{{Header}} {{Title|title= Two-factor Authentication (2FA) }} {{#seo: |description=How novice and advanced users can benefit from Two-factor Authentication (2FA). Avoiding inaccessible online accounts/logins. Time-based One-time Password (TOTP). "Google Authenticator." Universal Second Factor (U2F) security/physical keys. |image=2FA.jpg }} [[File:2FA.jpg|thumb]] {{intro| How novice and advanced users can benefit from Two-factor Authentication (2FA). Avoiding inaccessible online accounts/logins. Time-based One-time Password (TOTP). "Google Authenticator." Universal Second Factor (U2F) security/physical keys. }} = Introduction = {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px]] | text = You are your email address! If an email address is hacked, the attacker can potentially take over most of your digital identity. This can lead to impersonation on social media and forums, the depletion of banking/credit/shopping accounts, access to cloud storage services or password managers, and more. }} {{mbox | image = [[File:Ambox_notice.png|40px]] | text = 2FA is beneficial even for advanced users that have the capability to easily detect phishing attempts. The reason is email addresses used for (financial) service sign-up can be hacked due to factors outside of an individual's control, such as database leaks, malicious insiders and so on. In that case 2FA will still afford protection to accounts. }} == Definition == Even users who are knowledgeable about [[Social_Engineering|(spear) phishing]] can benefit from two-factor authentication (2FA). 2FA and similar terms are encompassed under the broader multi-factor authentication (MFA) definition: https://en.wikipedia.org/wiki/Multi-factor_authentication
Multi-factor authentication ... is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorised third party that may have been able to discover, for example, a single password.2FA can be used to strengthen the security of online accounts, smartphones, web services, access to physical locations and other implementations. By requiring two (or more) separate and distinct forms of information/identification before secure access is granted to something, this minimizes the threat posed by malicious actors. 2FA relies upon a combination of two of the following: https://www.investopedia.com/terms/t/twofactor-authentication-2fa.asp * something you know -- like a password * something you have -- like a code sent to a smartphone or smartphone authenticator application * something you are -- such as biometric markers (fingerprints, face or retina scans) A familiar example of 2FA is the withdrawal of money from an Automatic Teller Machine (ATM). To withdraw cash it is necessary to present a valid credit or debit card (something you have), and to enter a Personal Identification Number (PIN; something you know) for a successful transaction. Although this increases overall security, this procedure is vulnerable to attacks such as [https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/skimming ATM skimming]. In this attack:
* ATM skimmer devices usually fit over the original card reader. * Some ATM skimmers are inserted in the card reader, placed in the terminal, or situated along exposed cables. * Pinhole cameras installed on ATMs record a customer entering their PIN. Pinhole camera placement varies widely. * In some cases, keypad overlays are used instead of pinhole cameras to records PINs. Keypad overlays record a customer’s keystrokes. * Skimming devices store data to be downloaded or wirelessly transferred later.https://pixelprivacy.com/resources/two-factor-authentication/ 2FA is not foolproof because hackers can potentially access these authentication factors via malware, account recovery procedures, phishing attacks, [https://en.wikipedia.org/wiki/Man-in-the-browser browser vulnerabilities] and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]]. It is also possible to intercept text messages that are sent as part of a 2FA procedure. This is why MFA is more secure than 2FA -- more than two factors are required before account access is granted. == Digital Identity == Consider what would happen if: * you immediately lost access to your email address * a malicious third party had exclusive access to your email address while you did not These hypothetical scenarios reinforce that a digital identity is centered around the inviolability (security) of personal email addresses. For many purposes, it's a trust anchor. Malicious actors who control your email address also have major control over most of your digital life. As noted in the [[Basic_Security_Guide_Introduction#Hacked_Email_Account|Essential Security Guide Introduction]] chapter:
