As always, before talking about anything, we will try to understand what two-step authentication is, how they have done it on Twitter and how it differs from what other services such as Google have implemented.
The foundation of two-step authentication: something you have plus something you know
When we enter a service with our username and password, we are using two pieces of information that in theory only we know. The question is, what happens if someone else guesses our username and password?
To avoid that scenario, we add another factor to be able to enter: something that we have. In the case of Twitter, what we have is the mobile, ours and that nobody else touches (in theory). In other cases, like banking, a physical token is used.
Be that as it may, the idea is always the same: add one more verification that it is you and not a thug who is accessing your account. To do this, the service checks that you really have something (mobile, token) that only you should have.
The “standard” way to implement two-step authentication: TOTP
Well, we said that the basis of two-step authentication is to verify that you have the piece of the puzzle (usually the mobile) that only you, the legitimate user, can have. How to do this check?
The easiest thing is what Twitter has done: they send you a code on your mobile and ask you to put it on the website. Only your mobile will receive the text message, so if you have entered the code correctly, you have the mobile and therefore you are not a crook.
However, that is more expensive (you have to send the message) and it does not work with all operators. There is another option, somewhat more complex, called TOTP: Time-based One Time Password, or one-time password based on time.
As the name suggests, it is a password that can only be used once, and it changes over time. How does it work?
The first thing is the initial configuration. The server chooses a number, which we will call the key, and which will be the basis for all the passwords generated. That key is transmitted to the application on your phone, where it will be saved.
Now it is the turn to enter the service. The server asks for your second authentication code, so you open your mobile application. At that time the code is calculated. To do this, the application takes the key and the current date and time combines them and outputs the code you need.
Since the code is only stored in your application and on the server, only you can generate the password and only the server can tell if it is correct and, therefore, if you are the legitimate user or not.
Now, what I have told you is a simplified version. Some aspects need to be completed so that everything is safe and easy to use.
For example, how do we transmit the key? Easy: it is in the QR code that you are asked to scan when you configure the application for the first time. In addition, to ensure that you have received it correctly, you are asked for the authentication code. If it’s correct, everything is set up without a hitch, and two-step authentication can be activated on your account.
Another aspect to consider: how are the key and the current time combined? If we do it wrong, someone who saw one of those authentication codes could remove the key and generate the rest, leaving our protection useless.
A hash function is used to extract the code, which when passing a message returns a kind of “fingerprint” of that message, a unique identifier (theoretically). Also, that fingerprint is irreversible: if you have the fingerprint, it is (again, theoretically) impossible to know what the message that generated it is.
The process is as follows: the password and the current date and time are combined in such a way that we get a number. Using the SHA1 algorithm we extract its hash code, which is the code that we give to the server to identify ourselves. In this way, it is verified that it is us (only with the key we could generate the correct hash ) and there is no possibility of recovering the original key.
And one last detail: when calculating the code, the exact date and time are not used, but the number of 30-second blocks is counted. This way you have time to enter it with enough margin so that it does not expire.
Advantages and disadvantages of two-step authentication
Once we have the operation clear, why use two-step authentication? What are its advantages and disadvantages?
Most immediately, two-step authentication greatly increases the security of our accounts. Even if your password is not secure and has been guessed, if you have two-step authentication, no one but you will be able to log into your account.
Against it are the possible discomforts that this causes, but if done right it is only a minor annoyance. Most services allow us to specify trustworthy computers so that we do not have to search for the mobile phone whenever we enter, so we only have to enter the code once.
The biggest disadvantage is what happens when we lose our mobile. In Google, for example, you have alternative single-use codes that you can use if you don’t have your mobile. In more extreme cases, such as Microsoft accounts, you will have to wait 30 days to recover your account with the rest of the security information.
Another drawback to consider is how we manage third-party applications that access our account. Since they cannot enter the authentication codes, special application passwords must be created. They are passwords that Google, Microsoft or whoever automatically generates, and that are only valid for a specific application. This way you do not reveal your original password or your authentication codes.
Anyway, this point will cause fewer and fewer problems. Many services (Twitter, Facebook, Google) use OAuth, a different protocol to access your accounts that consists of giving permission to each application. This way, you don’t have to worry about passwords or authentication codes.
In conclusion, I would recommend turning on two-step authentication whenever you can. It is one more layer of security and it will probably save you some scare with your accounts. Upset? Yes, it is a bit more complex than just username and password, but I think the advantages far outweigh the disadvantages.