Registration/2FA/FAQ
Second Factor (2FA) FAQ
How does 2FA work?
2FA uses two out of multiple factors for authentication. Factors are:
- Something you know (password or PIN)
- Something you own (mobile phone or security device)
- Something you are (biometric features)
The principle idea is that even if an attacking party manages to get hold of one factor, it still has to acquire a second factor for a completely successful attack. Such a completely successful attack results in a theft of your identify, possibly leading to malicious acts committed on your behalf and to your disadvantage.
Why is 2FA necessary?
2FA is the current state-of-the-art method to prevent or mitigate cyber attacks. It is far superior to using a single shared secret (i.e. "password"), even if very strong passwords are used. 2FA mitigates fishing attempts, person-in-the-middle attacks and even cases where local computers (i.e. notebooks or workstations) have been stolen or compromised.
2FA is constantly replacing password-only authentication schemes in a networked world to improve cyber security and prevent identity theft.
Why is 2FA so resilient?
When computers become comprised, passwords and private keys can easily be recorded, copied and used for future attacks at any time from any place. Without a second factor, an attacking party cannot proceed autonomously without further involvement of the victim. As soon as a second factor is required, i.e. something you own or something you are, an attacking party lacks an element which it cannot provide or simulate. Furthermore, these second factors are securely contained in uncompromisable areas on the respective devices (e.g. phones or hardware security keys). For authentication, a challenge is issued that only the owner of the device can answer. The secret never leaves the secure area during this challenge.
I am using a password manager in conjunction with passwords that are individual per service, long and complex and thus impossible to guess. Isn't this good enough?
This is very good practice and in fact recommended for all systems that do not support 2FA yet. However, consider this: Your passwords need to be interpreted by the remote systems and are therefore available to the remote systems in clear text. If a remote system has been compromised, your password and thus your identity are compromised as well. And if an attacker has compromised your host, they can read or intercept the password, but not the second factor.
I am using SSH private keys and secure them with a passphrase. Isn't this good enough?
This is very good and in fact recommended for all systems reachable via SSH that do not support 2FA yet. However, consider this: Computers are vulnerable by remote attacks (a thoughtless wrong click can be sufficient) and local attacks (somebody manipulates your machine when left unattended).
In case you become the victim of a successful attack, your machine will be compromised and every action will be recorded and monitored without you knowing, possibly for a very long time.
2FA offers at least some mitigation in this case.
What happens if my local computer is compromised?
2FA does not prevent this from happening, but it offers mitigation. The services you use that are protected with 2FA are only partially compromised:
- An attacking party cannot use the compromised secret ("password") that it acquired from monitoring your local computer to gain remote access to the 2FA secured service. To initiate a remote session from the attacking parties' computers to the 2FA secured service, the second factor is required, which the attacking party does not have and cannot simulate, since it requires physical ownership of the respective security device.
- An attacking party cannot initiate a session from your compromised local computer to the remote computer without your active participation. The attacking party would have to present a second factor which requires a non-automatic action originating from the respective physical security device.
- ATTENTION: An attacking party can still monitor and possibly hijack connections from your compromised local computer to remote systems at the time these connections are actively initiated by you. However, exploitation is much more difficult than copying a simple shared password and needs to be adapted to the service which is attacked. For the attacking party, this bears at least a heightened risk of being discovered.
- Your passwords, passphrases and secret SSH keys are likely to have been compromised and therefore have to be exchanged after the attack becomes known to you. Your other factors have never left the external devices you keep them on and don't need to be changed. You have only answered cryptographic challenges with them, and these challenges and their corresponding answers cannot be predetermined by an attacker.
What happens if I loose my security hardware token?
An attacking party would need to combine a found or stolen second factor (e.g. phone or security key) with a software attack, i.e. infecting your local computer, to get hold of the secret you know (i.e. PIN or password) to access services secured by 2FA. Nevertheless, you should remove old or lost second factors and replace them with new ones.
What happens if I loose my phone?
Modern phones are protected by biometric measures. The biometric secrets are kept in a secure enclave on the device and cannot be extracted once registered. Neither an attacking party nor you nor the manufacturer can extract the secret data after the initial transfer. It is only ever used inside the secure area on the device to answer cryptographic challenges. In case you don't trust the manufacturers to keep your biometric data safe, you can use a PIN as an alternative. However, you still have to accept a certain level of trust towards the phone manufacturer. This is unavoidable unless you have the means to provide the complete chain of security yourself.
To avoid losing your access, some apps allow secure backups of your secondary factors, but to be safe you should register more than one second factor including backup TANs.
Whats happens if I loose all secondary factors?
There are recovery procedures which vary by service. A common method are recovery codes (backup TANs), which you can print out and deposit in a safe location. Recovery codes work like master keys, so they must never be kept on the same device which is used to access the 2FA protected service. If all else fails, most services will grant you access again after a thorough identity verification.