2020-05-06

One of the pillars of the security of our online accounts is two-factor authentication. Those codes that are sent to our phone when we sign in to a service hide more complexity than they seem to, and they can greatly enhance the security of our accounts.

What is two-factor authentication

When we create an account in a service we need at least two things: an identifier and a password. The identifier is often an email address, although in other cases it is an alias, our name or even our DNI (national ID number).

When we log in to a service, the first thing we enter is the identifier so that the service can recognize us. Then we enter the password, which is secret and known only to us, to prove to the service that we are indeed who we say we are.

So far the system seems to work perfectly, but what happens when the password is leaked or stolen? The account becomes vulnerable. Today, security breaches at different companies that expose their customers' passwords are becoming more common. Whether due to oversights or attacks, it is clear that passwords by themselves do not provide sufficient protection for the most sensitive accounts, and this is where two-factor authentication comes in.

Two-factor authentication, as the name implies, uses two factors: the password and a random code that is generated from time to time and that, again, only we possess. We can picture the system as a door with two locks: we need both keys to enter, so if one of them is lost or someone obtains it, access to the account remains protected.

Code security

Each service offers a different variation of two-factor authentication. Some services ask us for a phone number when we register and send us the code by SMS, others use an app built by the company itself to deliver the code, and others rely on open standards so that we can use whichever code-generation app we prefer. These solutions differ markedly in terms of security.

Sending the code by SMS is, without a doubt, the least secure way to authenticate us. Someone holding another person's DNI can call the operator and, with relative ease, activate a duplicate of the SIM card and start receiving the codes, or someone with access to the phone can simply read the code on the screen.

Apps built specifically by one company, although secure, have two weak points. The first is convenience: if we end up with as many apps as accounts on our phones, we will probably prefer not to use two-factor authentication at all because it is simply not comfortable. The second is that customized, closed solutions cannot be properly audited to verify that they work as they should.

Finally, code-generation apps such as 1Password offer the ideal combination of security and convenience, although they also involve some risks. So much so that it is rumored that in iOS 14 Apple could add the ability to generate two-factor codes directly in the system.
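The open standard behind the interchangeable code-generation apps mentioned above is TOTP (RFC 6238, built on HOTP, RFC 4226), which the article does not name. The following Python is an added example, not code from the article or from any product it mentions; all function names are my own. It shows how a service derives and checks the time-based code, and then how the two locks described earlier combine into a single login check. The secret is the RFC 4226 test key, and the account record and password-hashing parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 4226 test key "12345678901234567890",
# base32-encoded as an authenticator app would store it. A real service
# generates a fresh one per account, e.g. base64.b32encode(secrets.token_bytes(20)).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    if now is None:
        now = int(time.time())
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift
    between phone and server; compare in constant time so a timing difference does
    not reveal how many digits matched."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False  # malformed input, not a secret-dependent decision
    if now is None:
        now = int(time.time())
    accepted = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret_b32, now // step + drift, digits)
        # No early return: the loop's timing stays independent of which step matched.
        accepted |= hmac.compare_digest(candidate, submitted)
    return accepted


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; iteration count is constructed for the example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def make_account(password: str, totp_secret_b32: str) -> dict:
    """Constructed account record: what the service stores after enrolment."""
    salt, digest = hash_password(password)
    return {"salt": salt, "password_hash": digest, "totp_secret": totp_secret_b32}


def login(account: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """The door with two locks: both the password and the code must check out.
    Both factors are always evaluated, so the response does not tell the caller
    which one failed."""
    _, digest = hash_password(password, account["salt"])
    password_ok = hmac.compare_digest(digest, account["password_hash"])
    code_ok = verify_totp(account["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    account = make_account("correct horse battery staple", EXAMPLE_SECRET_B32)
    # RFC 6238 SHA-1 test vector: at Unix time 59 the 6-digit code is 287082.
    print(totp(EXAMPLE_SECRET_B32, now=59))                                  # 287082
    print(login(account, "correct horse battery staple", "287082", now=59))  # True
    print(login(account, "wrong password", "287082", now=59))                # False
```

The one-step window on either side is what lets a phone whose clock drifts by a few seconds still log in; widening it much further, or skipping the constant-time comparison, weakens the second lock without any gain in convenience.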

How Apple's two-factor authentication works

With our Apple ID, the two-factor authentication verification codes are displayed directly on the screen of our trusted devices, those on which we have signed in with our Apple ID. Thanks to this system, Apple never has to rely on third-party platforms, and can therefore guarantee a higher degree of security than other solutions.

In addition, thanks to the integration of the system with the devices, the codes arrive as a notification just when we need them, an added convenience that saves us from having to open a specific app and search for the code in question when we want to log in.

From a security point of view, accessing someone else's Apple ID would require an attacker to know the account password, have access to a device owned by the holder of that Apple ID, and also be able to unlock it. Remember that this security function is handled by the Secure Enclave, so malware on a device would not be able to obtain or generate any code. With all this, the actual probability of unauthorized access is very close to 0.

Two-factor authentication, whether from Apple or from other services, provides our accounts with a great deal of security in a very simple way. And although it does not replace long, robust passwords, nor the golden rule of using a unique password for each service, it is highly recommended to enable it on every account that allows it. In a future article we will see how to enable it on our Apple ID, how to use it, and various recommendations for its proper use.