Authentication - what it is and why two-factor authentication is now widely used. Two-factor authentication (Yandex). How to disable two-factor authentication

To understand what two-factor authentication is and how it is usually implemented, you first need to know what authentication is in general. Put simply, authentication is the process by which a user proves that they are exactly who they claim to be.

For example, when you log in to the system, you enter your username and your password and thereby prove that you know the secret key, which means you confirm that you are you and not a stranger. In this case, knowing the password is the so-called “authentication factor”.

But the password can be very simple, and an attacker can easily guess it, or it can simply be on a piece of paper under the keyboard (which, of course, is wrong). Entering the password will allow the attacker to prove to the system that he knows the password, and therefore has the right to use this system.

Therefore, in order to protect the system from such situations, it is customary to use two authentication factors simultaneously: for example, a password and a smart card. In this case, the second authentication factor will be the fact of possessing a smart card. The system will check your password and smart card, and if everything is correct, it will let you into the system.

Two-factor authentication and electronic digital signature

Quite often, two-factor authentication is used for electronic signatures. A digital signature on a document is usually treated like a handwritten signature on a paper document, so it is very important that attackers cannot place your electronic signature in your stead.

Most often, to secure your electronic signature, it (more precisely, the electronic signature certificate) is written onto a token. A token is a special device that is often used to store electronic signature certificates. Your electronic signature on the token is password protected, so even if the token is stolen, attackers will not be able to use it. In this case, the first authentication factor is the fact of owning the token, and the second is knowledge of the password that unlocks the electronic signature on the token.

To store electronic signature certificates, we recommend the following token models:

Two-factor authentication for login

Often, organizations store very important data on their computers, data that may constitute a trade secret and that competitors and other attackers may well go after. Using regular passwords is not enough to guarantee the security of this information.

In order to protect data on the computers of your employees, two authentication approaches are used:

  • protect the login process

As part of this approach, a software product is installed on the computer, which begins to require a token when logging in, and also ensures that the token is inserted at all times. If you remove the token, the computer will immediately lock.

This method is good to use where the premises are protected and no one can physically steal the computer or its hard drive.

  • protect all data on your computer

There is also a way to encrypt all data on a computer and, when the computer boots, require the user to enter a password and insert a token. If the password is incorrect or the token is incorrect, then the data simply will not be decrypted, and even if stolen, the attacker will not be able to use the information from the computer.

Hello, dear readers of the blog site. I would like to continue the topic of interpreting in simple words common terms that can be found everywhere in our computer age. A little earlier we already, as well as about and about.

Today it is the turn of authentication. What does this word mean? Is this concept different from authorization or identification? What authentication methods are there, how secure are they, why can errors occur, and why is two-factor authentication better than one-factor authentication?

Interesting? Then let's continue, and I will try not to disappoint you.

What is authentication?

In fact, this is a procedure that is well known not only to us (modern residents), but also to our distant ancestors (almost from time immemorial).

To put it briefly, authentication is the process of verifying authenticity. And it does not matter in what way (there are at least several types). The simplest example: you enter your apartment using a key to open the lock. If the door opens, it means you have successfully passed authentication.

Let's break it down in this example:

  1. The key to the lock is your identifier (inserted and turned - you are identified). In the computer world, this is analogous to telling the system your identifier (login).
  2. The process of opening (key and lock matching) is authentication. In the computer world, this is analogous to going through the authentication stage (verifying the entered password).
  3. Opening the door and entering the apartment is already authorization (gaining access). Online is an entrance to a site, service, program or application.

As you probably already understood, two-factor authentication in this example would correspond to the presence of a second lock on the door (or the presence of a dog in the house, which carries out its own authentication based on biometric signs: smell, appearance, presence of treats in your pocket).

One more example. Stamp on a document (in a passport, wax seal on old letters).

As you can see, everything is extremely simple. But today this term is most often understood as electronic authentication, i.e. the process of logging into websites, services, systems, programs, and even connecting to your home WiFi network. But in essence, there are few differences from the example given.

In the electronic version, you will also have an identifier (in the simplest case) and a password (analogous to a lock) necessary for authentication (login to the system, gaining access to the Internet, logging into an online service, etc.).

As I said above, there are several types of authenticators:

As you can see, there is no ideal. Therefore, so-called two-factor (two-step) authentication is often used to enhance security. Let's look at an example.

Two-factor (2FA - two-step) authentication

For example, in and other services related to access to money, two-factor authentication comes down to the following:


What does this give? It significantly improves security and reduces the risk of fraudsters authenticating as you. The point is that intercepting a one-time password is much harder than finding out a reusable password. In addition, gaining access to a mobile phone (or even just finding out its number) is much harder than rummaging through your computer or email.

But this is just one of examples of two-factor authentication (2FA). Let's take the bank cards already mentioned above. Here, too, two stages are used - authentication using the device (identification code on the card) and by entering a personal password (PIN code).

Another example from movies: first an access code is entered, and then the retina or fingerprint is checked. In theory, you can do three stages, or four, or five. Everything is determined by the balance between heightened paranoia and a reasonable number of checks, which in some cases have to be done quite often.

In most cases, combining two factors is enough and does not cause very great inconvenience with frequent use.

Authentication errors

When using any of the types of authenticators mentioned above (passwords, devices, and biometrics), errors may occur. Where do they come from and how can they be avoided and resolved? Let's look at an example.

Let's say that you want to connect a computer or smartphone to the wireless network you have in your apartment. To do this, you will be required to enter the network name (identifier) and access password (authenticator). If everything is entered correctly, you will be authorized and you will have access to the Internet from the connected device.

But sometimes an authentication error message may be displayed. What should you do in this case?

  1. Well, first of all, check that the data you are entering is correct. Often the password is masked with asterisks as you type, which makes it difficult to understand the cause of the error.
  2. Passwords with characters in different cases (capital and small letters) are often used, which not everyone takes into account when typing.
  3. Sometimes the error may be caused by a two-factor authentication system that is not entirely obvious. For example, the router may have access blocking enabled. In this case, the system checks not only whether the username and password are entered correctly, but also whether the MAC address of the device you are logging in from matches the list of allowed addresses. In this case, you will have to go into the router settings (via a browser from a computer connected over LAN) and add the address of this device in the wireless network security settings.

Biometric systems can also produce recognition errors due to their imperfections or due to changes in your biometric data (hoarseness, swelling, puffy eyes, a cut finger). The same can happen with apps used for two-factor authentication. It is for such cases that a system of backup access codes exists. Essentially, these are one-time passwords that need to be printed and stored in a desk drawer (or a safe).

If you cannot authenticate using the usual method (an error is displayed), backup codes will let you log in. For the next login you will need to use a new backup code. But this lifesaver has a flip side: if these backup codes are stolen or tricked out of you (as happened to me), they work as a master key and all protection goes to waste.

Good luck to you! See you soon on the pages of the blog site


Currently, one of the most discussed and highlighted topics in the field of ensuring maximum protection is two-factor protection. Due to the growing number of services and attacks on user accounts, we must take a closer look at what it is, how it works, and why it is worth using this type of protection.

What is two-factor protection?

Two-factor protection is a login method in which a service requests two different types of authentication. This two-layer protection provides a more secure login and makes it more difficult for third parties to intercept your data. In practice, it looks like this: the first step is your login and password; the second step is a special code that arrives on your mobile phone or by email (special USB keys or biometric data are used less often). In simple words: to get in somewhere, you need to confirm that you are making an authorized login to the system. Do you know how a bank vault with individual safes works, where you hold one key and a bank employee holds the other? It is the same here: one key is in your memory, the second arrives on your phone or by mail.

However, two-factor protection is not a panacea against hacking, but it greatly complicates the task of attackers who want to gain access to your account, and it also eliminates the shortcomings of the classical protection scheme. Logging in with a login and password creates the following paradox: the longer and more complex the password, the harder it is to guess, but also the harder it is to remember; the simpler and more trivial the password, the easier it is to crack; moreover, the overwhelming majority of users set the same passwords for authentication in various services. With two-factor protection, even if an attacker guesses, finds out, or steals your password, he will also have to steal your cell phone or gain access to your mailbox (which, by the way, can also be protected by two-factor authentication).

Although modern man has tried to replace the entrenched password authentication system with something more interesting and reliable, because of its simplicity he has not been able to completely abandon the paradigm familiar to everyone. And examining the different options, we must agree that in our time two-factor protection provides the highest level of protection. Another advantage is that if someone attempts an unauthorized login to the system, you will receive a notification, and if at that moment you were not trying to log into your account, then it is time to think about the reliability of your old password and the presence of malware on your personal computer.

Where and in what cases should two-step protection be enabled?

How many logins and passwords for various accounts and mailboxes are publicly available? How many candid, personal photographs of famous personalities have made it to public view? Even such a simple example shows how unreliable the method of one, permanent password is.

If the service you are using contains important personal data and offers you two-layer protection, enable it without hesitation. However, if it is some kind of file hosting service or forum, I would hardly complicate things. But for social networks, online banking, mailboxes or similar services, definitely yes. Have you noticed that leading banks even use a three-factor level of protection? Namely: a permanent password, a temporary password (on a cell phone), and a confirmation call. After all, such institutions suffer the greatest losses from illegal penetration of the service.

By the way, if you have your own website and the ability to enable two-factor protection on it, try to use it. After all, as was said earlier: if you value your account and its contents, then strengthening the protection is a beneficial decision for everyone.

What types of two-step protection are there?

As mentioned earlier, self-respecting Internet resources and VPN networks use enhanced protection methods such as a code via SMS or call to a mobile phone, letters to the mailbox, USB keys and smart cards. Besides them, there are also methods such as a code generator (a key fob with buttons and a small screen), SecurID technology and other specific methods that are used mainly in the corporate sector. Older security methods are also still relevant, such as TAN passwords (Transaction Authentication Number). Most likely, you have dealt with this method when, using Internet banking, you were given a piece of paper with pre-generated one-time passwords. By the way, even the least progressive banks use two-factor protection: to enter the service you use a card (first key) and a password that you keep in your head (second key).

Let's look at authentication methods that are even more unusual for us: scanning fingerprints, the iris, and there are even those guided by the "pattern" of the heartbeat. Although we do not encounter such methods in everyday life, they are still relevant and necessary in very serious institutions. Electromagnetic tattoos are even being tested, which, following the example of radio chips, can serve as an element of two-factor protection. We hope that not much time will pass from idea to implementation. Personally, I wouldn't mind doing this.

Apple ID two-factor authentication is a new security technology for your account, ensuring that only the owner can access it. Moreover, even if someone else knows the password characters for the account, he will still not be able to log in to the system instead of the legal owner of the ID.

The use of this technology provides access to your account exclusively from trusted devices - iPhone, tablet or MacBook. When logging in for the first time on a new gadget, you will need to specify two types of data - password characters and a verification code in a 6-digit format. Code symbols are automatically updated on these devices. After entering it, the new gadget will be considered trusted. Let’s say, if you have an iPhone, when you first log in to your account on a newly purchased MacBook, you will need to enter the password characters and a verification code, which will automatically pop up on the iPhone’s display.

Since the password alone is not enough to access the account and other types of verification are also used, the security of the Apple ID is significantly increased.

After logging in, the code will no longer be requested on this device until you log out and all information on the gadget is erased or the password characters need to be changed (also for security purposes). If you log in via the network, you can make the browser trusted and the next time you work with the same device you won’t need to enter the code.

Proven gadgets: what are they?

This cannot be just any Apple device: only iPhones and iPads with iOS 9 or newer, and MacBooks with OS X El Capitan or more recent. The user must be signed in on these devices using 2-factor verification.

In short, this is a device about which Apple knows for sure who it belongs to, and through which you can verify your identity by showing a confirmation code when logging in from another gadget or browser.

Verified phone numbers

These are the ones that can be used to receive confirmation codes via text messages or calls. You must confirm at least one number to access 2-factor identification.

You can also confirm other numbers - home, or friend/relative. When there is temporarily no access to the main one, you can use them.

Setting rules

If the device has OS version 10.3 or later, the sequence of actions is as follows:

  • Go to the settings section, to the password and security item.
  • Click on the section to enable 2-factor identification.
  • Click on the continue option.

If the gadget has OS 10.2 or earlier, the steps will be as follows:

  • Go to iCloud settings.
  • Select your ID and go to the Password & Security section.
  • Click on the option to enable 2-factor authentication.
  • Click on the continue option.



How to disable two-factor authentication in Apple ID?

Many people are wondering if this technology can be turned off. Of course yes. But remember that after switching off, the account will be weakly protected - only with password symbols and questions.

To disable it, go to the Edit section of your account page (in the Security tab). Then click on the section to turn off two-factor identification. After setting new security questions and confirming your date of birth, the technology is deactivated.

If someone reactivates it for an ID without the knowledge of the rightful owner, it will be possible to disable it via e-mail. Next, as before, you need to click on the disable authentication section at the very bottom of the message that you received earlier by e-mail. The link will be active for another two weeks. Clicking on it will allow you to restore your previous ID security settings and control over your account.

Rarely does a post on the Yandex blog, especially one related to security, go without a mention of two-factor authentication. We have been thinking for a long time about how to properly strengthen the protection of user accounts, in such a way that it can be used without all the inconveniences of the most common implementations today. And they, alas, are inconvenient. According to some data, on many large sites the percentage of users who have enabled additional authentication means does not exceed 0.1%.

It seems that this is because the common two-factor authentication scheme is too complex and inconvenient. We tried to come up with a method that would be more convenient without losing the level of protection, and today we present its beta version.

We hope it becomes more widespread. For our part, we are ready to work on its improvement and subsequent standardization.

After enabling two-factor authentication in Passport, you will need to install the Yandex.Key application in the App Store or Google Play. QR codes have appeared in the authorization form on the Yandex main page, in Mail and Passport. To log into your account, you need to read the QR code through the application - and that’s it. If the QR code cannot be read, for example, the smartphone camera does not work or there is no access to the Internet, the application will create a one-time password that will be valid for only 30 seconds.

I'll tell you why we decided not to use such “standard” mechanisms as RFC 6238 or RFC 4226. How do common two-factor authentication schemes work? They are two-stage. The first stage is normal authentication with a login and password. If it is successful, the site checks whether it “likes” this user session or not. And, if you don’t like it, it asks the user to “re-authenticate.” There are two common methods of “pre-authentication”: sending an SMS to the phone number associated with the account and generating a second password on the smartphone. Basically, TOTP according to RFC 6238 is used to generate the second password. If the user entered the second password correctly, the session is considered fully authenticated, and if not, then the session loses the “pre-authentication” as well.

Both methods, sending an SMS and generating a password, are proof of possessing the phone and are therefore an ownership factor. The password entered at the first stage is the knowledge factor. Therefore, this authentication scheme is not only two-step but also two-factor.

What seemed problematic to us in this scheme?

Let's start with the fact that the average user's computer cannot always be called a model of security: disabled Windows updates, a pirated copy of an antivirus without current signatures, and software of dubious origin all lower the level of protection. According to our assessment, compromising a user's computer is the most widespread method of hijacking accounts (and recently there was yet another confirmation of this), and this is what we want to protect against first of all. In the case of two-factor authentication, if you assume that the user's computer is compromised, entering a password on it compromises the password itself, which is the first factor. This means that the attacker only needs to find the second factor. In common implementations of RFC 6238, the second factor is 6 decimal digits (and the maximum allowed by the specification is 8 digits). According to the brute-force calculator for OTP, in three days an attacker is able to find the second factor if he has somehow learned the first. It is not clear how the service can counter this attack without disrupting the user's normal experience. The only possible proof of work is a captcha, which in our opinion is a last resort.

The second problem is the opacity of the service's judgment about the quality of the user session and of the decision on whether "pre-authentication" is needed. Even worse, the service is not interested in making this process transparent, because security by obscurity actually works here. If an attacker knows on what basis the service decides that a session is legitimate, he can try to forge that data. As a general rule, one can conclude that the judgment is made from the user's authentication history, taking into account the IP address (and its derivatives: the autonomous system number identifying the provider, and the location from the geo database) and browser data, for example the User-Agent header and the set of cookies, Flash LSO and HTML local storage. This means that if an attacker controls the user's computer, he can not only steal all the necessary data but also use the victim's IP address. Moreover, if the decision is based on the ASN, then any authentication from public Wi-Fi in a coffee shop can "poison" (from the security point of view; "whitelist", from the service's point of view) that coffee shop's provider and, for example, whitelist all the coffee shops in the city. We have talked about how an anomaly detection system works, and it could be used here, but the time between the first and second stages of authentication may not be enough to judge an anomaly with confidence. Moreover, the same argument destroys the idea of "trusted" computers: an attacker can steal any information that influences the trust judgment.

Finally, two-step authentication is simply inconvenient: our usability research shows that nothing irritates users more than an intermediary screen, additional button clicks and other “unimportant” actions from their point of view.
Based on this, we decided that authentication should be one-step and the password space should be much larger than is possible within the framework of “pure” RFC 6238.
At the same time, we wanted to preserve two-factor authentication as much as possible.

Multifactor authentication is defined by assigning authentication elements (actually, they are called factors) to one of three categories:

  1. Knowledge factors (these are traditional passwords, PIN codes and everything that looks like them);
  2. Ownership factors (in OTP schemes used, this is usually a smartphone, but can also be a hardware token);
  3. Biometric factors (fingerprint is the most common now, although someone will remember the episode with Wesley Snipes’ character in the film Demolition Man).

Development of our system

When we started working on the problem of two-factor authentication (the first pages of the corporate wiki on this issue date back to 2012, but it was discussed behind the scenes before), the first idea was to take standard authentication methods and apply them to us. We understood that we couldn’t count on millions of our users to buy a hardware token, so we postponed this option for some exotic cases (although we are not completely abandoning it, perhaps we will be able to come up with something interesting). The SMS method also could not be widespread: it is a very unreliable delivery method (at the most crucial moment, the SMS may be delayed or not arrive at all), and sending SMS costs money (and operators have begun to increase their price). We decided that the use of SMS is for banks and other low-tech companies, and we want to offer our users something more convenient. In general, the choice was small: use the smartphone and the program in it as the second factor.

This form of one-step authentication is widespread: the user remembers the PIN code (the first factor), and has a hardware or software (in a smartphone) token that generates an OTP (the second factor). In the password entry field, he enters the PIN code and the current OTP value.

In our opinion, the main disadvantage of this scheme is the same as that of two-step authentication: if we assume that the user’s desktop is compromised, then entering the PIN code once will lead to its disclosure and the attacker can only find the second factor.

We decided to go a different route: the entire password is generated from the secret, but only part of the secret is stored in the smartphone, and part is entered by the user each time the password is generated. Thus, the smartphone itself is a factor of ownership, and the password remains in the user’s head and is a factor of knowledge.

The Nonce can be either a counter or the current time. We decided to choose the current time, this allows us not to be afraid of desynchronization in case someone generates too many passwords and increases the counter.

So, we have a program for a smartphone where the user enters his part of the secret; it is mixed with the stored part, and the result is used as an HMAC key, which signs the current time rounded to 30 seconds. The HMAC output is converted to readable form, and voila, here is the one-time password!

As stated earlier, RFC 4226 specifies that the HMAC result be truncated to at most 8 decimal digits. We decided that a password of this size is not suitable for one-step authentication and should be increased. At the same time, we wanted to maintain ease of use (remember, we want to make a system that ordinary people will use, not just security geeks), so as a compromise in the current version of the system we chose to truncate the result to 8 characters of the Latin alphabet. It seems that 26^8 passwords valid for 30 seconds are quite acceptable, but if the security margin does not suit us (or valuable tips on how to improve this scheme appear on Habr), we will expand, for example, to 10 characters.

Learn more about the strength of such passwords

In fact, for case-insensitive Latin letters the number of options per character is 26; for upper- and lower-case Latin letters plus digits it is 26+26+10=62. Then $\log_{62}(26^{10}) \approx 7.9$, that is, a password of 10 random lower-case Latin letters is almost as strong as a password of 8 random characters drawn from upper- and lower-case letters and digits. This is definitely enough for 30 seconds. For an 8-character password made of Latin letters, the strength is $\log_{62}(26^{8}) \approx 6.3$, that is, slightly more than a 6-character password of upper-case letters, lower-case letters and digits. We think this is still acceptable for a 30-second window.
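The generation and verification steps described above, together with the strength figures, as an added illustration that is not Yandex.Key's code: the post does not say how the two halves of the secret are mixed, which HMAC hash is used, or how the digest becomes letters, so HMAC-SHA256 for both steps and a base-26 encoding of the digest are assumptions, and the sample secrets are constructed.

```python
import hashlib
import hmac
import math
import string

STEP_SECONDS = 30                   # time step from the post
OTP_LENGTH = 8                      # 8 Latin letters, as chosen in the post
ALPHABET = string.ascii_lowercase   # 26 case-insensitive letters

# Constructed sample secrets (not real keys): the half kept in the phone app
# and the half the user types each time a password is generated.
DEVICE_PART = bytes.fromhex("00112233445566778899aabbccddeeff")
USER_PART = "1234"


def mix_secret(device_part: bytes, user_part: str) -> bytes:
    """Combine the stored half with the typed half into the HMAC key.
    Assumed construction: HMAC-SHA256 keyed by the device part over the PIN,
    so neither half alone is the key and the PIN never leaves the phone."""
    return hmac.new(device_part, user_part.encode(), hashlib.sha256).digest()


def otp_for_counter(key: bytes, counter: int) -> str:
    """HMAC the 30-second counter and encode the digest as 8 Latin letters.
    Assumption: the digest is read as a big integer and written in base 26;
    the post only says the HMAC output is 'converted to readable form'."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(digest, "big")
    letters = []
    for _ in range(OTP_LENGTH):
        value, idx = divmod(value, len(ALPHABET))
        letters.append(ALPHABET[idx])
    return "".join(letters)


def generate_otp(device_part: bytes, user_part: str, now: int) -> str:
    """Phone side: mix the halves, then sign floor(now / 30)."""
    key = mix_secret(device_part, user_part)
    return otp_for_counter(key, now // STEP_SECONDS)


def verify_otp(key: bytes, candidate: str, now: int, skew_steps: int = 1) -> bool:
    """Server side: the server holds only the mixed key (registered once at
    enrolment, an assumption), never the PIN. It accepts +-skew_steps of
    clock drift and compares in constant time so timing leaks nothing."""
    counter = now // STEP_SECONDS
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = otp_for_counter(key, counter + delta)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def strength_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random OTP: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, length: int, target_alphabet: int) -> float:
    """Length of an equally strong password over another alphabet, i.e.
    log_target(alphabet ** length): the post's 7.9 and 6.3 figures."""
    return strength_bits(alphabet_size, length) / math.log2(target_alphabet)


if __name__ == "__main__":
    now = 1_700_000_000                     # constructed timestamp
    otp = generate_otp(DEVICE_PART, USER_PART, now)
    server_key = mix_secret(DEVICE_PART, USER_PART)
    print("one-time password:", otp)
    print("accepted now:", verify_otp(server_key, otp, now))
    print("accepted 3 steps later:", verify_otp(server_key, otp, now + 90))
    print("8 letters: %.1f bits vs 6 digits: %.1f bits"
          % (strength_bits(26, 8), strength_bits(10, 6)))
    print("8 letters ~ %.1f chars of [A-Za-z0-9]" % equivalent_length(26, 8, 62))
```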

Magic, passwordlessness, applications and next steps

In general, we could have stopped there, but we wanted to make the system even more convenient. When a person has a smartphone in his hand, he doesn’t want to enter the password from the keyboard!

That's why we started working on the “magic login”. With this authentication method, the user launches the application on their smartphone, enters their PIN code into it and scans the QR code on their computer screen. If the PIN code is entered correctly, the page in the browser is reloaded and the user is authenticated. Magic!

How does it work?

The session number is embedded in the QR code, and when the application scans it, this number is transmitted to the server along with the password and username generated in the usual way. This is not difficult, because the smartphone is almost always online. In the layout of the page showing the QR code, JavaScript is running, waiting for a response from the server to check the password for this session. If the server responds that the password is correct, session cookies are set along with the response and the user is considered authenticated.
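The server side of the "magic login" exchange above, as an added model that is not Yandex's code: the session number minted for the QR code, the phone's confirmation carrying username and one-time password, and the browser's polling. The 120-second lifetime of a displayed QR code and the injected `verify_otp` callback (standing in for the password check) are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 120  # seconds a displayed QR code stays valid (assumption)


@dataclass
class QrSession:
    created: float
    username: Optional[str] = None
    confirmed: bool = False
    cookie: Optional[str] = None


class MagicLoginServer:
    """Server-side state for the QR login. verify_otp(username, password)
    is the usual password check and is injected so this block stands alone."""

    def __init__(self, verify_otp: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._verify = verify_otp
        self._clock = clock
        self._sessions: Dict[str, QrSession] = {}

    def new_qr_session(self) -> str:
        """Browser loads the login page: mint an unguessable session number
        that is embedded in the QR code."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = QrSession(created=self._clock())
        return sid

    def _live(self, sid: str) -> Optional[QrSession]:
        """Look up a session, dropping it if it has expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session.created > SESSION_TTL:
            del self._sessions[sid]
            return None
        return session

    def confirm_from_phone(self, sid: str, username: str, otp: str) -> bool:
        """The app scanned the QR code and posts the session number with the
        username and the password it generated. Unknown or expired sessions,
        sessions already confirmed (a replayed QR payload) and wrong
        passwords are all rejected."""
        session = self._live(sid)
        if session is None or session.confirmed:
            return False
        if not self._verify(username, otp):
            return False
        session.username = username
        session.confirmed = True
        session.cookie = secrets.token_urlsafe(32)
        return True

    def poll_from_browser(self, sid: str) -> Optional[str]:
        """The page's JavaScript polls for this session. Once the phone has
        confirmed it, the session cookie is handed out exactly once and the
        QR session is discarded."""
        session = self._live(sid)
        if session is None or not session.confirmed:
            return None
        del self._sessions[sid]
        return session.cookie


if __name__ == "__main__":
    def demo_verifier(user: str, otp: str) -> bool:
        # Constructed stand-in for the OTP check: one user, one valid password.
        return (user, otp) == ("alice", "kqzmwpla")

    server = MagicLoginServer(demo_verifier)
    sid = server.new_qr_session()            # this value goes into the QR code
    print("browser poll before scan:", server.poll_from_browser(sid))
    print("phone confirms:", server.confirm_from_phone(sid, "alice", "kqzmwpla"))
    print("browser poll after scan:", server.poll_from_browser(sid))
    print("second poll:", server.poll_from_browser(sid))
```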

It got better, but we decided not to stop here either. Starting with the iPhone 5S, Apple phones and tablets introduced the TouchID fingerprint scanner, and in iOS version 8, third-party applications can also use it. In reality, the application does not gain access to the fingerprint, but if the fingerprint is correct, then the additional Keychain section becomes available to the application. We took advantage of this. The second part of the secret is placed in the TouchID-protected Keychain record, the one that the user entered from the keyboard in the previous scenario. When unlocking the Keychain, the two parts of the secret are mixed, and then the process works as described above.

But it has become incredibly convenient for the user: he opens the application, places his finger, scans the QR code on the screen and finds himself authenticated in the browser on his computer! So we replaced the knowledge factor with a biometric one and, from the user’s point of view, completely abandoned passwords. We are sure that ordinary people will find this scheme much more convenient than manually entering two passwords.

It is debatable whether this is technically two-factor authentication, but in reality you still need to possess the phone and present the correct fingerprint to complete it, so we believe we have been quite successful in eliminating the knowledge factor and replacing it with biometrics. We understand that we rely on the security of the ARM TrustZone that underlies the iOS Secure Enclave, and we believe that this subsystem can currently be considered trusted within our threat model. Of course, we are aware of the problems with biometric authentication: a fingerprint is not a password and cannot be replaced if compromised. But, on the other hand, everyone knows that security is inversely proportional to convenience, and the user himself has the right to choose the ratio between the two that is acceptable to him.

Let me remind you that this is still a beta. Now, when two-factor authentication is enabled, we temporarily disable password synchronization in Yandex Browser. This is due to the way the password database is encrypted. We are already coming up with a convenient way to authenticate the Browser in the case of 2FA. All other Yandex functionality works as before.

This is what we got. It seems to have turned out well, but you be the judge. We will be glad to hear your feedback and recommendations, and we will continue to work on improving the security of our services: along with CSP, encryption of mail transport and everything else, we now have two-factor authentication. Do not forget that authentication services and OTP generation applications are critical, and therefore a double bonus is paid for errors found in them as part of the Bug Bounty program.
