User:Mogg/Multi-factor authentication

Multi-factor authentication, which includes two-factor authentication, or 2FA, allows users to prove their identities to web applications in a secure way.

Typically your password is one factor. However, passwords alone are inherently weak and are insufficient to protect financial accounts that are accessible online. For multi-factor authentication, at least one other factor is needed to add sufficient protection.

SMS (Short Message Service)
Often when you log into an account, the service provider sends an SMS code to the phone on record. Once you receive the SMS code and enter it into the application, you are authenticated.

This factor is prone to attacks such as SIM swaps, where an attacker uses social engineering to convince a victim's mobile provider that they are the victim, and then ports the real victim's phone number to a phone controlled by the attacker.

One-time password
A computer algorithm can generate a one-time password based on secret information from the user and the current time. The algorithm runs on the user's personal device, such as a phone. The password generally changes once every 30 seconds. When authenticating, the user enters the one-time password into the application.

This factor is more secure than SMS since the one-time password is typically only available on a single physical device. In order to attack this algorithm, the attacker must have access to the physical device.

Examples:
 * Symantec VIP
 * Google Authenticator
 * Microsoft Authenticator

Use Google Authenticator instead of Symantec VIP
Rather than installing yet another application on your mobile device, it is possible to generate Symantec VIP style tokens using Google Authenticator.


 * python-vipaccess, an implementation of Symantec's VIP Access application and protocol.
 * Replacing Symantec VIP with a generic TOTP app, explanation of how to use python-vipaccess.