Important note of Jul 10, 2021: this article was originally published in 2017. The grammatical errors are intentionally left unfixed, and the article itself is republished for historical reasons.
Classic computer-science authentication methods can be assigned to three categories: key-sequence checkers, key-item presence checkers, and identity analysers. In layman’s terms, a computer security system should check what you know, what you have, and who you are. The old login-password method is the typical “what you know” method. Access-card systems belong to the “what you have” category, and the advanced authentication methods you may have seen in sci-fi movies, such as iris scanners, voice analysers, and fingerprint scanners, can be classified as “who you are” systems, which obviously ensure the most secure detection.
Traditional login-password authenticators have been around for years. The first personal computers and text terminals both had authentication mechanisms, and those mechanisms were login-password checkers. Early implementations simply checked whether the raw passwords were the same strings, but that had a disadvantage: as long as the original password was stored as a raw string, it could be stolen. Engineers applied checksums to solve that problem. With MD5 or SHA, you can store the checksum instead of the original password. The checksum itself is useless to a thief because there is no way to restore the original password from it. Nowadays hashing is used everywhere to ensure a basic level of security.
The internet changed it all. In the past only your OS asked you for a password; today every website does. With the growth of infrastructure, spambots appeared. Developers responded with email verification and reCAPTCHA, but when the security of an online operation truly needs to be ensured, two-factor authentication can help. Two-factor authentication works like this: the system asks you to enter your credentials, you enter them, and then the system asks you for a special code that is delivered via SMS or some other way to your smartphone. This kind of authentication is widely used in online banking, e-commerce, and corporate information systems because it is simply more secure: the bad guys cannot log in even if they have stolen your password.
Summing up, developers of authentication systems design them to be secure enough yet not annoying or too complicated, and from the point of view of computer science that balance lies in making authentication as close to the “who you are” model as possible. Modern smartphones do not come with a built-in iris scanner, so engineers have to implement the “who you are” model in another way.
Typical two-factor authentication works via SMS codes. But let’s take a look at two different, more advanced ways of doing it: the Apple way and the Google way. Google’s two-factor authentication needs your Android smartphone and your Google account to be operational. It works offline: a special built-in app runs on your smartphone as a background process, collecting data such as the current time setting, your actions, the apps installed, the Wi-Fi networks you have logged into, and more. Using this data the app creates a special key sequence, which is synchronised with Google’s servers every time your smartphone establishes an internet connection. When an online service requires you to enter the two-factor authentication key, you open the Google app and enter the code shown on the display. The code is always up to date and works even if your phone is out of service and unable to go online or receive SMS.
Apple uses special hardware to authenticate users: the TouchID, a modern and cheap high-precision fingerprint scanner built into the iPhone. The usage is obvious: when you need to authorise, you just take your phone and touch the scanner. Two-factor authentication seems secure from the engineer’s point of view, but the human factor ruins everything as usual. An ordinary person can be tricked into sending thieves a two-factor key delivered via SMS. Thus, the more advanced ways of authentication such as Google’s or Apple’s should be established as the industry standard.
Thesis: two-factor authentication is an effective enhancement of the traditional login-password method, but it is still not perfect.