Two Factor Authentication – Hardware vs Software

Photo by NeONBRAND on Unsplash

Two factor authentication (2FA) is a type of multi-factor authentication that allows users to secure any type of account using a second authentication apart from the regular password protection. 2FA has been around for a long time and received mixed reaction from security researchers.

With growing number of internet and smart device users it is becoming increasingly important to take 2FA seriously. Let’s take a quick look at types of 2FA, which I have separated into hardware and software depending on where the second authentication code comes from.

Software 2FA:

Software 2FA (S2FA) is straightforward. Any website which supports S2FA will first walk user through account creation which requires password (first authentication). Then it will provide three options: First : Register cell number in order to receive unique code via SMS or a phone call whenever a login attempt is made. Only after entering this unique code user can access the account. Second : Application will ask user to install smartphone app like Duo Security or Google Authenticator. Using the app scan the QR code shown on screen and this will register account with the app. On every login attempt this app will generate an unique code that needs to be entered after password authentication. This works even without internet connection. Third : Skip both the options and have only single authentication mode i.e. password.

If the user has S2FA and doesn’t have cell network or smartphone with him/her during login attempt, then backup codes can be used.

These codes can be generated using account settings. Each backup up code expires as soon as it is used. For best practice, always generate and save new ones as soon as first one is used.

Below video explains above scenario:

Pros of S2FA: Protects account from hackers. Allows users to trust the website or application providing such service.

Cons of S2FA: I personally think S2FA is very complex process for people who aren’t good with computers. For Android devices SMS based 2FA (the easiest to setup for anyone irrespective of age or fluency in using smart devices) is most vulnerable due to the Android feature that lets any application read SMS stored in the messaging app. Thus allowing hackers a backdoor to these SMS codes. Most likely this is the reason why banks don’t trust this option.



Hardware 2FA:

Hardware 2FA (H2FA) is very similar to S2FA, however the 2FA is generated using a hardware rather than a software.

There different ways to setup H2FA: First : Many laptops for long have provided finger print reader option. If fingerprint reader is available, then for the account with this feature user can register biometric to login as 2FA. This isn’t widely used for online websites, but mostly for logging into hardware devices like smartphone or PCs. Second : From laptops to smartphones we have high resolution cameras. Many companies provide APIs that developers can use to access cameras as 2FA. For Apple devices there is Face ID. Microsoft provides Windows Hello. Face recognition for Android is under development. This option uses face as 2FA with help of camera. Third : Security key is a piece of hardware that has electronic chip which has unique code inbuilt. Any application that supports 2FA using a security key will look for the registered key. If the key is found in USB port or via Bluetooth connection, then user will be allowed to access the application. Google strongly supports this option for enterprise based on their in house research.

If H2FA is setup and user doesn’t have access to 2FA devices, there is an option to use S2FA. Application for sure will force user to setup S2FA as a backup during H2FA setup.

Pros of H2FA: Must more robust than S2FA. Difficult to fish user as the hardware device has to be nearby.

Cons of H2FA: Costly for regular user. Many dislike carrying another hardware even though it can act as key chain.



Future of 2FA:

I am in strong favor of H2FA. Instead of having to carry another piece of hardware, I would prefer if these keys can somehow find place in motherboard. This way applications can access and register keys using APIs. I understand this will not allow portability, but this idea can be improved.

Face ID is really good along with Windows Hello. With Google gearing up to bring face recognition to Android, it is fair to say that this is going to be the de-facto in near future when it comes to S2FA.