Apple two-factor authentication: features, principle of protection, disabling. Two-factor authentication that's easy to use

In other words, two-factor authentication is a second key to your account. If you activate this option, for example, in Evernote (it offers one), then an attacker who has managed to guess the password for this note-taking service will face another problem: the requirement to enter a one-time code sent to your phone number. It is worth noting that if an attempt is made to break into your account, you will receive an SMS and will be able to change your password immediately.

You will agree that this is a very convenient option that lets you worry less about losing personal information.

Where is the best place to use it?

Of course, some users may object, arguing that two-step authentication involves too many “unnecessary steps” and is, in general, intended for paranoid people who always think someone is watching them.

Perhaps they are right in some ways. For example, for social networks it is not at all necessary to use this method of protection. Although one could argue about that too. As a rule, attackers try to break into the accounts of administrators of popular “public pages”. And you, most likely, would also not want to discover one day that your account on one of the “social networks” has been hacked and thoroughly indecent photos have been posted on your “wall”.

As for other services, for example, Yandex two-factor authentication will allow you to safely store your registration data for payment systems (PayPal, WebMoney and others) or letters containing confidential information.

Google Account Protection

One of the most popular services today is Google. Here you can register an email account, store documents on Google Drive, and create a blog or a YouTube channel for free, which may later bring you a profit.

So that users can be confident in the safety of the documents stored in their mail or on their disk, Google offers them two-factor authentication. To activate it, you must log into your account.

Now, having opened, for example, your mailbox, pay attention to the avatar in the upper right corner. Click on it and go to “My Account”. Here you need the “Security and Login” section, namely the “Sign in to Google Account” link.

On the right you will see the “Two-Step Verification” option, where you need to click the arrow to activate it. A window will open in which you are interested in the “Proceed with setup” button. Enter your password and follow further instructions.

Two-factor authentication in Yandex

Yandex also offers its users quite a lot of useful services. In addition to cloud storage on Yandex.Disk, you can get yourself an electronic wallet to which you can withdraw the money you earn on the Internet.

And, of course, Yandex has not stood aside either: it also offers its users two-factor authentication to protect the documents stored in their mailbox.

To enable it, you will need to follow a few simple steps. Log in to your account and left-click your profile photo (top right corner). Select “Passport” from the drop-down menu. A window will open in which you need to click the “Access Control” link. Set the “slider” to the “ON” position. You will be redirected to a page where you need to click the “Start setup” button. Now go through the 4 steps to activate two-factor protection.

The VKontakte social network

As mentioned above, attackers usually try to gain access to the accounts of the “admins” of popular groups. But this is not always the case: the private correspondence of someone well known on the Internet may be of interest in itself.

It is worth noting that for some users this method of protecting an account starts to cause irritation over time, since it requires constantly entering a secret code in addition to the login and password. In such cases you need to know how to disable two-factor authentication. But first we will deal with activating this option.

In fact, enabling two-step verification is very simple. Select “My Settings” and then go to the “Security” tab. In the “Login Confirmation” section, click the “Connect” button. Now follow all the requirements one by one.

Disable two-factor authentication

To deactivate two-step protection in Yandex, go back to your “Passport” by clicking your avatar. After that, open the “Access Control” section and set the slider to the “Off” position.

Conclusion

Now you know what two-factor authentication is and why it is needed. When using a particular service, you can activate this additional protection or decline this feature.

Of course, in some cases it is highly recommended to enable two-step verification. For example, when registering on WebMoney you specified your Yandex email address. While working on the Internet you can become a victim of hackers who break into your mailbox and gain access to your electronic wallet. To prevent this, it is better to set a strong password and link your e-mail to your phone. This way you can react quickly if someone tries to hack you.

Two-factor authentication provides an increased level of security compared to a traditional password. Even a complex and effective password can be vulnerable to viruses, keyloggers and phishing attacks.

You can enable two-factor authentication on the Yandex account management page. To set up Yandex.Key access, you will need an Android or iOS mobile device.

After enabling two-factor authentication:

  • Instead of using a standard password to access Yandex services and applications, you will need to enter a one-time password (for example, to log into your account or change your phone number). When using a QR code, you do not have to enter your login or passwords to log into your Yandex account.
  • For third-party mobile applications, computer programs, and email clients, you will need to use separate application passwords.
  • The recovery page for your Yandex account will be changed.

To enable two-factor authentication, click the “Set up two-factor authentication” link on the “Personal Information” page in the “Access Management” section and follow several steps:

1. Confirm your phone number.

If your phone number is already linked to your account, confirm or change it. If no phone number is specified, you need to add one; otherwise you will not be able to restore access to your account.

To link a new number or verify a phone number, request a code and then enter it in the appropriate field. Then click the “Confirm” button and go to the next step.

2. Create a PIN.

Create a 4-digit PIN and enter it for two-factor authentication.

Important: you must not share your PIN with others. The PIN cannot be changed. If you forget your PIN, the Yandex.Key application will not be able to generate one-time passwords; you will only be able to restore access to your account with the help of a technical support specialist.

After entering the PIN code, click the “Create” button.

The Yandex.Key application is required to generate one-time passwords for your account. You can send yourself a link to install the app directly from the two-factor authentication setup screen, or download the app from the App Store or Google Play.

Note: for Yandex.Key to work, you may need to grant access to the device camera to recognize barcodes (QR codes).

In the Yandex.Key application, click the “Add account to the application” button. Then the device camera will launch. Scan the barcode that appears in your browser.

If the QR code cannot be recognized, click the “Show secret key” button and click “Add a key manually” in the application. Instead of a QR code, the browser will display a sequence of characters that must be entered into the application.

After the account is recognized, the device will ask you to enter the PIN created in the previous step.

To verify that the setup was successful, enter the one-time password generated in the previous step. Two-factor authentication will only be enabled if you enter the correct password.

Simply enter the PIN code created in step 2 into the Yandex.Key application. The application will generate a one-time password. Enter it next to the “Enable” button, and then click the button.

Note: you need to enter the one-time password before it changes on the screen. Sometimes it is better to wait until a new password is created and enter that one.

If you entered the correct password, two-factor authentication will be enabled for your Yandex.Passport account.

How to disable two-factor authentication in Yandex

  1. Go to the “Access Management” tab in your Yandex.Passport account.
  2. Move the switch to the “Off” position.
  3. A page will open on which you need to enter a one-time password from the Yandex.Key application.
  4. If the password is entered correctly, the user will be prompted to set a new primary password for the account.

Note: Once you disable two-factor authentication, your old app passwords will no longer work. You will need to create new application passwords to restore functionality of related services and applications, such as email clients.

The user can configure access of third-party applications to the Yandex account using application passwords. Please note that each individual application password grants access to a specific service. For example, a password created for an email client will not allow access to the Yandex.Disk cloud storage.

You can create application passwords on the “Access Management” tab in the Yandex.Passport account control panel. Slide the “App Passwords” switch to the “On” position. If two-factor authentication is enabled, application passwords will be enforced and cannot be disabled.

You will need to create a separate application password for each third-party program that asks for a Yandex password, including:

  • Mail clients (Mozilla Thunderbird, Microsoft Outlook, The Bat!, etc.)
  • WebDAV clients for Yandex.Disk
  • CalDAV clients for Yandex.Calendar
  • Jabber clients
  • Applications for importing from other email services

To create an application password:

  1. Go to the “Access Management” tab in the Yandex.Passport account control panel.
  2. Enable the “App Passwords” option if it is disabled (the toggle will not appear if you have not enabled two-factor authentication).
  3. Click "Get app password".
  4. Select the Yandex service that you want to access in the application and the operating system.
  5. Enter the name of the application for which you are creating a password and click "Add".
  6. The password will be shown on the next tab. Click "Done".

Note: you can view the generated password only once. If you entered the password incorrectly and have already closed the window, delete the current password and create a new one.

It is rare for a post on the Yandex blog, especially one about security, to go without a mention of two-factor authentication. We have been thinking for a long time about how to properly strengthen the protection of user accounts, and in such a way that it can be used without all the inconveniences of today's most common implementations. And they are, alas, inconvenient. According to some data, on many large sites the share of users who have enabled additional authentication means does not exceed 0.1%.

It seems that this is because the common two-factor authentication scheme is too complex and inconvenient. We tried to come up with a method that would be more convenient without losing the level of protection, and today we present its beta version.

We hope it becomes more widespread. For our part, we are ready to work on its improvement and subsequent standardization.

After enabling two-factor authentication in Passport, you will need to install the Yandex.Key application from the App Store or Google Play. QR codes have appeared in the login form on the Yandex main page, in Mail and in Passport. To log into your account, you scan the QR code with the application, and that's it. If the QR code cannot be scanned, for example because the smartphone camera does not work or there is no Internet access, the application will create a one-time password that is valid for only 30 seconds.

I'll tell you why we decided not to use such “standard” mechanisms as RFC 6238 or RFC 4226. How do common two-factor authentication schemes work? They are two-stage. The first stage is ordinary authentication with a login and password. If it succeeds, the site checks whether it “likes” this user session or not. If it does not, it asks the user for “additional authentication”. There are two common methods of additional authentication: sending an SMS to the phone number linked to the account, and generating a second password on the smartphone. TOTP according to RFC 6238 is mostly used to generate the second password. If the user enters the second password correctly, the session is considered fully authenticated; if not, the session loses even its first-stage (“pre-”) authentication.

Both methods, sending an SMS and generating a password, are proof of possession of the phone and are therefore a possession factor. The password entered at the first stage is a knowledge factor. Therefore this authentication scheme is not only two-step but also two-factor.

What seemed problematic to us about this scheme?

Let's start with the fact that the average user's computer cannot always be called a model of security: disabled Windows updates, a pirated copy of an antivirus without current signatures, and software of dubious origin all do nothing to raise the level of protection. By our assessment, compromising a user's computer is the most widespread way of “hijacking” accounts (and recently there was yet another confirmation of this), and this is what we want to protect against first of all. In the case of two-factor authentication, if you assume that the user's computer is compromised, entering a password on it compromises the password itself, that is, the first factor. This means that the attacker only needs to brute-force the second factor. In common implementations of RFC 6238, the second factor is 6 decimal digits (and the maximum allowed by the specification is 8 digits). According to a brute-force calculator for OTP, in three days an attacker is able to find the second factor if he has somehow learned the first. It is not clear how the service can counter this attack without disrupting the normal user experience. The only possible proof of work is a captcha, which, in our opinion, is the last resort.

The second problem is the opacity of the service's judgment about the quality of the user session and of its decision on whether additional authentication is needed. Even worse, the service has no interest in making this process transparent, because security through obscurity actually works here: if an attacker knows on what basis the service decides that a session is legitimate, he can try to forge that data. As a general rule, we can conclude that the judgment is made from the user's authentication history, taking into account the IP address (and its derivatives: the autonomous system number identifying the provider, and the location from a geo database) and browser data, for example the User-Agent header and a set of cookies, Flash LSOs and HTML local storage. This means that if an attacker controls a user's computer, he can not only steal all the necessary data but also use the victim's IP address. Moreover, if the decision is made on the basis of the ASN, then any login from public Wi-Fi in a coffee shop can lead to “poisoning” (from a security point of view; whitelisting from the service's point of view) of that coffee shop's provider and, for example, to whitelisting all the coffee shops in the city. We have written about how an anomaly detection system works, and it could be used here, but the time between the first and second stages of authentication may not be enough to judge an anomaly with confidence. Moreover, the same argument destroys the idea of “trusted” computers: an attacker can steal any information that influences the trust judgment.

Finally, two-step authentication is simply inconvenient: our usability research shows that nothing irritates users more than an intermediate screen, extra button clicks and other actions that are “unimportant” from their point of view. Based on this, we decided that authentication should be one-step and that the password space should be much larger than is possible within the framework of “pure” RFC 6238. At the same time, we wanted to preserve two-factor authentication as far as possible.

Multifactor authentication is defined by assigning authentication elements (actually, they are called factors) to one of three categories:

  1. Knowledge factors (these are traditional passwords, PIN codes and everything that looks like them);
  2. Possession factors (in the OTP schemes in use this is usually a smartphone, but it can also be a hardware token);
  3. Biometric factors (fingerprint is the most common now, although someone will remember the episode with Wesley Snipes’ character in the film Demolition Man).

Development of our system

When we started working on the problem of two-factor authentication (the first pages of the corporate wiki on the subject date back to 2012, but it was discussed informally before that), the first idea was to take standard authentication methods and apply them to ourselves. We understood that we could not count on millions of our users buying a hardware token, so we postponed this option for some exotic cases (although we are not abandoning it completely; perhaps we will come up with something interesting). The SMS method could not be widespread either: it is a very unreliable delivery channel (at the most crucial moment the SMS may be delayed or not arrive at all), and sending SMS costs money (and operators have begun to raise their prices). We decided that SMS is for banks and other low-tech companies, and that we want to offer our users something more convenient. In general, the choice was small: use the smartphone and a program on it as the second factor.

This form of one-step authentication is widespread: the user remembers a PIN (the first factor) and has a hardware or software (smartphone) token that generates an OTP (the second factor). In the password field he enters the PIN followed by the current OTP value.

In our opinion, the main disadvantage of this scheme is the same as that of two-step authentication: if we assume that the user's desktop is compromised, then entering the PIN once leads to its disclosure, and all that remains for the attacker is to brute-force the second factor.

We decided to go a different route: the entire password is generated from a secret, but only part of the secret is stored on the smartphone, and the other part is entered by the user each time a password is generated. Thus the smartphone itself is a possession factor, and the password remains in the user's head and is a knowledge factor.

The nonce can be either a counter or the current time. We chose the current time: this means we need not fear desynchronization if someone generates too many passwords and advances the counter.

So we have a program for the smartphone into which the user enters his part of the secret; it is mixed with the stored part, and the result is used as an HMAC key with which the current time, rounded to 30 seconds, is signed. The HMAC output is converted to readable form, and voilà, here is the one-time password!

As stated earlier, RFC 4226 specifies that the HMAC result be truncated to at most 8 decimal digits. We decided that a password of this size is not suitable for one-step authentication and should be larger. At the same time we wanted to keep it easy to use (after all, remember, we want to make a system that will be used by ordinary people, not just security geeks), so as a compromise in the current version of the system we chose to truncate to 8 characters of the Latin alphabet. It seems that 26^8 passwords valid for 30 seconds is quite acceptable, but if this security margin does not satisfy us (or valuable tips on how to improve the scheme appear on Habr), we will expand it, for example, to 10 characters.

Learn more about the strength of such passwords

In fact, for case-insensitive Latin letters the number of options per character is 26; for upper- and lower-case Latin letters plus digits it is 26+26+10=62. Then $\log_{62}(26^{10}) \approx 7.9$, that is, a password of 10 random lower-case Latin letters is almost as strong as a password of 8 random upper- or lower-case Latin letters or digits. This will certainly be enough for 30 seconds. If we talk about an 8-character password of Latin letters, its strength is $\log_{62}(26^{8}) \approx 6.3$, that is, a little more than a 6-character password of upper-case letters, lower-case letters and digits. We think this is still acceptable for a 30-second window.
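The generator described in the two paragraphs above (split secret, HMAC over the 30-second time step, output rendered as 8 Latin letters) together with the strength comparison, as an added example; this is not Yandex.Key's code. Assumed, because the post does not say: the two halves are mixed by hashing their concatenation, the HMAC is HMAC-SHA1 over an 8-byte big-endian step as in RFC 4226/6238, the 8 letters are the digest read as a base-26 number, and the server tolerates one step of clock drift.

```python
# Added example, not Yandex.Key's own code: a generator/verifier of the kind the post
# describes. Assumptions not stated in the post: the two halves of the secret are mixed
# by hashing their concatenation; the HMAC is HMAC-SHA1 over the 8-byte big-endian
# time step, as in RFC 4226/6238; the 8 letters are the digest read as a base-26 number.
import hashlib
import hmac
import math
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"  # case-insensitive Latin letters: 26 options per character
STEP_SECONDS = 30                        # the post's 30-second validity window
PASSWORD_LEN = 8                         # 26**8 possible passwords per window


def mix_secret(stored_part: bytes, pin: str) -> bytes:
    """Combine the half kept on the phone with the half the user types each time (assumed mixing)."""
    return hashlib.sha256(stored_part + pin.encode("utf-8")).digest()


def one_time_password(stored_part: bytes, pin: str, unix_time: int) -> str:
    """Sign the current 30-second step with the mixed key and render the HMAC as 8 Latin letters.

    The phone cannot tell whether the PIN was right: a wrong PIN simply yields a
    well-formed password that the server will reject (exactly what the help text warns about).
    """
    counter = unix_time // STEP_SECONDS
    key = mix_secret(stored_part, pin)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    value = int.from_bytes(digest, "big")
    letters = []
    for _ in range(PASSWORD_LEN):  # take the lowest base-26 digits of the 160-bit digest
        value, idx = divmod(value, len(ALPHABET))
        letters.append(ALPHABET[idx])
    return "".join(letters)


def verify(stored_part: bytes, pin: str, candidate: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check. The server knows both halves (it issued the stored half in the QR code
    and the user created the PIN during setup), so it recomputes the password for the current
    step and its neighbours to tolerate small clock drift between phone and server."""
    candidate = candidate.strip().lower()
    if len(candidate) != PASSWORD_LEN or any(c not in ALPHABET for c in candidate):
        return False
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = one_time_password(stored_part, pin, unix_time + delta * STEP_SECONDS)
        # constant-time compare; keep looping so timing does not reveal which step matched
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def equivalent_length(alphabet_size: int, length: int, reference_alphabet: int = 62) -> float:
    """Length of a password over `reference_alphabet` symbols with the same number of
    possibilities as `length` symbols over `alphabet_size`: log_ref(alphabet_size ** length)."""
    return length * math.log(alphabet_size) / math.log(reference_alphabet)


if __name__ == "__main__":
    phone_half = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed demo secret
    now = 1_700_000_000
    otp = one_time_password(phone_half, "1234", now)
    print("one-time password:", otp, "accepted:", verify(phone_half, "1234", otp, now))
    print("wrong PIN still produces a password:", one_time_password(phone_half, "1235", now))
    print("10 lower-case letters ~ %.1f symbols of [A-Za-z0-9]" % equivalent_length(26, 10))
```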

Magic, passwordlessness, applications and next steps

In general, we could have stopped there, but we wanted to make the system even more convenient. When a person has a smartphone in hand, he does not want to type a password on the keyboard!

That's why we started working on the “magic login”. With this authentication method the user launches the application on his smartphone, enters his PIN into it and scans the QR code on his computer screen. If the PIN was entered correctly, the page in the browser reloads and the user is authenticated. Magic!

How does it work?

The session number is embedded in the QR code, and when the application scans it, this number is sent to the server together with the username and a password generated in the usual way. This is not hard, because the smartphone is almost always online. In the page showing the QR code, JavaScript is running, waiting for the server to report whether the password for this session has been verified. If the server answers that the password is correct, session cookies are set along with the response and the user is considered authenticated.
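The session half of that exchange, as an added example that is not Yandex's code: the browser obtains a session id for the QR code, the phone submits the id with login and one-time password, and the page polls until the server issues a cookie. The one-time-password check is assumed to be whatever the server already has (such as the HMAC scheme above); `demo_verify_otp`, the session lifetime and all names here are constructed for this example.

```python
# Added example, not Yandex's code: server-side session binding for the "magic login"
# flow, with both sides' messages modelled as method calls. `demo_verify_otp`, the
# session lifetime and all names are hypothetical.
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 120.0  # seconds a displayed QR code stays usable (assumed value)


@dataclass
class LoginSession:
    session_id: str
    created_at: float
    consumed: bool = False        # a code is accepted for exactly one submission, right or wrong
    login: Optional[str] = None
    cookie: Optional[str] = None  # set only after the server itself verified the one-time password


class QrLoginServer:
    def __init__(self, verify_otp: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time):
        self._verify_otp = verify_otp
        self._clock = clock
        self._sessions: Dict[str, LoginSession] = {}

    def _expired(self, s: LoginSession) -> bool:
        return self._clock() - s.created_at > SESSION_TTL

    # Browser side, step 1: the login page asks for a session; this id is what the QR code encodes.
    # It is an unguessable random token, so nobody can attach themselves to someone else's page.
    def start_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = LoginSession(sid, self._clock())
        return sid

    # Phone side, step 2: the app scanned the code and posts session id + login + one-time password.
    def submit_from_phone(self, sid: str, login: str, otp: str) -> bool:
        s = self._sessions.get(sid)
        if s is None or s.consumed or self._expired(s):
            return False
        s.consumed = True                     # no second try on the same code
        if not self._verify_otp(login, otp):
            return False                      # the browser will be told the password was wrong
        s.login = login
        s.cookie = secrets.token_urlsafe(32)  # session cookie minted here, never by the client
        return True

    # Browser side, step 3: the page's JavaScript polls until the server has a verdict.
    def poll(self, sid: str) -> Dict[str, str]:
        s = self._sessions.get(sid)
        if s is None:
            return {"status": "unknown"}
        if s.cookie is not None:
            del self._sessions[sid]           # hand the cookie out once, then forget the session
            return {"status": "authenticated", "login": s.login, "set_cookie": s.cookie}
        if s.consumed:
            return {"status": "rejected"}     # wrong one-time password: standard error in the browser
        if self._expired(s):
            return {"status": "expired"}      # the page should request a fresh QR code
        return {"status": "pending"}


def demo_verify_otp(login: str, otp: str) -> bool:
    """Constructed stand-in for the real one-time-password check."""
    return login == "alice" and otp == "qwertyui"


if __name__ == "__main__":
    server = QrLoginServer(demo_verify_otp)
    sid = server.start_session()           # browser shows this id as a QR code
    print("before scan:", server.poll(sid))
    server.submit_from_phone(sid, "alice", "qwertyui")  # phone scanned it and sent the password
    print("after scan: ", server.poll(sid))
```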

It got better, but we decided not to stop there either. Starting with the iPhone 5S, Apple phones and tablets have had the Touch ID fingerprint scanner, and since iOS 8 third-party applications can use it too. In reality the application does not gain access to the fingerprint, but if the fingerprint is correct, an additional Keychain section becomes available to the application. We took advantage of this: the second part of the secret, the one the user typed on the keyboard in the previous scenario, is placed in a Touch ID-protected Keychain item. When the Keychain is unlocked, the two parts of the secret are mixed, and then the process works as described above.

But for the user it has become incredibly convenient: he opens the application, touches the sensor, scans the QR code on the screen and finds himself logged in in the browser on his computer! So we replaced the knowledge factor with a biometric one and, from the user's point of view, did away with passwords entirely. We are sure that ordinary people will find this scheme much more convenient than manually entering two passwords.

It is debatable how formally two-factor this authentication is, but in reality you still need to have the phone and the correct fingerprint to complete it, so we believe we have been quite successful in eliminating the knowledge factor and replacing it with biometrics. We understand that we rely on the security of the ARM TrustZone that underlies the iOS Secure Enclave, and we believe that this subsystem can currently be considered trusted within our threat model. Of course, we are aware of the problems with biometric authentication: a fingerprint is not a password and cannot be replaced if compromised. But, on the other hand, everyone knows that security is inversely proportional to convenience, and the user has the right to choose the ratio between the two that is acceptable to him.

Let me remind you that this is still a beta. For now, when two-factor authentication is enabled, we temporarily disable password synchronization in Yandex Browser. This is due to the way the password database is encrypted. We are already working on a convenient way to authenticate the Browser in the case of 2FA. All other Yandex functionality works as before.

This is what we got. It seems to have turned out well, but you be the judge. We will be glad to hear your feedback and recommendations, and we will continue to work on improving the security of our services: now, along with CSP, encryption of mail transport and everything else, we also have two-factor authentication. Do not forget that authentication services and OTP generation applications are critical, and therefore a double bonus is paid for errors found in them as part of the Bug Bounty program.


Two-step account verification allows you to protect your account from being hacked by an attacker. This feature is implemented by companies that care about user safety. Let's take a closer look at how to enable and disable two-factor authentication for an Apple ID.

How does it work

If two-step verification is enabled on your account, your profile can only be used on trusted devices. If you try to sign in to your Apple ID on a new gadget, you will have to enter your password and a 16-digit code that will be displayed on the trusted device.

Note! After signing in, the new device automatically becomes trusted.

Important points to remember:

  • Be sure to remember your account information.

    Important! To restore it, you need to contact Apple and prove the legal purchase of the device from official representatives of the company.

  • Provide (physical) security for trusted devices.
  • Use lock passcodes on all gadgets.

Enable two-factor authentication

You can activate the function through the smartphone system settings.

Note! For this example we used an iPhone with iOS 11. If you have version 10.2 or earlier, setup is done through the iCloud item.

Disabling the feature

Disabling two-step verification occurs through the browser.

Note! Answering security questions may be required to verify your identity.

Conclusions

Two-step verification lets you protect your device from being hacked by intruders. When using the feature, do not forget some safety rules. Setting up or disabling authentication does not take much time.

Attention. Applications developed by Yandex require a one-time password; even correctly created application passwords will not work with them.

Login to a Yandex service or application

You can enter a one-time password in any form of authorization on Yandex or in applications developed by Yandex.

Note. You must enter the one-time password while it is displayed in the application. If there is too little time left before the update, just wait for the new password.

To get a one-time password, launch Yandex.Key and enter the PIN code that you specified when setting up two-factor authentication. The application will start generating passwords every 30 seconds.

Yandex.Key does not check the PIN you enter and generates one-time passwords even if you entered the PIN incorrectly. In that case the generated passwords are also incorrect and you will not be able to log in with them. To enter the correct PIN, simply exit the application and launch it again.

Features of one-time passwords:

Login using QR code

Some services (for example, the Yandex home page, Passport and Mail) allow you to log into Yandex by simply pointing the camera at the QR code. In this case, your mobile device must be connected to the Internet so that Yandex.Key can contact the authorization server.

  1. Click the QR code icon in your browser.

     If there is no such icon in the login form, you can only log in to this service with a password. In that case, log in using the QR code in Passport and then go to the desired service.

  2. Enter your PIN in Yandex.Key and click Login using QR code.
  3. Point your device's camera at the QR code displayed in the browser.

Yandex.Key will recognize the QR code and send your login and one-time password to Yandex.Passport. If they pass verification, you are automatically logged in in the browser. If the transmitted password is incorrect (for example, because you entered the PIN incorrectly in Yandex.Key), the browser will display the standard incorrect-password message.

Logging in with a Yandex account to a third-party application or website

Applications or sites that need access to your data on Yandex sometimes require you to enter a password to log into your account. In such cases, one-time passwords will not work - you need to create a separate application password for each such application.

Attention. Only one-time passwords work in Yandex applications and services. Even if you create an application password, for example, for Yandex.Disk, you will not be able to log in with it.

Transfer of Yandex.Key

You can transfer the generation of one-time passwords to another device, or configure Yandex.Key on several devices at the same time. To do this, open the Access Control page and click the Replace device button.

Several accounts in Yandex.Key

The same Yandex.Key can be used for several accounts with one-time passwords. To add another account to the application, click the icon in the application at step 3 of setting up one-time passwords. You can also add password generation to Yandex.Key for other services that support this kind of two-factor authentication. Instructions for the most popular services are given on the page about creating verification codes for services other than Yandex.

To remove an account link to Yandex.Key, press and hold the corresponding portrait in the application until a cross appears to the right of it. When you click on the cross, the account linking to Yandex.Key will be deleted.

Attention. If you delete an account for which one-time passwords are enabled, you will not be able to obtain a one-time password to log into Yandex. In this case, it will be necessary to restore access.

Fingerprint instead of PIN code

You can use your fingerprint instead of a PIN on the following devices:

  • smartphones running Android 6.0 with a fingerprint scanner;
  • iPhone starting from model 5s;
  • iPad starting with Air 2.

Note. On iOS smartphones and tablets, the fingerprint can be bypassed by entering the device passcode. To protect against this, enable a master password or change the passcode to a more complex one: open the Settings app and select Touch ID & Passcode.

To enable fingerprint verification:

Master password

To further protect your one-time passwords, create a master password: → Master Password.

With a master password you can:

    make it so that instead of a fingerprint only the Yandex.Key master password can be entered, and not the device lock code;

Backup copy of Yandex.Key data

You can create a backup copy of the Key data on the Yandex server so that you can restore it if you lose your phone or tablet with the application. The data of all accounts added to the Key at the time the copy was created is copied to the server. You cannot create more than one backup copy; each subsequent copy of data for a specific phone number replaces the previous one.

To retrieve data from a backup, you need to:

  • have access to the phone number that you specified when creating it;
  • remember the password you set to encrypt the backup.

Attention. The backup copy contains only the logins and secrets necessary to generate one-time passwords. You must remember the PIN code that you set when you enabled one-time passwords on Yandex.

It is not yet possible to delete a backup copy from the Yandex server. It will be deleted automatically if you do not use it within a year after creation.

Creating a Backup

  1. Select Create a backup in the application settings.
  2. Enter the phone number to which the backup will be linked (for example, "380123456789") and click Next.
  3. Yandex will send a confirmation code to the entered phone number. Once you receive the code, enter it in the application.
  4. Create a password that will encrypt the backup copy of your data. This password cannot be recovered, so make sure you do not forget or lose it.
  5. Enter the password you created twice and click Finish. Yandex.Key will encrypt the backup copy, send it to the Yandex server and report that it has done so.

Restoring from a backup

  1. Select Restore from backup in the application settings.
  2. Enter the phone number you used when creating the backup (for example, "380123456789") and click Next.
  3. If a backup copy of the Key data is found for the specified number, Yandex will send a confirmation code to this phone number. Once you receive the code, enter it in the application.
  4. Make sure that the date and time the backup was created, as well as the device name, match the backup you want to use. Then click the Restore button.
  5. Enter the password you set when creating the backup. If you do not remember it, unfortunately, it will be impossible to decrypt the backup.
  6. Yandex.Key will decrypt the backup data and notify you that the data has been restored.

How one-time passwords depend on precise time

When generating one-time passwords, Yandex.Key takes into account the current time and the time zone set on the device. When an Internet connection is available, the Key also requests the exact time from the server: if the time on the device is set incorrectly, the application compensates for the difference. But in some situations, even after correction and with the correct PIN, the one-time password will be incorrect.

If you are sure that you are entering your PIN and password correctly but cannot log in:

  • Make sure your device is set to the correct time and time zone. After that, try logging in with a new one-time password.
  • Connect your device to the Internet so that Yandex.Key can get the exact time on its own. Then restart the application and try entering a new one-time password.

If the problem is not resolved, please contact support using the form below.
