By:
MAGISTER INFORMATIKA
SEKOLAH TEKNIK ELEKTRO DAN INFORMATIKA
INSTITUT TEKNOLOGI BANDUNG
2018
CONTENTS
I. Introduction (p. 3)
II. Types of Two-Factor Authentication (p. 4)
II.1 SMS Token (p. 4)
II.2 Email Token (p. 5)
II.3 Hardware Token (p. 6)
II.4 Software Token (p. 6)
II.5 Phone Call (p. 7)
II.6 Biometric Verification (p. 8)
III. Purpose, Needs, and Motivations for Two-Factor Authentication (p. 8)
III.1 Security (p. 8)
III.2 Compliance (p. 9)
III.3 Usability (p. 9)
IV. Advantages of Two-Factor Authentication (p. 9)
IV.1 Improve Security (p. 9)
IV.2 Achieve Compliance (p. 9)
IV.3 Increase Flexibility and Productivity (p. 10)
V. Disadvantages of Two-Factor Authentication (p. 10)
V.1 Factors can get lost (p. 10)
V.2 False security (p. 10)
V.3 It can be turned against users (p. 11)
VI. Time-based variant of the OTP algorithm (p. 11)
Reference (p. 12)
Page 2 of 12
I. Introduction
Two-Factor Authentication (2FA) is a two-step verification process that adds a layer of
security by requiring the user to authenticate with a secondary means (a possession factor or an
inherence factor) in addition to the password. Without 2FA, an attacker who learns the victim's
password can access that person's devices or accounts; with 2FA, knowing the password alone is
insufficient to pass the authentication check [1].
Two-Factor Authentication (2FA or TFA) is the technical term for requiring a user to verify
their identity in two independent ways before they are granted access to a system.
Traditionally, users have relied on authentication systems that require a unique identifier such
as an email address, username or phone number together with a correct password or PIN. 2FA
extends this paradigm with an additional step, most commonly requiring the user to enter a
one-time token that is dynamically generated and delivered through a channel that only the user
has access to. Another common method is to use biometric data such as a fingerprint or retina
scan as the second factor. This gives users and system administrators peace of mind: even if a
user's password is compromised, the account cannot be accessed without both knowing which
method is used as the second factor and having access to that factor, such as a dynamically
generated one-time password (OTP) or a biometric sample. Two-factor authentication is based
on the user providing two of the following three "somethings":
Knowledge (something you know): The system accepts you if you prove that you know a
certain piece of information, such as a PIN, the answer to a security question, or tax return details.
Possession (something you have): The system accepts you if you prove that you have a
physical device with you, including USB keys, card readers, SMS codes (which in practice prove
control of a phone number rather than of a device), authenticator apps, and wireless tags.
Inherence (something you are): The system accepts you via a biometric comparison, such
as a fingerprint scan, retina scan, or voice recognition.
Learning the password or PIN for an account is what most attackers go after. Getting hold of a
physical token generator or reproducing a biometric feature is harder, which is why 2FA is
effective in providing greater security for user accounts.
II. Types of Two-Factor Authentication
Some services, Scalr for example, mandate a TOTP token in addition to the user's password
before granting access. TOTP is an industry-standard protocol for two-factor authentication,
and mobile applications such as Google Authenticator can generate TOTP tokens on a mobile
device (e.g. an Android or iOS smartphone).
II.1 SMS Token
This is perhaps the most common method of implementing 2FA. After the user has successfully
entered their username and password, the system sends them a unique token, normally a 5-10
digit code, via SMS text message. The user then needs to provide this token before they are
granted access.
Pros:
User friendly – most users are comfortable receiving text messages
Availability – majority of phones have SMS capabilities
Cost – inexpensive to setup and maintain
Cons:
II.2 Email Token
Another fairly common method of two-factor authentication. It is very similar to the SMS
method above, but common implementations have the user enter a 5-10 character alphanumeric
token or click a link provided in the email. Dynamically generated one-time passwords are also
used here.
Pros:
User friendly – users can receive emails to both computers and mobile devices
Cost – inexpensive to setup and maintain
Options – can give the user additional options to verify token such as clicking a link
Cons:
Delivery – email can fail to be delivered in many ways: it goes to spam, is bounced by the
server, or sits in a backed-up delivery queue that delays it, etc.
Security – emails can be intercepted by third parties and the tokens compromised
Redundancy – a third party that has obtained the user's credentials may well be able to access
the user's email as well, and thus easily obtain the token
II.3 Hardware Token
This method is common in enterprise environments but can be used in any system. The user is
given a physical device, such as a key fob, USB dongle or similar, that dynamically generates a
token for the user. These tokens are generally valid for only a short period, some as little as 30
seconds, and change constantly.
Pros:
Cons:
II.4 Software Token
Software tokens require the user to download and install an application on their computer or
mobile device that dynamically generates tokens for them. With the rise of smartphones this
method is gaining popularity. Software tokens work like hardware tokens in that each token is
derived from a shared secret and the current time (or a counter) and is valid only for a brief
period before it changes; developers can choose among a number of implementations to meet
the business needs.
Pros:
User friendly – apps generally have simple interfaces that just display the token to the
user
Updates – easy to update software and apply patches when needed
Extensibility – ability to add enhanced features such as requiring a pin to access the app
or using a single app for multiple accounts
Cons:
II.5 Phone Call
This method of 2FA calls the user once they have authenticated with their username and
password and reads the token to them. It is perhaps the most inconvenient method for the end
user, but it is a viable and common way of delivering dynamic tokens.
Pros:
Cons:
II.6 Biometric Verification
This method of 2FA is unique and different from the others we mentioned so far. Biometric
verification relies on the actual user being the token. A unique feature such as the
users fingerprints or retina is used to verify that the user is who they say they are.
Pros:
Cons:
III. Purpose, Needs, and Motivations for Two-Factor Authentication
III.1 Security
The strength of an authentication system is largely determined by the number of factors or
layers incorporated into it. While each authentication method has strengths and weaknesses,
systems that use two or more different factors are typically considered stronger than those that
use only one factor.
III.2 Compliance
Almost every organization has some level of local, state, and/or federal compliance to which
they must adhere. Many of these regulations specify that organizations must utilize 2FA under
certain circumstances, like when accessing particular types of data or connecting from certain
locations. There is pressure for organizations to maintain compliance in order to mitigate audit
findings and avoid potential fines and other penalties.
III.3 Usability
The key need regarding usability revolves around the notion that "passwords are dead." This
commonly heard phrase has two core meanings. First, people have too many passwords for
their devices and applications, personal and professional. Second, if you follow password best
practice and make each one different and complex, even most technical people struggle with
the task. Password managers and IAM systems with single sign-on significantly reduce
password-related headaches, but 2FA also opens opportunities to eliminate passwords
altogether by securely authenticating users via other methods, a significant motivator on the
usability front.
IV. Advantages of Two-Factor Authentication
IV.1 Improve Security
The primary benefit of two-factor authentication is that it provides additional security by adding
protection in layers. The more layers/factors in place, the lower the risk of an intruder gaining
access to critical systems and data.
IV.2 Achieve Compliance
A second benefit of two-factor authentication is being able to meet the compliance requirements
specific to an organization, which in turn mitigates audit findings and avoids potential fines.
IV.3 Increase Flexibility and Productivity
And finally, being able to remove the burden of passwords by replacing them with alternatives
has the potential to increase productivity and bring a better usability experience due to the
increased flexibility of factor types. In the right environment and situation, there could even be
an opportunity for a potential reduction in operational costs.
V. Disadvantages of Two-Factor Authentication
V.1 Factors can get lost
There is no certainty that your authentication factors will be available when you need them,
and once a factor is unavailable you are typically locked out of your account.
If you lose power or your phone is damaged by water, you will not be able to receive your SMS
codes as the second authentication factor. Relying on a USB key as a second factor is also risky:
it can easily be misplaced or accidentally run through the laundry. If you rely on factors like
PINs, there is always the chance that you forget them. Biometric factors like eyes and fingers
can be lost in accidents.
Most recently, victims of Hurricanes Harvey and Irma found themselves locked out of their
accounts because they had no way to charge their phones. Without the phone there is no second
factor, and without the second factor there is no access.
While account recovery is possible, it’s likely to be time-consuming and somewhat difficult.
Also, if you have a number of accounts protected with a single factor and you lose that, then
you’ll need to recover all of those.
V.2 False security
Two-factor authentication provides a level of security, but it is typically exaggerated. For
example, if you are locked out of a service because you lost a factor, you are in essentially the
same position as an attacker trying to gain access to your account. If you can reset your account
without the factor, then an attacker can too.
Recovery options typically contradict the point of two-factor authentication, which is why
companies like Apple have done away with them. However, without recovery options, your
account may be lost forever.
There are also services like PayPal that use two-factor authentication but don’t fully execute it.
The company offers a second factor called “PayPal Security Key,” but in 2014, it was able to be
completely bypassed with no effort.
In sum, this means that you can follow two-factor authentication and still have your account
breached.
V.3 It can be turned against users
While two-factor authentication is intended to keep attackers out of your account, the opposite
can happen: an attacker who gets in first can set up or reconfigure two-factor authentication to
keep you out of your own accounts.
Two-factor authentication may not be effective enough to secure your accounts, but it can also
be too effective if you are not careful. As services tighten their two-factor practices and make
account recovery more difficult, it is important to set up the authentication on your critical
accounts before an attacker does.
VI. Time-based variant of the OTP algorithm
In a typical two-factor authentication application, setup proceeds as follows. The user enters a
username and password into a website or other server; the server generates a secret key, which
the user enters into their TOTP application on a smartphone or other device (often by scanning
a QR code). To verify that the process worked, the application immediately generates a
one-time password to be checked by the server. On subsequent authentications the user enters
their username, password and the current one-time password. The server checks the username
and password as usual and then runs TOTP itself to verify the entered one-time password [5].
Because both sides derive the code from the shared secret and the current time step (30 seconds
by default in RFC 6238 [6]), the server must tolerate a little clock drift between itself and the
device, and it must not accept a second code for a time step it has already accepted.
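The enrolment and verification flow described above, together with the software-token generation of section II.4, as an added example. This is not code from the paper, from RFC 6238 or from Google Authenticator; it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library only. The helper names (`generate_secret`, `provisioning_uri`, `TotpVerifier`) are my own, and the account name, issuer and timestamp in `demo()` are constructed. The verifier accepts one time step either side of the server clock and rejects any code whose time step has already been accepted, which is the reuse check RFC 6238 requires.

```python
# Added example (not code from the paper, RFC 6238 or any authenticator app):
# RFC 6238 TOTP end to end. Enrolment (shared secret plus the otpauth URI that
# goes into the QR code), token generation (the client side of section II.4),
# and server-side verification with a clock-skew window and reuse protection.
# Standard library only; names such as TotpVerifier are my own.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # RFC 6238 default time step, in seconds
DIGITS = 6   # what most authenticator apps display; the RFC test vectors use 8


def generate_secret(nbytes: int = 20) -> bytes:
    """Server-side enrolment: a fresh random shared secret (160 bits for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that is encoded into the enrolment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS, digest=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step).
    This is what the authenticator app computes and displays."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side of the check in section VI. Accepts the current step plus or
    minus `window` steps (client clock drift, network delay) and refuses any
    step at or below the last one already accepted, so a sniffed or phished
    code cannot be replayed inside the validity window."""

    def __init__(self, secret: bytes, window: int = 1, digits: int = DIGITS, step: int = STEP):
        self.secret, self.window, self.digits, self.step = secret, window, digits, step
        self.last_step = -1  # persist this per user in a real deployment

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_step:        # already used (or older): reject
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):  # constant-time compare
                self.last_step = candidate
                return True
        return False


def demo() -> dict:
    """Enrolment, first login, a replay of the same code, and a client whose clock
    runs one step ahead, at a fixed (constructed) time so the outcome is reproducible."""
    secret = generate_secret()
    uri = provisioning_uri(secret, "alice@example.com", "Example")  # constructed names
    verifier = TotpVerifier(secret)
    now = 1_700_000_000                      # constructed timestamp
    code = totp(secret, now)                 # what the app would display
    return {
        "uri": uri,
        "first_login": verifier.verify(code, now),                        # accepted
        "replay": verifier.verify(code, now),                             # rejected: step reused
        "skewed_clock": verifier.verify(totp(secret, now + STEP), now),   # accepted: within window
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the enrolment URI and the three outcomes. `hotp` and `totp` reproduce the RFC 4226 and RFC 6238 test vectors for the ASCII secret `12345678901234567890` (for instance `totp(secret, 59, digits=8)` is `94287082`). The window also bounds an online attacker's guessing space: with 6 digits and three accepted steps a single guess succeeds with probability about 3 in 10^6, so the login endpoint still needs rate limiting.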
Reference
[1] N. Tellini and F. Vargas, "Two-Factor Authentication," 2017.
[2] "The Pros & Cons of Two Factor-Authentication | EOL IT Services." [Online]. Available: https://www.eolitservices.co.uk/2015/11/03/two-factor-authentication-pros-cons/. [Accessed: 04-May-2018].
[3] "Two Factor Authentication (2FA) - Auth0." [Online]. Available: https://auth0.com/learn/two-factor-authentication/. [Accessed: 05-May-2018].
[4] "3 disadvantages of two-factor authentication - Electronic Products." [Online]. Available: https://www.electronicproducts.com/Programming/Software/3_disadvantages_of_two_factor_authentication.aspx. [Accessed: 05-May-2018].
[5] Accessed from:
[6] "RFC 6238 - TOTP: Time-Based One-Time Password Algorithm." [Online]. Available: https://tools.ietf.org/html/rfc6238/. [Accessed: 05-May-2018].