When you sign up for an online service it’s always wise to enable Two-Factor Authentication (2FA) when available. Sadly it’s not always an option and we are all too often left reusing weak passwords, as is human nature. However, if 2FA is available, you should use it, no exceptions; that is a no-brainer. We should all be adding that extra layer of security to our personal data and hard-earned cash/cryptocurrency.
So what are the options?
Most online services commonly give one of the following 2FA options to protect your accounts:
– Email/SMS one-time codes
– Google Authenticator/Authy (Time-based One-Time Password or TOTP)
– Universal Second Factor (U2F) such as Yubikey or Google Titan
So let’s have a look at these options and what they offer:
First up is email/SMS. You can argue that email and SMS 2FA is better than using no 2FA at all, and it is another layer that an attacker has to bypass, but overall they are pretty bad as a secure option. It is all too easy for a hacker to intercept unencrypted email, and the 2FA code has to be sent in plain text.
SMS has been shown to be easily bypassed by SIM swapping.
Really these should be viewed as an inconvenience for a determined hacker who may choose an easier target. It should not be seen as an ideal security measure if you want to protect your accounts.
Google Authenticator/Authy (TOTP)
Available on most online services that care about the security of their customers’ data, this is the most secure and commonly available 2FA option.
When you enable 2FA on an account the online service will provide a shared secret to the app, usually via a QR code. This secret is stored in the Google (or Authy) Authenticator app and is used for all future logins to the site.
During future logins, the user enters their username and password, at which point they are asked for a Time-based One-time Password (TOTP) from the Authenticator app. This code is based on the shared secret and the current time.
The server that you are accessing has the same secret and generates the exact same code at the same time, allowing access to the service.
To hack the account the attacker would need to know the shared secret key, or have physical access to the device running the Authenticator app.
TOTP does provide a much higher level of security than email/SMS 2FA, and it is recommended that you use it where available, but there is a big issue with the system.
Say a company system is breached and a hacker gains access to the shared secret database; they then have a way to copy the shared secret for every user on the system. You might think this can’t be a problem because the shared secret is hashed, but it isn’t: in order to calculate the TOTP code, the server has to store the shared secrets in plain text.
Universal Second Factor (U2F)
Touted as one of the most secure versions of 2FA, U2F uses public key cryptography to verify your identity. This means that, unlike TOTP, the secret, or private key, is stored on the device and only the public key is stored on the server. So even if a hacker gains access to the database, they only have access to a public key, and that is useless by itself.
You can back up your private key in traditional U2F systems and so not lose access in the event of an issue. However, the biggest problem with commercial U2F implementations, such as Yubikey or Google Titan, is that if you lose it that’s it: you need to reset all your accounts and get a new key.
It should also be added that whilst traditional authenticator apps are free (at least to the end user), U2F keys are expensive. The Google Titan key costs $50 per user and isn’t available outside the US.
So what does a 2FA system built on the Hydro Raindrop Authentication Protocols bring to the table that the above systems don’t?
Essentially Hydro allows developers to build a 2FA system that combines the best features of traditional authentication apps and U2F systems, with added benefits.
– Hydro based authentication systems use public key cryptography to store a secret (private key) on the user’s device, instead of having a plain text TOTP secret on both the device and the server. This means that should a database be breached the hacker cannot gain access to individual accounts.
– As the protocols are open source anyone can build an authentication app on top at no cost.
There is some cost associated with setting up a HydroID and staking of Hydro required by the creator of the app, but this is small in comparison to implementing traditional 2FA systems, and free to the end user, unlike key based systems.
– It can be built for use on devices such as smartphones that users already own, meaning that users don’t need another physical item that can be lost, stolen, or misplaced. This has the added benefit of being behind the security of the phone login/encryption, rather than being used at the push of a button as U2F keys are.
– Unlike traditional 2FA and Yubikey/Google Titan, a HydroID can be regenerated by a user who has stored their seed words carefully. Lose your phone? No problem, just regenerate your HydroID and regain access to your accounts.
– It can be incorporated into any system. Have a cryptocurrency exchange with an app? Why not get rid of third-party solutions entirely, build Hydro 2FA directly into the app, and have your own app authenticate users?
– You can also build Hydro authentication directly into a company server. For example, if an exchange wants to protect their database, they can build Hydro Raindrop on the server-side, and require an on-chain micro-transaction before granting access to a system.
There is one commonly asked question that needs to be cleared up. Hydro Raindrop does not make a transaction with every authentication. The only transaction is during the initial creation of a HydroID. After that, systems only need to read from the public blockchain, a fast and free process that leaves no footprint.
As you can see, the Hydro Raindrop Authentication protocols have all the benefits of traditional 2FA and U2F, plus more. It’s simple: if you want increased security then you want to build on Hydro.
If you want to see an example of a 2FA implementation built on top of the Hydro Protocols, you can look no further than the Hydro App from Hydrogen API.