Let’s talk about two-factor authentication. In today’s article we’ll discuss 2FA implementations in Android and Windows 10 Mobile.
Two-factor authentication is an additional step that is required to perform user identification. With two-factor authentication, a secondary authentication type is requested after the user signs in with their login and password. This serves to provide two-layer protection, and therefore protects more effectively against unauthorized account access.
The idea is very simple: in order to access your account, you need to confirm that you are actually you by supplying something you know and then using something you have. Two-factor protection is a sufficiently reliable barrier that seriously complicates an attacker's access to your data, much more so than when just a classical password is used. This method is also convenient because it can warn the owner of intrusion attempts. If you suddenly receive a message with a one-time code you never requested, you can tell that something fishy is probably going on and act quickly to secure your account (such as changing your password ASAP). It is very important to understand that a 2FA prompt is only delivered after someone has used your correct login and password, so if you received a prompt for a one-time password that you did not request, someone else already has your login and password.
Major developers of mobile operating systems (Apple, Google and Microsoft) have developed their own implementations of two-factor authentication to balance convenience and security. They achieved some very different results.
Apple has had some form of two-factor authentication since 2013. Initially, Apple used this only for protecting user data. It was called “two-step verification”, and today this type of protection is considered outdated. To better respond to online threats, the company developed a completely different scheme, this time called “two-factor authentication”.
Two-Factor Authentication and Time-based One-time Password Algorithm
Starting with iOS 9, Apple added the ability to generate verification codes offline. This is both more secure and more convenient, allowing users to generate authentication codes on trusted devices without network access. The new method can also prompt users on all their trusted devices if someone attempts to sign in to their account. Unfortunately, attackers can still bypass certain security measures.
Google’s experience is vast in this matter. In contrast to Apple, Google does not have full control over Android, which can be heavily modified by OEMs. However, the company has full control over the Google Play Services. Google offers a huge number of options to configure authentication. Unlike Apple, Google allows using non-Google devices for authentication.
In turn, Microsoft uses a somewhat unique approach to two-factor authentication. Even if the user does not want to use two-factor authentication, and does not set any secondary authentication methods, Microsoft may request additional confirmation in certain cases. If the user decides to enable the full protection provided by two-factor authentication, nothing will really change except that secondary verification will take place at every attempt to sign in to a Microsoft Account. It is interesting to note that Microsoft seems to be really serious about application-specific passwords; far more so than Google or Apple.
Passwords are not going away any time soon. Two-factor authentication is a great supplemental protection mechanism to complement password protection. Used together, passwords and two-factor authentication can be considered sufficient protection against modern threats. Major companies developed their own mechanisms for two-factor authentication. These mechanisms have their advantages and disadvantages, and there is no clear winner. Every company offers a choice of authentication options, catering to their own audience.
Special thanks to Oleg Afonin for his help.