
Assignment IF5141

Information Security Management


Assignment 2 – Two-Factor Authentication for Mobile and Web Apps

Submission date: 8 May 2018

By:

Kurnia Ramadhan Putra 23516001

Fernando Simangunsong 23516301

Chernet Gebayew 23517701

MASTER OF INFORMATICS
SCHOOL OF ELECTRICAL ENGINEERING AND INFORMATICS
INSTITUT TEKNOLOGI BANDUNG
2018
CONTENTS

I. Introduction .......................................................................................................................................... 3
II. Types of Two Factor Authentication.................................................................................................... 4
II.1 SMS Token........................................................................................................................................... 4
II.2 Email Token ......................................................................................................................................... 5
II.3 Hardware Token.................................................................................................................................. 6
II.4 Software Token ................................................................................................................................... 6
II.5 Phone Call........................................................................................................................... 7
II.6 Biometric Verification ......................................................................................................................... 8
III. Purpose, Needs, and Motivations for Two-factor Authentication ................................................. 8
III.1 Security .............................................................................................................................................. 8
III.2 Compliance ........................................................................................................................................ 9
III.3 Usability ............................................................................................................................................. 9
IV. Advantages of two-factor authentication ....................................................................................... 9
IV.1 Improve Security ................................................................................................................................ 9
IV.2 Achieve Compliance........................................................................................................................... 9
IV.3 Increase Flexibility and Productivity ................................................................................................ 10
V. Disadvantages of two-factor authentication .................................................................................... 10
V.1 Factors can get lost ........................................................................................................................... 10
V.2 False security .................................................................................................................................... 10
V.3 It can be turned against users .......................................................................................................... 11
VI. Time-based variant of the OTP algorithm ..................................................................................... 11
Reference .................................................................................................................................................... 12

Page 2 of 12
I. Introduction
Two-Factor Authentication (2FA) is a two-step verification process that adds a layer of security
by requiring the user to authenticate with a second, independent means (a possession factor or an
inherence factor) in addition to the password. Without 2FA, an attacker who learns the victim's
password can access the victim's devices or accounts with nothing more; with 2FA, knowing only
the password is insufficient to pass the authentication check [1].

Two-Factor Authentication (2FA or TFA) is the technical term for the process of requiring a
user to verify their identity in two distinct ways before they are granted access to a system.
Traditionally, users have relied on, and are accustomed to, authentication systems that require
them to provide a unique identifier such as an email address, username or phone number together
with a correct password or PIN. 2FA extends this paradigm by adding a further step to the
authentication process, most commonly requiring the user to enter a one-time token that is
dynamically generated and delivered through a channel that only the user has access to. Another
common method is to use the user's biometric data, such as a fingerprint or retina scan, as the
second factor. This gives the user and the system administrator peace of mind: even if the user's
password is compromised, the account cannot be accessed without also possessing the second
factor, such as a dynamically generated one-time password (OTP) or a biometric trait. Two-factor
authentication is based on the user providing two of the following three "somethings":
• Knowledge (something you know): the system accepts you if you prove that you know a
certain piece of information, such as a PIN, the answer to a security question, or tax return details.
• Possession (something you have): the system accepts you if you prove that you have a
physical device with you, including USB keys, card readers, a phone receiving SMS codes,
authenticator apps, and wireless tags.
• Inherence (something you are): the system accepts you via a biometric comparison, such as
a fingerprint scan, a retina scan, or voice recognition.
Most attackers go after the password or PIN for an account. Getting hold of a physical token
generator or of someone's biometric features is harder, which is why 2FA is effective in
providing greater security for user accounts.

Some services make the second factor mandatory. Scalr, for example, requires a TOTP token in
addition to the user's password in order to grant access. TOTP is an industry-standard protocol
for two-factor authentication, and mobile applications such as Google Authenticator can be used
to generate TOTP tokens on a mobile device (e.g. an Android or iOS smartphone).

Two-factor authentication is a process that adds an extra level of authentication to account
log-ins. It requires you to have multiple pieces of information in order to access certain data,
more than just a username, email address or password. Accounts making use of two-step
authentication usually require at least two of the following [2]:
• A knowledge factor: e.g. a personal identification number, a secondary password or a
pattern. (One-time passwords, generated to be used once and changing each time the account is
accessed, are typed in like a password, but because they come from a device or channel the user
holds they belong with the possession factor below.)
• A physical (possession) factor: e.g. a payment card, a mobile phone, a fob or a key card.
• Personally specific data (an inherence factor): e.g. a fingerprint, a retina scan or voice
recognition.

II. Types of Two Factor Authentication


There are numerous ways to implement 2FA. Each has its pros and cons, but all of them
significantly increase the security of user accounts when implemented. The key takeaway from
all of the methods discussed below is that, once the user has verified their username and
password, they must enter a second, dynamically generated and constantly changing code before
they can access the system. Companies often add rules for when and how 2FA is used: the user
may not need to use 2FA when inside the company intranet or on a device on which they have
previously completed 2FA, while in other cases the user must use 2FA every single time they
authenticate. Identity providers such as Auth0 support these and other custom rules to meet
business needs [3]. The types of 2FA are as follows:

II.1 SMS Token

This is perhaps the most common method of implementing 2FA. After the user has successfully
entered their username and password, the service sends them a unique token via SMS text
message, normally a 5-10 digit code. The user then has to provide this token before they are
granted access.

Pros:

• User friendly – most users are comfortable receiving text messages
• Availability – the majority of phones have SMS capabilities
• Cost – inexpensive to set up and maintain

Cons:

• Connectivity – cell signal and reception are required to receive the token
• Security – SMS messages can be intercepted by third parties (for instance through SIM-swap
fraud, interception in the carrier's signalling network, or malware on the phone), so the code
should be short-lived and limited to a few attempts
• Hardware – a physical device is required, so if the phone is lost or stolen the user cannot
authenticate

II.2 Email Token

Another fairly common method of two factor authentication. This method is very similar to the
SMS method above but common implementations include having the user enter a 5-10 alpha-
numeric token or clicking a link provided in the email. Dynamically generated one-time
passwords are also used here.

Pros:

 User friendly – users can receive emails to both computers and mobile devices
 Cost – inexpensive to setup and maintain
 Options – can give the user additional options to verify token such as clicking a link

Cons:

• Delivery – email can fail to be delivered in many ways: the message goes to spam, is bounced
by the server, or sits in a backed-up delivery queue causing a delay, etc.
• Security – emails can be intercepted by third parties and the tokens compromised
• Redundancy – if a third party gains access to the user's credentials, it is possible they can
access the user's email as well and thus easily obtain the token
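The SMS (II.1) and email (II.2) methods above both rely on a server-generated code delivered out of band, and their cons (interception, guessing, reuse) have to be addressed on the server side. The following is an added example, not code from the original document or from any product it mentions: a minimal Python store that issues a random 6-digit code, keeps only a hash of it, expires it after five minutes (an assumed value), allows at most five wrong guesses (also assumed) and accepts it exactly once. The delivery itself (the SMS gateway or mail sender) is out of scope and is represented only by the returned code.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not from the source): a server-side store for one-time codes
# delivered out of band (SMS or e-mail). The design choices below address the
# cons listed above: a short lifetime limits the value of an intercepted code,
# an attempt cap stops guessing a 6-digit code, the code is stored only as a
# hash, and it is invalidated after the first successful use.

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # assumption: 5 minutes is typical
MAX_ATTEMPTS = 5              # assumption: wrong guesses allowed per code


def _hash_code(user_id: str, code: str) -> str:
    # Hash the code together with the user id so a leaked store cannot be
    # replayed across users; SHA-256 is fine because the code is random.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class OneTimeCodeStore:
    """In-memory store; a real deployment would use a database or cache."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock for testing
        self._pending = {}           # user_id -> (hash, expires_at, attempts)

    def issue(self, user_id: str) -> str:
        """Generate a fresh numeric code and return it for delivery."""
        # secrets.randbelow gives a uniformly random value, unlike random.randint
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = (
            _hash_code(user_id, code),
            self._now() + CODE_LIFETIME_SECONDS,
            0,
        )
        return code  # hand to the SMS/e-mail sender; never log it

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True once for the right code within its lifetime."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                       # nothing issued, or already used
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]         # expired or exhausted: force re-issue
            return False
        if hmac.compare_digest(code_hash, _hash_code(user_id, submitted)):
            del self._pending[user_id]         # single use
            return True
        self._pending[user_id] = (code_hash, expires_at, attempts + 1)
        return False
```

Issuing a new code replaces any pending one for that user, so a user who never received the first message can simply request another; the attempt counter resets with it, which is why the issue endpoint itself must also be rate-limited in practice.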

II.3 Hardware Token

This method is common in enterprise environments but can be used in any system. The user is
given a physical device, such as a key fob, USB dongle or other device, that dynamically
generates a token for the user. These tokens are generally valid only for short periods of time,
some as little as 30 seconds, and change constantly.

Pros:

• Standalone – doesn't require reception, online connectivity or other factors to generate
tokens
• Reliable – hardware tokens are specifically built to only generate tokens
• Secure – as these devices only perform one task, the possible vectors of exploitation are
greatly reduced

Cons:

• Cost – expensive to set up and maintain
• Hardware – devices can be easily misplaced, forgotten and lost
• Too Many Devices – having a hardware device for multiple services may make the user
not want to use 2FA

II.4 Software Token

Software tokens require the user to download and install an application on their computer or
mobile device that dynamically generates tokens for the user. With the rise of smartphones this
method is gaining popularity. Software tokens work similarly to hardware tokens: each code is
derived from a secret held on the device and is valid only for a brief period before changing, and
developers can choose from a number of different implementations to meet business needs.

Pros:

• User friendly – apps generally have simple interfaces that just display the token to the
user
• Updates – easy to update the software and apply patches when needed
• Extensibility – ability to add enhanced features such as requiring a PIN to open the app
or using a single app for multiple accounts

Cons:

• Cost – expensive to implement and maintain
• Additional Software – requires the user to download and install additional software on their
devices
• Security – the device or application that generates the token can be compromised (for
example by malware) without the user's knowledge, and the secret seed must be protected both
when it is provisioned and while it is stored

II.5 Phone Call

This method of 2FA calls the user once they have entered their username and password and
reads them the token. This is perhaps the most inconvenient method for the end user, but it is a
viable and common way of delivering dynamic tokens to the user.

Pros:

• User friendly – as simple as receiving a phone call
• Cost – inexpensive to set up and implement
• Reliability – voice/SMS reception generally requires less bandwidth than data, so it may be
a good alternative to software- or email-based verification where a data connection is
required

Cons:

• Security – calls can be intercepted or forwarded, and voicemail accounts can be hacked
• Connectivity – cell signal and reception are required
• Hardware – requires a physical device to receive the token

II.6 Biometric Verification

This method of 2FA is different from the others mentioned so far. Biometric verification relies
on the actual user being the token. A unique feature such as the user's fingerprint or retina is
used to verify that the user is who they say they are.

Pros:

• The user becomes the token – just be yourself!
• Options – many different options for the token, including fingerprints, retina, voice and
facial recognition
• User friendly – minimal knowledge of how the system works is required from the end user

Cons:

• Privacy – storage of biometric data raises privacy concerns
• Security – fingerprints and other biometric data can be compromised and cannot be
changed
• Additional hardware – requires special devices to verify biometric data, such as cameras
and scanners

III. Purpose, Needs, and Motivations for Two-factor Authentication

There are typically three primary motivations for people and organizations to use multi-factor
authentication (MFA): security, compliance, and usability.

III.1 Security

The strength of an authentication system is largely determined by the number of factors or
layers incorporated into it. While each authentication method has strengths and weaknesses,
systems that use two or more different factors are typically considered stronger than those that
use only one factor.

III.2 Compliance

Almost every organization has some level of local, state, and/or federal compliance to which
they must adhere. Many of these regulations specify that organizations must utilize 2FA under
certain circumstances, like when accessing particular types of data or connecting from certain
locations. There is pressure for organizations to maintain compliance in order to mitigate audit
findings and avoid potential fines and other penalties.

III.3 Usability

The key need regarding usability revolves around the notion that "passwords are dead". This
commonly heard phrase has two core meanings. First, people have too many passwords for their
devices and applications, whether personal or professional. Second, if you follow password best
practices and make each one different and complex, even most technical people struggle with
the task. While password managers and IAM systems with single sign-on significantly reduce
password-related headaches, 2FA also opens up opportunities to eliminate the use of passwords
altogether by securely authenticating users via other methods, which is a significant motivator
on the usability front.

IV. Advantages of two-factor authentication


The benefits for 2FA align very closely to the motivations for having multi-factor authentication.

IV.1 Improve Security

The primary benefit of two-factor authentication is that it provides additional security by adding
protection in layers. The more layers/factors in place, the more the risk of an intruder gaining
access to critical systems and data is reduced.

IV.2 Achieve Compliance

A second benefit of two-factor authentication is being able to meet the compliance requirements
specific to an organization, which in turn mitigates audit findings and avoids potential fines.

IV.3 Increase Flexibility and Productivity

Finally, being able to remove the burden of passwords by replacing them with alternatives has
the potential to increase productivity and bring a better user experience thanks to the increased
flexibility of factor types. In the right environment and situation, there could even be an
opportunity to reduce operational costs.

V. Disadvantages of two-factor authentication


The disadvantages of two-factor authentication are as follows [4]:

V.1 Factors can get lost

There is no certainty that your authentication factors will be available when you need them, and
typically you are locked out of your account as soon as one of them is missing.

If you lose power or your phone is damaged by water, you won't be able to receive SMS codes as
the second authentication factor. Relying on a USB key as a second factor is also risky: it can
easily be misplaced or accidentally run through the laundry. If you rely on factors like PINs,
there is always the chance that you forget them. Biometric factors like eyes and fingers can be
lost in accidents.

Most recently, victims of Hurricanes Harvey and Irma found themselves locked out of their
accounts because they had no way to charge their phones. Without a phone you cannot receive
the authentication code, and without that you are not granted access.

While account recovery is possible, it’s likely to be time-consuming and somewhat difficult.
Also, if you have a number of accounts protected with a single factor and you lose that, then
you’ll need to recover all of those.

V.2 False security

Two-factor authentication provides a level of security, but it’s typically exaggerated. For
example, if you were locked out of a service because you lost a factor, you’re basically in the
same predicament as a hacker attempting to gain access to your account. If you can reset your
account without an access factor, then a hacker can, too.

Recovery options typically contradict the point of two-factor authentication, which is why
companies like Apple have done away with them. However, without recovery options, your
account may be lost forever.

There are also services, such as PayPal, that use two-factor authentication but do not fully
enforce it. The company offers a second factor called the "PayPal Security Key", but in 2014 it
was shown that it could be bypassed entirely with little effort.

In sum, this means that you can follow two-factor authentication and still have your account
breached.

V.3 It can be turned against users

While two-factor authentication is intended to keep hackers out of your account, the opposite can
happen: hackers can set up or reconfigure two-factor authentication to keep you out of your own
accounts.

Two-factor authentication may not be effective enough to secure your accounts, but it can also
be too effective if you are not careful. As services improve their two-factor practices and make
account recovery more difficult, it is prudent to set up the authentication on your important
accounts before a hacker does.

VI. Time-based variant of the OTP algorithm


A time-based variant of the OTP algorithm provides short-lived OTP values, which are desirable
for enhanced security. TOTP is an algorithm that computes a one-time password from a shared
secret key and the current time. It has been adopted as Internet Engineering Task Force standard
RFC 6238, is a cornerstone of the Initiative for Open Authentication (OATH), and is used in a
number of two-factor authentication systems.

TOTP is built on a hash-based message authentication code (HMAC): it combines the secret key
with the current time step under a cryptographic hash function (SHA-1 by default) to generate a
one-time password. Because network latency and out-of-sync clocks mean the verifier may have
to try a range of possible times, the time is not used raw but quantised into steps, typically 30
seconds long, and the server checks only a small window of neighbouring steps; this bounds the
search and limits how long any single code remains valid.

In a typical two-factor authentication application, setup proceeds as follows. The user enters
their username and password into a website or other server; the server generates a secret key,
which the user enters into their TOTP application on a smartphone or other device (often by
scanning a QR code). To verify that the process worked, the application immediately generates a
one-time password, which is checked by the server. On subsequent authentications, the user
enters their username, password and the current one-time password. The server checks the
username and password as normal and then also runs TOTP to verify the entered one-time
password [5].
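The following added example (not from the source, nor the code of any product it mentions) implements HOTP (RFC 4226) and TOTP (RFC 6238) from the HMAC primitive, builds the otpauth:// provisioning URI that is usually encoded in the QR code of the setup step above, and verifies a submitted code the way a server would: one 30-second step either side of the current one to absorb clock skew, and refusal to accept a step that has already been used. The window size, the issuer name "ExampleApp" and the enrol/verify_totp function names are assumptions; with the RFC test secret 12345678901234567890 the functions reproduce the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Added example (not from the source): HOTP (RFC 4226) and TOTP (RFC 6238)
# from the primitives, plus the enrolment flow described in the text. The
# verification window of +/-1 step and the issuer name are assumptions.


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that is encoded into the QR code the authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                last_step_used: int = -1, step: int = 30) -> tuple:
    """Accept a code for steps now-window..now+window, never twice for one step.

    Returns (ok, step_used); the caller must persist step_used per user so that
    a code captured inside the window cannot be replayed.
    """
    if not submitted.isdigit():
        return False, last_step_used
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step_used:
            continue                                # already consumed
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_step_used


def enrol(account: str, issuer: str = "ExampleApp") -> tuple:
    """Server side of setup: mint a random secret and the URI to show as a QR code."""
    secret = secrets.token_bytes(20)                # 160-bit secret, as RFC 4226 recommends
    return secret, provisioning_uri(secret, account, issuer)


if __name__ == "__main__":
    secret, uri = enrol("alice@example.com")
    print("scan:", uri)
    first = totp(secret, int(time.time()))          # what the app would show
    print("initial check:", verify_totp(secret, first, int(time.time())))
```

Run stand-alone it prints a provisioning URI and the result of the initial check. The secret must be stored server-side with the same care as a password hash cannot give it (it is needed in clear to compute the HMAC), and the window should stay small: every extra step doubles the number of codes an attacker's guess can match.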

Reference
[1] N. Tellini and F. Vargas, "Two-Factor Authentication," 2017.
[2] "The Pros & Cons of Two Factor Authentication | EOL IT Services." [Online]. Available:
https://www.eolitservices.co.uk/2015/11/03/two-factor-authentication-pros-cons/. [Accessed: 04-May-2018].
[3] "Two Factor Authentication (2FA) - Auth0." [Online]. Available:
https://auth0.com/learn/two-factor-authentication/. [Accessed: 05-May-2018].
[4] "3 disadvantages of two-factor authentication - Electronic Products." [Online]. Available:
https://www.electronicproducts.com/Programming/Software/3_disadvantages_of_two_factor_authentication.aspx. [Accessed: 05-May-2018].
[6] "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm." [Online]. Available:
https://tools.ietf.org/html/rfc6238/. [Accessed: 05-May-2018].