Just one breach of an online email service permits the theft of valuable personal data, account/contact harvesting, re-sale of retail accounts, spam and much more. An email account is a particularly weak link, since once under the attacker's control they can reset the password, along with the passwords of many linked services and accounts.Feasible consequences of an email breach include: https://www.rd.com/list/what-hackers-can-do-with-email-address/ https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ * Employment: forwarding of work documents and work email; access to Fedex, UPS, Salesforce or related accounts; employer/colleague details; a hack of the victim's employer; and sending a termination letter to an employer, employees, landlord, mobile carrier, banks etc. * Financial: access to bank accounts; reset of accounts for malicious transactions; financial accounts/loans made in the victim's name; email account ransom; personal credit score harm; changed billing arrangements; cyberheist lures; and blackmail/extortion opportunities against the owner of the hacked account. * Harvesting: all email and chat contacts; access to file hosting accounts; Google Docs, MS Drive, Dropbox and other accounts; software license keys; social security number and other information for identity theft; and password recovery requests to all social media and other accounts. Password recovery may not even be necessary because many Internet users tend to use the same passwords for multiple accounts. * Privacy: access to personal name and history; personal messages, calendar, photos, Google/Skype chats; call records (plus mobile account); your location (plus mobile/i-Tunes); names of friends and family members; the threat of real-world stalking; and potentially political views, travel and favorite places. * Spam: commercial email; phishing; malware proliferation; stranded abroad, email signature and Facebook/Twitter scams; and other malicious emails/messages requesting funds/cryptocurrency transfers to help "solve" non-existent scenarios. * Reputation: reputational harm due to uploading of indecent communications, photos, videos to social media/other websites; sending of inappropriate e-mails; and catfishing romantic partners. A catfish is someone masquerading as somebody else to create false identities, often to pursue deceptive online romances. * Retail Resale: Facebook, Twitter, Tumbler, Macys, Amazon, Walmart, i-Tunes, Skype, Bestbuy, Spotify, Hulu+, Netflix, Origin, Steam, Crossfire and other accounts. The multiple, serious consequences of an email breach emphasize the importance of properly configuring 2FA for both accounts and password managers to minimize the potential damage. It is also recommended to: * use strong and unique [[Passwords#Generating_Unbreakable_Passwords|passwords]] for all accounts * avoid the use of email accounts as a login for other accounts * limit information shared over email * avoid typing your email password on public WiFi networks = Common Misconceptions = '''Table:''' ''Common 2FA Misconceptions'' https://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/ https://web.archive.org/web/20201108134652/https://thecybersecurityplace.com/6-myths-about-two-factor-authentication/ https://www.stuff.co.nz/business/opinion-analysis/300221352/3-common-misconceptions-about-twofactor-authentication https://www.yubico.com/blog/internet-security-myth-busters-debunking-3-common-misconceptions-about-two-factor-authentication/ See also: [https://www.wwpass.com/pdf/docs/2FAsCostlyMisnomersAndMisconceptions.pdf 2FA’s costly misnomers and misconceptions]. https://kripeshadwani.com/best-2fa-apps/ {| class="wikitable" |- ! scope="col"| '''Misconception''' ! scope="col"| '''Description''' |- ! scope="row"| 2FA requires Google | Google authenticator is the most popular 2FA implementation, but not the only one -- Google software is not necessary to take advantage of 2FA. Many services link to and recommend Google authenticator, but any Time-based One-time Password (TOTP) implementation will work, see: [[#Software Choices|Software Choices]]. |- ! scope="row"| 2FA is a quick fix to protect against future breaches | Sites cannot simply "turn on" 2FA; deployment requires tokens to be issued or cryptographic keys embedded in other devices. If 2FA is deployed, many users will not have the means to log in, or if it is voluntary, some will not bother enabling this security feature. |- ! scope="row"| 2FA is invulnerable to most threats | 2FA does improve security but it is imperfect. For example: * 2FA technologies may prompt users to approve various transactions; inattentive users might approve an attacker's transactions without realizing. * Third-party authentication tokens rely upon the security of the issuer (who can be breached). * 2FA relying on text messaging (SMS) depends upon the security of the mobile provider; malware on a phone can intercept SMS messages and send them to an attacker. * Malware can still steal session tokens when 2FA is enabled, though depending on the service, attackers may not be able to achieve as much with session tokens when 2FA is enabled because sensitive actions will require reauthentication. |- ! scope="row"| 2FA always requires the use of a second device | Single device 2FA is possible, for example keying information with a smartphone application that prompts the user for something they know. This means a second device is not needed to receive one-time passwords. |- ! scope="row"| Most 2FA solutions are similar | This is incorrect. 