Part 1

In a world in which we are increasingly online, it is important to protect yourself properly. The trusted username/password combination is often no longer sufficient. Two-step verification has arrived. Read here which methods are available and how to use them.

Rein de Jong

Logging in with a username and password has become less and less secure over the years. Better and faster computers have made it easier to recover a password by brute force. Especially when, like many users, you use the same combination of username and password for every login. That makes it very easy for hackers: once they find that combination, they can access every account that is secured with it. Add to that the data breaches we hear about every day, which have exposed millions of username/password combinations.
Because of this, many organizations, websites, computer manufacturers and mobile device manufacturers offer the option of logging in with two-step verification (Two Factor Authentication, or 2FA). Banks were the first to do this: you can only gain access to your bank account on the basis of something you know and something you have. In this case your PIN code, your debit card and the so-called authenticator.

[Figure 01: 2FA]

WHAT IS TWO-STEP VERIFICATION?
Two-step verification is a login method characterized by requiring two separate parts. Usually this means knowledge of a code plus possession of a registered device on which the second part of the code is received or generated. So in addition to the username/password combination, a second part (a code) is needed to confirm your identity.
The best-known form of two-step verification is at the bank, where you need both your debit card and your PIN to withdraw money from an ATM or pay at a terminal. In addition, most banks also use Multi Factor Authentication when you transfer money. In that case, in addition to the debit card/PIN code/fingerprint login, you are also expected to generate a code with an authenticator and enter it.
The implementation of two-step verification varies by organization. Each of the methods has its own advantages and disadvantages. The biggest disadvantage for everyone is: ‘the hassle’. It simply takes more effort to work safely, and we don’t really want that extra work.

2FA ON A MOBILE DEVICE
You can use your smartphone as a second factor. The relevant website or service then sends you an SMS with a code that you must enter for verification. You can also receive a message on your phone that you must answer with Yes or No, or you have to start a special app to generate the code.

[Figure 02: 2FA by SMS]

In the example above, Facebook uses a second factor by sending a text message. So you have already entered your username and password, and you then enter the one-time code, valid for a limited time, that was generated on or sent to your phone. Another example is DigiD with SMS verification.

Advantages:
– It is user-friendly;
– You don’t need to bring an authenticator, as the process uses your own mobile device;
– The codes are generated on demand and are only valid for a limited time, making them more secure than static passwords;
– A limited number of attempts are allowed, which reduces the risk of cracking.
Cons:
– If you are outside the range of the GSM network, the code will not reach you;
– Your smartphone may be stolen, lost or damaged;
– Hackers can use SIM cloning to access the SMS code (this method is called spoofing);
– By sharing your mobile number with the relevant service, you give up privacy.
The above drawbacks can be avoided by using an authenticator app. An authenticator app generates codes that you can enter as a second factor at a service that supports it. The best-known is the Google Authenticator. However, if you are not a Google fan, the Authy app is an excellent alternative (pereffect.nl/blog/gids-authy). You link the service to Authy by scanning a QR code shown by the service and entering the generated code back at the service for verification. From then on, Authy generates the code the relevant service asks for as the second factor.
In addition to the mobile versions, Authy also has versions for the desktop. Authy can make backups of the services you have activated, linked to your phone number and a password. Going into Authy in detail is beyond the scope of this article; maybe something for a future article. It is not that difficult: a matter of reading carefully. If you find the English language difficult, DeepL (deepl.com/translator) is your best friend for translation, as an alternative to the well-known Google Translate.

2FA WITH RANDOM READER, SCANNER OR DIGIPAS
Other companies, including many banks, supply small devices with which you can generate a code, or on which a continuously changing code is displayed. In the first case, you insert your debit card (not with the Digipas) and enter your PIN code, after which you either type in a number or scan an image from the screen. The device then shows a code that you enter on the screen.
The method used by the banks can also be used to log in to companies and institutions that use iDIN. iDIN is a service that lets you identify yourself using the secure and trusted login means of your own bank.
Advantages:
– Easy to use;
– No mobile phone needed;
– It can be easily taken along;
– Random readers are interchangeable;
– The code changes periodically, leaving no password to steal.
Cons:
– It is prone to man-in-the-middle attacks (see Wikipedia for an explanation);
– Separate extra device to take with you.

