Technical Notes Of Ehi Kioya

An Introduction To Two-Factor Authentication

By Ehi Kioya 8 Comments

Hackers continue to think of new ways to get around the security controls on websites. Their goal is to bypass your user authentication process and gain access to sensitive data. Two-factor authentication (also known as 2FA or two-step verification) is one way to stop them in their tracks. This article explains what two-factor authentication is, how the process works, and what you need in order to implement it on your site.

If you’ve ever had your information hacked, you feel vulnerable to future threats. People who don’t understand cyber threats lose trust in even the most commonly visited websites. Building user trust is an important part of generating business and signups on your site. While two-factor authentication isn’t a new type of security, it hasn’t been adopted by many site owners – even though lots of sites today allow users to log in. Two-factor authentication can greatly reduce the risk of your customer accounts being hacked. If you store sensitive data on your site, it’s time to consider 2FA for your users’ security.

What is Two-Factor Authentication?

In the security field, there are three factors for identifying a person:

  • Something they know (password)
  • Something they have (smartphone or some other authentication device)
  • And something they are (for instance, a fingerprint)

Typically, webmasters ask for the first item only – something the user knows, which is a password. With all the successful hacks in the media, the IT industry introduced a way to verify two of these factors rather than one. This is where the terms “two-step verification” and “two-factor authentication” came from.

2FA involves a password plus a device that produces a number unique to the user. Old-school methods used a hardware token synced with a server: the device displayed a new number every 60 seconds, and that number was synced with the authentication server. Users were asked to enter their password and the pin shown on the device. The problem was that the server and device would drift out of sync, and users would have to call a help desk to re-sync the device.

Older methods were effective, but they caused overhead for support and hassles for users. These third-party devices were also expensive since corporations were forced to provide each employee with one. The IT industry came up with new 2FA methods, which companies such as Google and Twitter have adopted.

Implementing 2FA

Most users have a smartphone. So the IT industry built 2FA to take advantage of the fact. Mobile phone two-factor authentication is based on users’ cellular service that allows them to receive text messages. You might run into a few users who don’t have cellular service, but the great majority of your users have a plan that allows them to receive a pin in an SMS text message.

To implement two-step verification on your own site, you’ll need an SMS service where you send a unique pin to the user. This pin should only be sent to an authorized number. In other words, the official phone number for the account can receive a pin during the login process but no alternative numbers can be used until a successful login occurs. If a user forgets his password, he must go through security steps to reset it. Sending a password to an unauthorized device leaves your 2FA open to hackers.
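The server side of the SMS flow just described, as an added example that is not from the original article: the pin is generated with a CSPRNG, sent only to the phone number registered on the account (a request to use any other number is refused), stored only as a keyed hash, and accepted once, within a five-minute lifetime and at most five guesses. Both limits are assumed policy values, the gateway class is a constructed stand-in for a real SMS provider, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 300   # assumed policy: a pin is only good for five minutes
MAX_ATTEMPTS = 5        # assumed policy: wrong guesses allowed before the pin is discarded


@dataclass
class User:
    username: str
    registered_phone: str       # the one number that may receive login pins


@dataclass
class PendingPin:
    pin_mac: bytes              # keyed hash of the pin; the pin itself is never stored
    expires_at: float
    attempts: int = 0


class RecordingSmsGateway:
    """Constructed stand-in for an SMS provider: records messages instead of sending them."""

    def __init__(self):
        self.sent = []

    def send(self, phone: str, text: str) -> None:
        self.sent.append((phone, text))


class SmsSecondFactor:
    """Issues and checks one-time pins after the password (first factor) has already been verified."""

    def __init__(self, gateway, clock=time.time):
        self.gateway = gateway
        self.clock = clock
        # Server-side key: a leaked pending-pin table cannot be brute-forced offline without it.
        self.key = secrets.token_bytes(32)
        self.pending = {}

    def _mac(self, pin: str) -> bytes:
        return hmac.new(self.key, pin.encode(), hashlib.sha256).digest()

    def issue(self, user: User, requested_phone=None) -> None:
        # Only the number registered on the account may receive the pin. Offering
        # "send it to another number" during login would hand the second factor to an attacker.
        if requested_phone is not None and requested_phone != user.registered_phone:
            raise PermissionError("pins are only sent to the registered phone number")
        pin = f"{secrets.randbelow(10 ** 6):06d}"      # CSPRNG, zero-padded to six digits
        self.pending[user.username] = PendingPin(self._mac(pin), self.clock() + PIN_TTL_SECONDS)
        self.gateway.send(user.registered_phone, f"Your login code is {pin}")

    def verify(self, user: User, pin: str) -> bool:
        entry = self.pending.get(user.username)
        if entry is None:
            return False
        if self.clock() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user.username]            # expired or exhausted: force a fresh pin
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.pin_mac, self._mac(pin)):
            del self.pending[user.username]            # single use
            return True
        return False


if __name__ == "__main__":
    gateway = RecordingSmsGateway()
    second_factor = SmsSecondFactor(gateway)
    alice = User("alice", "+15550100")              # constructed sample account
    second_factor.issue(alice)
    phone, text = gateway.sent[-1]
    print("sent to", phone, ":", text)
    print("correct pin accepted:", second_factor.verify(alice, text.split()[-1]))
    print("same pin again:", second_factor.verify(alice, text.split()[-1]))
```

The attempt cap matters as much as the lifetime: a six-digit pin has only a million values, so without a cap an attacker who has the password can simply guess until the pin expires.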

Customer Security

You might wonder what you get for implementing 2FA. It looks like an easy addition, but retrofitting 2FA onto an existing website takes time, especially once bug fixing is included.

If you remember, Heartbleed gave hackers the ability to gain unauthorized access to user accounts. The bug lay behind a security breach that affected millions of web servers. If users had had two-step verification, Heartbleed wouldn’t have exposed their data: hackers could obtain a user’s password, but they wouldn’t have the pin. Effectively, 2FA blocks common hack attempts. The only way for a hacker to bypass 2FA is to have access to the user’s smartphone.

With 2FA, you offer a higher level of security for your users. When serious security breaches affect a large proportion of the Internet, you’ll know that your users are secure. If you store sensitive information, consider 2FA as a part of your website’s authorization process.

Filed Under: Musings, Security Tagged With: 2FA, Programming, Security

About Ehi Kioya

I am a Toronto-based Software Engineer. I run this website as part hobby and part business.

To share your thoughts or get help with any of my posts, please drop a comment at the appropriate link.

You can contact me using the form on this page. I'm also on Twitter, LinkedIn, and Facebook.

Comments

  1. Brian Nyagol says

    February 18, 2016 at 1:23 pm

    Ehi last time I commented here, it told me that I am a spammer. This is good information. We as programmers need to really take this into consideration. I only want to say that the 2FA work flow needs to be flawless to protect what it is intended to.

    • Ehi Kioya says

      February 18, 2016 at 1:47 pm

      Hi Brian,

      Sorry about the message calling you a spammer. I know you’re not 😉
      That was a temporary glitch in the code of my comments section. I have now fixed it. Thanks for coming back.

      I agree that 2FA involves quite a lot to make it achieve its goals. This is just a high level overview of the technology. Maybe someday, I’ll write a more in-depth article and possibly share some code.

  2. Andrews Ata Kangah says

    September 12, 2018 at 12:37 pm

    I think every programmer should know your blog and I am really going to spread the word. Sometimes, I just don’t have time to go into the details of all the tech stuff that is currently being used, but as a programmer I need to know. And I find that your blog, alongside your frequent posts on Twitter, helps me to achieve just this. Thanks a lot, and I just subscribed; keep ’em coming.

    • Ehi Kioya says

      September 12, 2018 at 1:34 pm

      Thanks for the kind words Andrews. And thanks for subscribing. There’s certainly a lot more to come 🙂
      Watch out for daily updates even.

  3. Sal says

    March 13, 2019 at 5:59 am

    Take a look at developer.saaspass.com

    Supports more 2fa methods including scan barcode, push login, mobile web, iOS SDK and Android SDK. There is a RESTful API and SAASPASS Connect (OIDC) as well.

  4. Euphemia says

    July 1, 2019 at 10:11 am

    Please, since Google Authenticator doesn’t back up one’s details on Google Cloud, what other 2FA authenticator app can I use? I mean, one that is not phone based. Like, one that even if I lost the phone housing the app, I can still get codes when I get another phone and the same app.

    I have information locked up in an exchange just because I lost access to the email I used to sign up, including the phone number that I used to create the email. All this happened because I lost access to my Google authenticator when I lost my phone.

    • Ehi Kioya says

      July 2, 2019 at 5:24 am

      Hi Euphemia,

      Google Authenticator works with many different vendors and services including Twitter, Amazon, etc. The method you need to use to regain access to your account will depend on the specific service you’re using Google Authenticator for. With some services, when you first set up Two-Factor Authentication, you receive a backup code in case you lose your phone. If this is the case, just use that backup code to set up Google Authenticator on your new phone.

      If you lost your phone, don’t have a backup 2FA code, and don’t have access to the email used to set up the account, I’m afraid you may need to contact the support guys for the specific service for which you need access. It may take a while since they will need to somehow verify that you’re actually you. But usually, they should be able to help.

      Regards!

      • Euphemia says

        July 3, 2019 at 2:32 am

        Thanks Ehi.
        I will go for Sim welcome back. That I think will help me
