's password.

Uploaded by sommaiya

Two-factor authentication

Table of Contents

Introduction
1a. What is 2-factor authentication?
1b. How did 2-factor authentication come about?
1c. How is 2-factor authentication used by companies nowadays?
2. What information security risks are there for companies due to Broken Authentication?
2a. What is Broken Authentication?
2b. What are the risks of Broken Authentication for businesses?
2c. How secure is two-factor authentication for companies?
2d. What classifications are there to estimate how risky which types of 2-factor authentication can be for companies?
3. What types of 2-factor authentication can companies use to mitigate the risks of Broken Authentication?
3a. What are the alternatives for 2-factor authentication?
3b. How can 2-factor authentication be used securely by companies?
4.0 Conclusion
5.0 Small Summary
References
INTRODUCTION

2-factor authentication (2FA), also called two-step verification or double-factor authentication, is a safeguard in which users have to verify themselves with two separate authentication factors. This method helps to protect both the user's credentials and the resources the user can access. The assurance given by a two-factor system is higher than that of a process depending on a single factor (SFA), in which only one element, normally a password or passcode, is given by the user. A user-supplied password plus a second factor, normally a security token or a biometric component such as a fingerprint or facial scan, are the basis of two-factor authentication schemes (Wang, 2014). Two-factor verification adds a security component to the authentication process by making it tougher for attackers to get into a person's device or online accounts, because having the victim's password alone does not suffice to pass authentication. Two-factor authentication is used to control access to confidential applications and data, and internet service providers increasingly use 2FA to protect their users' accounts against hackers who have breached their login databases or used phishing techniques to obtain user passwords (Wang and Qing, 2015). Many ways of authenticating someone combine more than one authentication method. Currently most authentication methods rely on knowledge factors, such as a standard password, whereas two-factor authentication methods add a possession factor or an inherence factor (Eldefrawy and Alghathbar, 2011).

- What types of 2-factor authentication are there that companies may have to deal with?

Multi-factor authentication is a security mechanism that allows users to access their accounts using two or more verification methods. Aside from your usual login credentials, such as username and password, the app or website can prompt you to perform other actions, such as clicking on a link or entering a one-time passcode retrieved from your email or mobile phone (Cunningham and Miragliam, 2015). Hackers would find it more challenging to access your accounts when several pieces of information are needed for every login. To check your identity, there are three forms of information that can be used. Many individuals are more familiar with two-factor authentication, which is supported by most end-user websites and applications. So is 2FA the same as MFA? They are not the same. 2FA, however, is a form of multi-factor authentication. Whereas 2FA places one further factor of authentication on top of passwords, MFA can go beyond this to two or more methods of validation (Cunningham and Miragliam, 2015).

In online identity validation, there is no one-size-fits-all authentication approach. Emails can be phished, fingerprints can be copied, voices recorded, and physical keys can be lost or stolen. By combining two or three factors from the above authentication forms, multi-factor authentication solutions provide an adaptive and robust login verification process (Aloul and Hajj, 2009).

Companies That Utilize MFA

- Facebook

Using MFA on your Facebook login is optional. The authentication methods offered by Facebook include one-time codes via email and SMS. You can have a friend authenticate your login via "Login Approvals", or identify your Facebook friends as the app shows you a set of pictures (Aloul and Hajj, 2009).

- Apple

Apple's iPhone smartphones are known for biometrics, including fingerprint and facial scans. But these techniques can also be hacked: fingerprints can be lifted or dusted, while face scans can be faked with 3D models. Worse, a single successful attack compromises you for life, because your biometric features are permanent.

- Google

Google offers many optional MFA tools for end-users, such as one-time codes or links sent to email and SMS, or the Google Authenticator app downloaded to a single mobile device. The physical Titan Security Key, a lightweight, flash-drive-like device which uses public-key cryptography to verify the login page's URL and the user's identity, is also used by Google employees (Eldefrawy and Alghathbar, 2011). It is simpler than you would imagine to enforce multi-factor authentication in your own business. Built-in MFA options accessible via online business applications can be used. An individual MFA provider like TraitWare can also be chosen to unify and merge all your business logins. This gives you full management authority over ongoing logins and more versatility when picking authentication factors (Wang, 2014).


EXAMPLE 1: SHOWCASING HOW MFA WORKS FOR EMAILS

1.a What is 2-factor authentication?

Two-factor authentication (2FA) is a mechanism that requires the user to provide two different types of information to gain access to an online account or computer device (Eldefrawy and Alghathbar, 2011).

In this sense, a factor means a way to persuade a computer system or online service that you are who you say you are, so that the system can decide whether you have the right to access the data or services you are attempting to reach. The username/password pair is by far the most common authentication factor in use today, and because most accounts need only a password for entry, most systems use single-factor authentication for security. With two-factor authentication you will need to have a password and prove your identity in some other way to gain access to

Whether through data breaches or bad user practices, as passwords have become increasingly less secure, more and more users turn to 2FA to secure their digital lives, and many service providers are now promoting or mandating the change.

Bear in mind that it is important to do more to boost online account security before addressing "what is two-factor authentication" or "2FA". It has not escaped criminals that much of our lives now happens on mobile devices and laptops. Malicious attacks on governments, corporations and individuals are becoming increasingly common. There is also no evidence that hacks, data leaks and other cybercrimes have slowed down. Fortunately, with two-factor authentication, also commonly known as 2FA, it is easy for companies to incorporate external protections for their user accounts (Cunningham and Miragliam, 2015).


EXAMPLE 2: SHOWCASING SECURITY OF EMAILS

1b. How did 2-factor authentication come about?

MFA is an authentication method that allows a person to access a resource such as an application, an online account, or a VPN only after presenting two or more verification factors. Multi-factor authentication is a form of authentication, and it is a central component of a good identity and access management (IAM) strategy. Rather than simply asking for a username and password, an additional authentication factor is required, which decreases the probability of a successful cyber attack. MFA works by requiring more pieces of proof (factors). One-time passwords (OTPs) are among the most common MFA factors seen by users. OTPs are 4-8 digit codes received via e-mail, SMS or a smartphone app. With OTPs, a new code is produced regularly or every time an authentication request is sent. The code is generated from a seed value assigned to the user when they first register and another element, which may simply be an incrementing counter or a time value (Eldefrawy and Alghathbar, 2011). Two-factor authentication is designed to prevent unauthorized users with nothing more than a stolen password from accessing an account. Users, particularly if they use the same password on more than one website, can be at greater risk of password compromise than they know. Installing software and clicking on links in emails can also expose a person to password theft (Wang, 2014).

Two-factor authentication is a combination of two of the following:

- Something you know (your password)

- Something you have (such as a code sent by text to your smartphone or another device, or an authenticator app on a smartphone)

- Something you are (biometrics such as your fingerprint, face, or retina)

1c. How is 2-factor authentication used by companies nowadays?

Businesses using any cloud-based software and/or having employees sign in to a virtual desktop should require 2FA for all users. In fact, our bundle for managed service clients includes the installation of software on all user accounts that need 2FA as an additional cybersecurity layer (Eldefrawy and Alghathbar, 2011).

For apps, there are several different options that enable two-factor authentication for companies. Many require the user to enter a passcode sent to their mobile phone. That means workers need to have their phones handy when signing in. It takes a few extra seconds to finish 2FA, but despite the minor inconvenience, it is essential (Aloul and Hajj, 2009).

A final point to bear in mind is that while 2FA provides a major layer of protection, it does not guarantee that your data is safe from cyber-attacks. Social engineering and human error pose the greatest danger to cybersecurity. Continuously educating staff on how to detect suspicious behaviour would also help shore up cybersecurity defences, in addition to a stable IT infrastructure. There are several available methods of multi-factor authentication, but all of them are built to provide a way, separate from the password, to prove that a login is valid. Adding a second step to authenticating the identity of users makes it harder for cybercriminals to access data. This greatly decreases the risk of fraud, data loss and theft (Eldefrawy and Alghathbar, 2011).
2. What information security risks are there for companies due to Broken Authentication?

There are three major risks of broken authentication: hijacking, URL rewriting and session fixation. These are the major risks for companies and organizations running web pages or social media platforms where people's data is supposed to be secure; if authentication is broken, the data can be stolen and misused. In the present data-driven environment, the security of data is becoming crucial and vital. If the application keeps the same session ID throughout the session, the attacker can use a session ID obtained before the victim logged in to take over the user's authentication. The session ID handed to the server becomes the authenticated session ID and grants access to the secured services, whether it is the attacker or the victim who submits it (Cunningham and Miragliam, 2015).

2a. What is Broken Authentication?

The term broken authentication covers multiple vulnerabilities that attackers use to impersonate real internet users. Failed authentication is usually attributed to inadequacies in two areas: session management and credential management. Both are known as broken authentication since attackers use either avenue to hide behind the session ID or the login credentials they have stolen. To take full advantage of these vulnerabilities, attackers use a wide range of tactics, ranging from massive credential stuffing attacks to narrowly tailored strategies aimed at obtaining the password of a single user. In recent years, many of the worst data breaches have been attributed to broken authentication attacks, and security analysts sound the alarm about this under-recognized threat (Eldefrawy and Alghathbar, 2011). Since 2017, the Open Web Application Security Project (OWASP) has listed it in its 'Top 10' list of the greatest security threats for web applications. Broken authentication had risen to the number two position by 2020.

2b. What are the risks of Broken Authentication for businesses?

The credibility of standard ways of storing usernames and passwords in a database can be treated as fractured (broken) authentication. Critical data is migrated to cloud systems, enabling users to log in from anywhere for ease of access. The accessible-anywhere feature makes it difficult for conventional approaches to protect the various possibly insecure entry points. For businesses with massive amounts of data, the following are the risks they might face due to broken authentication:

- Broad-based phishing

- Credential stuffing

- Spear phishing campaigns

- Password spraying

- Session hijacking

Broken authentication affects codes, keys, session tokens, or other user identity entities. Vulnerabilities in user credentials lead attackers to target a single account owner or a group of customer accounts. If the intruder is successful, they get full access to the database, which can affect the victim in many ways. Reputational and financial harm may be inflicted by the intruder. They can also act as an impostor to defame the victim among their close relations. Selling the compromised credentials to another party is another option (Cunningham and Miragliam, 2015).

2c. How secure is two-factor authentication for companies?

Two-factor authentication, and the equivalent two-step verification, which is sometimes viewed as a separate method and sometimes not, means you need another piece of evidence in addition to your credentials and contact information. In most user applications it is either an SMS code sent to your device or a code created by a dedicated authenticator app. When you set up 2FA you are forced to show that you are the owner of the phone and the corresponding cell number, and that grants you permission to create and collect codes. Hackers won't be able to log in unless they have access to your phone as well as your email address and password. 2FA codes are often sent by email, which can be replaced by a physical item such as a USB key that you may need to get into your account (Google provides this as an alternative) (Eldefrawy and Alghathbar, 2011).

2d. What classifications are there to estimate how risky which types of 2-factor authentication can be for companies?

There are numerous risks for companies based on two-factor authentication, and one major risk is that the factors through which authentication is done can be lost. Imagine that you have SMS codes as the second security factor. It works perfectly fine for day-to-day bank account checking and the like, but then you are struck by a major storm and left for days or weeks without power. While two-factor authentication offers additional security, the level of this additional security is often exaggerated. Some people might also claim that an account secured with two factors is almost impossible to compromise, but that is just not valid (Wang, 2014).

3. What types of 2-factor authentication can companies use to mitigate the risks of Broken Authentication?

Such vulnerabilities can allow an attacker to either capture or circumvent the web application's authentication methods. An application is exposed if it:

- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

- Permits brute force or other automated attacks.

- Permits default, weak, or well-known passwords such as "Password1" or "admin/admin".

- Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe.

- Uses plain text, encrypted (see A3:2017-Sensitive Data Exposure) or weakly hashed passwords.

- Has missing or ineffective multi-factor authentication.

- Exposes session IDs in the URL (e.g. URL rewriting).

- Does not rotate session IDs after a successful login.

- Does not properly invalidate session IDs: user sessions or authentication tokens (such as single sign-on (SSO) tokens) are not invalidated on logout or after a period of inactivity (Eldefrawy and Alghathbar, 2011).
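Section 2 describes session fixation, and the list above names the session-handling failures behind it: session IDs in URLs, no rotation after login, no invalidation. The following added example (not the report's code) contrasts a login that keeps the pre-authentication session ID with one that rotates it, and adds idle expiry and server-side logout; the store layout, method names and 15-minute timeout are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value


class SessionStore:
    """In-memory session table: sid -> {"user": str | None, "last_seen": float}.

    `clock` is injectable so idle-timeout behaviour can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self.sessions = {}
        self.clock = clock

    def create(self):
        """Issue a fresh, unpredictable anonymous session (e.g. on first visit)."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self.sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid

    def login_keep_sid(self, sid, user):
        """Vulnerable pattern: authenticate the session the client already holds.

        If a third party knew `sid` before login (it was in a URL, or was planted in
        the browser), it is now a logged-in session that they also know.
        """
        s = self.sessions.get(sid)
        if s is None:
            return None
        s["user"], s["last_seen"] = user, self.clock()
        return sid

    def login(self, sid, user):
        """Hardened: discard the pre-login session and bind the user to a new id."""
        self.sessions.pop(sid, None)  # the previously known id stops working
        new_sid = self.create()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        """Resolve a presented session id; expire it if idle for too long."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate server-side; clearing only the client cookie leaves a live session."""
        return self.sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore()
    pre_login = store.create()
    post_login = store.login(pre_login, "alice")
    print("old id still valid:", store.user_for(pre_login) is not None)  # False
    print("new id resolves to:", store.user_for(post_login))             # alice
```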

3a. What are the alternatives for 2-factor authentication?

There are numerous ways for businesses to implement two-factor authentication, though they are costly, and the factors used for 2FA have to be kept secure: if they are lost, the chance of being locked out of the account becomes higher. Securing it with strict factors can also create a risk of locking the account, because such factors can be forgotten, misplaced or, with time, stop working properly. In the business environment, biometrics and eye scans are the alternative solution for two-factor authentication (Wang and Qing, 2015).

3b. How can 2-factor authentication be used securely by companies?

Companies using any cloud-based applications and/or staff who have a virtual machine connection should require 2FA for all users. In fact, our bundle requires the installation of a programme on all user accounts that need 2FA as an external cyber protection framework for our managed service customers. There are various software options that allow companies to authenticate with two factors. Many require the user to enter a passcode that is sent to their mobile phone. It means the workers must have their mobile at hand when signing in. And although it takes a few extra seconds to execute 2FA, it is significant regardless of the minor downside. Finally, while 2FA adds an important safety layer, it does not ensure that your data is safe from cyber attacks. Social engineering and human error are the greatest risk to information technology (Cunningham and Miragliam, 2015).

4.0 Conclusion

In conclusion, two-factor authentication is a secure method commonly used by many customer-oriented and data-oriented companies to secure business profiles, but when it comes to business the two-factor authentication has to be more secure, and factors have to be securely remembered by individuals so that locking of the account does not happen. Many multi-factor authentication mechanisms are available. However, all of them are built to demonstrate that a login is valid by a means separate from the password. Adding a second stage to user identity verification makes it harder for cyber criminals to access files. The risks of malware, data loss and theft are reduced dramatically. 2FA, two-step verification and multi-factor authentication are also known as two-factor authentication. It is a way to authenticate your employees: in the case of a company, each site you are on or access is authenticated starting from typing a user login and password.

5.0 Small Summary

Two-factor authentication is becoming a secure way of doubly securing accounts. It is commonly used by social media platforms and many small businesses; however, the factors have to be designed in a manner that does not lead to broken authentication, because that increases major threats to user accounts. In this report, different aspects of two-factor authentication have been discussed with examples.


References

Aloul, F., Zahidi, S., & El-Hajj, W. (2009, May). Two factor authentication using mobile phones. In 2009 IEEE/ACS International Conference on Computer Systems and Applications (pp. 641-644). IEEE.

Cunningham, C., Good, T., Kearney, S. P., Miraglia, M., Amundsen, T., Giordano, P., ... & Zhu, X. (2015). U.S. Patent No. 8,976,030. Washington, DC: U.S. Patent and Trademark Office.

Eldefrawy, M. H., Alghathbar, K., & Khan, M. K. (2011, April). OTP-based two-factor authentication using mobile phones. In 2011 Eighth International Conference on Information Technology: New Generations (pp. 327-331). IEEE.

Jin, A. T. B., Ling, D. N. C., & Goh, A. (2004). Biohashing: two factor authentication featuring fingerprint data and tokenised random number. Pattern Recognition, 37(11), 2245-2255.

Schneier, B. (2005). Two-factor authentication: too little, too late. Communications of the ACM, 48(4), 136.

Wang, D., & Wang, P. (2016). Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Transactions on Dependable and Secure Computing, 15(4), 708-722.

Wang, D., He, D., Wang, P., & Chu, C. H. (2014). Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Transactions on Dependable and Secure Computing, 12(4), 428-442.

Wang, D., Wang, N., Wang, P., & Qing, S. (2015). Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Information Sciences, 321, 162-178.