2FA solutions can rely on hardware tokens that produce one-time passwords, emails, SMS messages, mobile applications with cryptographic secrets (like Google Authenticator, Defender Soft Token etc.), keying information stored in a user's browser, physical security keys (like a Nitrokey) and so on. |- ! scope="row"| 2FA is unnecessary; strong and unique passwords are sufficient | As noted in the introduction, this is demonstrably false. For example, phishing attacks, [https://en.wikipedia.org/wiki/Man-in-the-browser browser vulnerabilities] and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]] can lead to the recovery of passwords. 2FA is recommended for all accounts -- even your password manager -- for an extra layer of security. This way hackers need to overcome two barriers instead of one to access an account. |- ! scope="row"| All 2FA is equally strong | This is incorrect. For example, SMS and mobile authenticator applications are vulnerable to SIM swapping, mobile malware, phishing scams, and [[Warning#Man-in-the-middle_Attacks|Man-in-the-middle Attacks]]. On the other hand, Google researchers found that no users relying exclusively on physical security keys were victims of targeted phishing campaigns (since physical key access is required to log in). https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html Device-based challenges like SMS codes, security keys and on-device prompts were generally more effective against automated bots, bulk phishing attacks, and targeted phishing attacks. Less useful were knowledge-based challenges like a secondary email address, phone number, or last sign-in location. |- ! scope="row"| 2FA is complicated and time-consuming | The right 2FA solution for a user's security needs can be simple to use, and does not always involve using one-time passwords. For example, a physical security key may only require one touch or tap of the key to log in. |- ! scope="row"| 2FA requires an Internet connection | This is incorrect. For example the TOTP authentication mechanism does not require an Internet connection. |- ! scope="row"| TOTP and HMAC-based One-Time Passwords (HOTP) are identical | TOTP and HOTP are distinct: * TOTP codes are time-limited and generally remain active for 30 to 60 seconds. They become invalid if not used within that timeframe. Examples are Authy, Google Authenticator and others. * HOTP codes are event-based; codes remain active until a new code is requested. One example is the Nitrokey implementation. |- |} = 2FA Configuration and Options = Before configuring 2FA for online accounts, it is worth considering the most common methods in use by websites, the relative strengths and weaknesses of each implementation, and various configuration options. Depending on the website, more than one 2FA method may be available. 2FA may also be referred to as "login verification" (Twitter), "login approvals" (Facebook), "SafePass" (Bank of America), "2-step verification" (Google and others). Most popular websites provide 2FA -- the Electronic Frontier Foundation (EFF) provides detailed guides for the following services: https://www.eff.org/deeplinks/2016/12/12-days-2fa-how-enable-two-factor-authentication-your-online-accounts
WYSIWYS
)].
= Warnings =
== Threat Model ==
'''Table:''' ''2FA Threat Model''
{| class="wikitable"
|-
! scope="col"| '''2FA Protection Level'''
! scope="col"| '''Description'''
|-
! scope="row"| Full protection
| 2FA is effective when:
* A user email address is compromised due to either the email provider being hacked or a rogue employee. In this case the attacker could potentially impersonate the user, or use the password recovery option of external services such as other email services, financial services, (social media) accounts, and so on. However, the attacker would not have the necessary 2FA one-time passwords.
* Users fail victim to [[Social_Engineering|(spear) phishing]], for example when a login password (and maybe even the 2FA code) is sent by email to an attacker. By the time the attacker receives the message, the 2FA code will be either missing (if not sent by the user) or if lucky, may have already expired.
* Account logins are only protected by weak passwords, because 2FA acts to make login security stronger.