[Figure 03: FIDO2 key]

2FA WITH SECURITY KEYS
By security keys we mean physical FIDO keys. These are special small USB keys that you can hang on your key ring. They protect your accounts: the FIDO key is the second factor. Some of the keys also allow you to encrypt email, and there are also some that scan and verify your fingerprint in addition to using the key. You can additionally protect the key with a PIN code, so that it cannot be used in the event of loss or theft. The service itself never receives your PIN or fingerprint. A FIDO key is therefore the most secure two-step verification method available and can even eliminate the need for a username/password combination. That led me to buy one myself: the YubiKey 5 Nano. There are now also keys with an NFC chip for mobile use, which I would opt for now.

Advantages:
– Easy to use: a push of a button or finger scan is enough;
– No phone needed, so no phone number to share;
– It can be carried very easily;
– The code changes periodically, leaving no password to steal.
Cons:
– You must always have your FIDO key with you, or set up an additional two-step verification method for the service;
– It costs money to buy one. But what’s a few bucks for extra security?

SERVICES USING 2FA
Most services and institutions do not (yet) require the use of 2FA, although it would be a lot safer. Here we briefly look at one of the best-known organizations that uses two-step verification to verify the identity of users when they log in: the government.
But Facebook, Twitter, Google, Apple, Microsoft and Paypal also all use 2FA, even though setting up and logging in all work slightly differently. An explanation of their 2FA method can be found in the following issue of PC-Active: ‘Secure with two-step verification, part 2’.

GOVERNMENT
The government has set up DigiD to identify you unambiguously at institutions that are legally authorized to use Citizen Service Numbers (BSN), such as government institutions, pension funds, education, healthcare and health insurers. Any other company or organization should never, ever ask for your citizen service number, let alone save it!
With DigiD you show who you are when you arrange something via the internet, and your data remains well protected. DigiD can be used with only a username and password, but you don’t want that. The easiest way to log in is with the DigiD app, but if you don’t want to or can’t, log in with SMS verification. If you want to view or change extra privacy-sensitive matters with your DigiD, an extra proof of identity is required. That ID check can easily be done in the app when your phone can read the NFC chip of your ID. If that is not possible, you can ask someone else who is willing to perform the ID check for you via the Check-ID app.

[Figure 05: DigiD PIN code]

If you want to do digital business with the government, use of a DigiD is mandatory. You request it and activate it on the digid.nl site. After you have entered your BSN, date of birth, zip code and house number, you can choose a username and password. It is wise to immediately enter your mobile number for an SMS check. If you do not have a mobile number, a landline number is also an option; you then receive the code as a spoken message. Then all you have to do is enter an email address. A few more checks follow. You will then receive a letter at home with the activation code. When everything is complete, activate the DigiD app for your own safety.
On digid.nl there are excellent step-by-step guides for working safely with your DigiD. To ensure that 2FA is always used for your DigiD login, you must of course set this up by logging in to mijn.digid.nl and adjusting the setting there.
If you want to log in to a website with your DigiD, you can choose between logging in with an SMS code or with the app. If you choose the app, you open it, tap Start and enter the pairing code. Then you scan the displayed QR code and, after you have finally entered your own PIN code, you are granted access.
As mentioned: in PC-Active 320, published September 24, we describe how to set up 2FA for the services Facebook, Twitter, Google, Apple, Microsoft and Paypal.

2FA AND YOUR EMAIL ACCOUNT
Since your email accounts are the ‘most important accounts’ you have, each of them should of course be protected with 2FA! Just think how many services have asked you for your email address in recent years. It will make you dizzy! Even if you do not use the email address to log in, it is used as a recovery address. You should therefore secure your mail accounts with a (really) long and unique password: a minimum of fifteen characters, but preferably longer, to withstand a brute force attack. Hackers can cause you a lot of harm and inconvenience when they gain access to your email account. With two-step verification and an alert user, that becomes almost impossible! You don’t want to imagine malicious parties having access to your mail. It’s really no fun having to clean up such a mess. That will take you days or weeks.

SAME PASSWORD?
And now that we use two-step verification everywhere, can we use the same password everywhere again? I understand the thought, but alas: do not do it! If there is one password that unlocks everything, it is the password for your password vault. That is probably the most important password you have. For me, that’s a password of over thirty characters, which is also protected with 2FA! Do you also use a password vault? Then secure it with two-step verification!
Oh yes, for your own safety it is not wise to mark a device as ‘trusted’. Sure, that’s easy, but it disables two-step verification for that device. So that’s not wise. After all, the goal of 2FA is to protect your personal and financial data, and marking a device as ‘trusted’ negates that.

[Image: Apple 2FA]
In part 2 of this article, in the next issue, you will read how Apple has set up its two-step verification.