Just a quick overview about the difference between two-factor (2FA or TFA) and secondary authentication methods, for those new to the concept. Confusing one method by another can lead to a misguided sense of security. Especially when considering being ‘completely safe‘ is only an illusion.

  1. Glossary
  2. 1. Two-factor auth
  3. 1.1 – Logic
  4. 1.2 – Security
  5. 1.3 – Methods
  6. 2. Secondary auth
  7. 2.1 – Logic
  8. 2.2 – Security
  9. 2.3 – Methods
  10. 3. Multi-factor auth
  11. 3.1 – Logic
  12. 3.2 – Security
  13. 3.3 – Methods
  14. Related stuff

Glossary

Keychain

A password manager such as 1Password, KeyPass, Apple Keychain.

Login

Usually username and password, but sometimes only a password.

OTP

One-time password that is generated from a unique key and the current time (TOTP) or host events (HOTP). Mostly a 5, 6 or 7 digit code, but also available as a hex string (0-9 a-f). Time-based generation is most common at a 30 seconds interval, like the Google Authenticator app does. This requires the clock on both systems to be synchronized, which can easily be achieved by using NTP servers.

Pin

Multi digit code that doesn’t change or only by manual action. It has usually 4 to 6 digits.

1. Two-factor auth

1.1 – Logic

Something you know and something you have.

The idea is that when someone finds out your login or pin code they still need to have the other thing to gain access. It is best known since ancient times as having a physical key to open the first door and then speak a secret passage phrase to have someone open the second door from inside.

In today’s tech world this is very effective when the database containing all user logins was leaked, assuming of course the service didn’t store your generation key. And the other way around when they have your physical authenticator they also need to know what you know.

When the OTP generation key is stored in a different location, for example a hardware device, it still protects the account when your login keychain is compromised.

1.2 – Security

Medium to high

When the second factor is stored in the same place as the first factor it only protects against login theft. If someone found your username and password (sniffed, fishing, hacking or service database leak) or only your username and somehow have access to your email (password recovery) they would still need your second factor to gain access to the target account. Sadly, these are often kept in the same app where the login is stored.

This is the most common application and often mislabeled as two-factor authentication while in reality it is a secondary auth method, because they only need something you know: your login and the keychain password. Both can be often easily derived from the target’s social media accounts or guessed from the most common passwords. Only when the keychain is on a different device or is highly encrypted and requires a physical interaction (i.e. fingerprint) that can’t be escaped, it becomes a two-factor method because then they require something you have.

When an OTP code is received as a SMS text message on a phone, it may seem like a good security method. However, the notifications often mention the code on the phone’s lock screen without unlocking the phone. Anyone with physical access to the phone can read those messages and use it to confirm your identity.

The Yubikey (Yubico)

1.3 – Methods

  • physical key + secret password.
  • login + OTP on a different device
  • smart card + login
  • smart card + pin
  • verification device + login. This device can be a usb-dongle, bluetooth, smart watch, smartphone, Yubikey, fingerprint, iris scan or other biometrics.
  • verification device + pin

Any combination of the above makes it a multi-factor authentication method which can provide a very high security level.

2. Secondary auth

2.1 – Logic

Something you know and something else you know.

Here the idea is to confirm your identity by testing your knowledge.

2.2 – Security

Low

Not many people can remember all the details and thus either choose easy answers like date of birth or favorite artist which can all be found on their Facebook profile, or they store them in their one keychain or write it down somewhere to have it quickly available.

2.3 – Methods

  • login + pin
  • login + OTP on the same device without mandatory biometrics
  • login + sms code
  • login + security questions
  • login + second login at the same or another service
  • VPN + login

3. Multi-factor auth

3.1 – Logic

Multiple things you have and something you know.

Multi-factor authentication (MFA) is a combination of the other two authentication methods which requires multiple physical things or even multiple persons and a bit of knowledge to gain access to a system.

3.2 – Security

Very high

The chance of someone having all pieces of the puzzle in their possession can be very low. These systems often combine a smart card with biometrics scanners like multiple fingerprints (four-finger authentication or 4FA) and face recognition with a physical private-key based OTP generator (things you have) and a special sequence like a certain color arrangement or passphrase (something you know).

Including a waiting time out in the chain can also be one of the security factors as it can test someone’s intentions. A stressed person can become visibly nervous when they don’t get instant feedback about their clearance.

3.3 – Methods

Any combination of the earlier mentioned TFA methods.