* [https://en.wikipedia.org/wiki/Shoulder_surfing_%28computer_security%29 Shoulder surfing] leads to disclosure of the password; the password in isolation does not allow logins.
|-
! scope="row"| Partial protection
| 2FA ''might'' work when:
* Password databases of third party services -- such as banks and cryptocurrency exchanges -- are compromised (because the 2FA database is not compromised by the attacker). In these cases there is still a probability of losing funds, but the risk is lower.
* An email provider is compromised -- such as a server compromise by an attacker or a rogue employee -- leads to unauthorized access to an email address, which is often enough to reset passwords. Depending on the third party service policies, changing 2FA credentials might not be easy. In these cases, an account compromise of the third party service might be preventable.
|-
! scope="row"| Ineffective protection
| 2FA is ineffective if:
* The user's device is already infected by [[Malware and Firmware Trojans|malware]]. In that case a trojan horse can simply take over the login session without the user's knowledge.
* Users are tricked into giving up OTP tokens via an [https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/ OTP Interception Service] OTP Agency customers would enter a target’s phone number and name, and then the service would initiate an automated phone call that alerts that person about unauthorized activity on their account. The call would prompt the target to enter an OTP token generated by their phone’s mobile app (“for authentication purposes”), and that code would then get relayed back to the bad guy customers’ panel at the OTP Agency website.or [https://www.schneier.com/blog/archives/2005/03/the_failure_of.html MITM] https://citizenlab.ca/2015/08/iran_two_factor_phishing/. |- |} == Security Issues == In general, 2FA increases the difficulty of being hacked and it is considered the best practice for keeping accounts and systems secure. Users with higher security needs can employ MFA -- three or more levels of authentication -- to further decrease the chances of a successful attack. As noted in the [[#Implementations|Implementations]] section, it is safest to rely on FIDO U2F / physical keys or if that is unavailable, authenticator applications / TOTP 2FA or push-based 2FA. All other methods are unrecommended. It is worth reiterating that SMS-based 2FA should be avoided due to the risk of [[Mobile_Phone_Security#SIM_Swapping_Attack|SIM Swap Scams]] and [https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber malicious SMS re-routing] as mentioned on the [[Mobile Phone Security]] wiki page. Although SMS and automated phone calls with one-time codes remain a popular 2FA method, there are many examples where hackers tricked mobile phone carriers into transferring somebody else's phone to their own; they then have access to authentication for that phone number. Another related risk is the rise of automated bots that call users and request MFA codes or one-time passwords to "prevent fraud" on various accounts. [https://www.vice.com/en/article/y3vz5k/booming-underground-market-bots-2fa-otp-paypal-amazon-bank-apple-venmo The Booming Underground Market for Bots That Steal Your 2FA Codes]:
But this call was actually from a hacker. The fraudster used a type of bot that drastically streamlines the process for hackers to trick victims into giving up their multi-factor authentication codes or one-time passwords (OTPs) for all sorts of services, letting them log in or authorize cash transfers. Various bots target Apple Pay, PayPal, Amazon, Coinbase, and a wide range of specific banks. Whereas fooling victims into handing over a login or verification code previously would often involve the hacker directly conversely with the victim, perhaps pretending to be the victim’s bank in a phone call, these increasingly traded bots dramatically lower the barrier of entry for bypassing multi-factor authentication.For example, in 2019 the Twitter CEO had his account hacked while using a 2FA method. Around the same time, over 23 million YouTube users utilizing 2FA were hacked because a reverse proxy toolkit was built to intercept 2FA SMS codes. Similarly, the Binance cryptocurrency exchange had their 2FA system compromised and lost tens of millions in the process. These hacks reinforce the risk of SIM-swaps for 2FA; hackers use various methods to change a victim's phone number so that subsequent messages or phone calls are redirected to a new phone. All in all, SMS and phone call-based 2FA systems have too many weaknesses to warrant its recommendation. Historically, other 2FA breaches have resulted from malware compromises. For example in 2020 an authenticator application in Android was discovered to be malware, stealing 2FA codes in the process. TrickBot malware is another example where one-time codes utilized by banking applications (sent via SMS/push notifications) have been intercepted. Finally, social engineering situations can emerge whereby hackers contact targets and pose as the bank or other service, requesting the security code that was just sent to "confirm their identity." == Anonymity Issues == Users risk possible de-anonymization if using the following applications on a non-torified device: * [https://authy.com/ Authy] requires an Internet connection. * [https://vip.symantec.com/ Symantec VIP] requires an Internet connection. * [https://safety.google/authentication/ Google Authenticator] did not use the Internet at the time of writing, but this might change with an (automatic) update. If anonymity is required, it is strongly recommended to only run 2FA software in non-networked or torified machines. = Practical 2FA Example = {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = A 2FA setup for Discourse and KeePassXC (an open-source password manager) is shown in the following example. 2FA implementations are possible for a wide range of other web services, SSH logins and more. }} {{Box|text= '''1.''' Navigate to Discourse preferences. [[File:2FA-discourse-prefernces.png|400px]] '''2.'''
Click on Security
→ Manage Two-Factor Authentication
[[File:2FA-discourse-security.png|400px]]
'''3.''' Enter your password
→ Click Continue
[[File:2FA-discourse-enterpassword.png|400px]]
'''4.''' Click on Add Authenticator
[[File:2FA-discourse-addauth.png|400px]]
'''5.''' Select Enter manually
→ Take a copy of the QR code
[[File:2FA-discourse-showcode.png|400px]]
'''6.''' Open KeePassXC
→ Right-click on the Discourse account
→ Select Time-based one-time password
→ Set up TOTP...
[[File:2FA-keepassxc.png|400px]]
'''7.''' Add the QR code in the empty Key field
→ Click OK
[[File:2FA-keepassxc-addkey.png|400px]]
'''8.''' Select Copy TOTP
; new keys are regenerated every 30 seconds.
[[File:2FA-keepassxc-copykey.png|400px]]
'''9.''' Add your username to My Authenticator
→ Add the generated TOTP to Code
→ Click Enable
[[File:2FA-discourse-addkey.png|400px]]
}}
Readers are welcome to add further practical examples of 2FA to this section.
= Debian Packages =
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-barada libpam-barada]: Pluggable authentication module (PAM) to provide two-factor authentication based on HMAC-Based One-time Password (HOTP).
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-google-authenticator libpam-google-authenticator]: The Google Authenticator project has implementations of one-time passcode generators for several mobile platforms, as well as a PAM. This supports both the HOTP and TOTP algorithms.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-blue libpam-blue]: PAM module for local authentication with bluetooth devices.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-oath libpam-oath]: Open AuTHentication (OATH) Toolkit libpam_oath PAM module. The OATH Toolkit has shared libraries, command line tools and a PAM module to enable easy building of one-time password authentication systems.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-otpw libpam-otpw]: OTPW for PAM authentication. OTPW is a one-time password system which protects against the password list being stolen and last digit attacks.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-p11 libpam-p11]: A PAM module for using PKCS#11 smart cards.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-poldi libpam-poldi]: A PAM module allowing authentication using a OpenPGP smartcard. This PAM module allows logins, screenlock and service validation using a GnuPG smartcard.
* [https://packages.debian.org/{{Stable project version based on Debian codename}}/libpam-fprintd libpam-fprintd]: A PAM module for fingerprint authentication through fprintd.
See also:
* [https://wiki.debian.org/SecurityManagement/fingerprint%20authentication Debian wiki: Fingerprint authentication]
* YubiKey:
** [https://www.qubes-os.org/doc/yubikey/ Qubes wiki: YubiKey]
** The [https://github.com/QubesOS/qubes-app-yubikey Qubes' YubiKey package] for configuring YubiKey login support could be ported to Debian.
= See Also =
* {{whonix_wiki
|wikipage=Phone_Number_Validation
|text=Phone Number Validation vs User Privacy
}}
* [[Mobile Phone Security]]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]