2 Factor Authentication

  • Jon Hodl 
What Is 2 Factor Authentication?

2 Factor Authentication, or 2FA for short, is a method of adding a second layer of security to an account such as a social media profile, website, or computer.

The first “factor” of authentication is the password for an account. The second “factor” is a verification code obtained via a mobile device, computer app, or specialized hardware. In relation to Bitcoin, 2FA is typically used by exchanges and other custodial services to prevent scams, theft, and leaks of user information.

2FA comes in many forms. It can be SMS (text messages), email, smartphone apps, physical hardware, social media, biometrics, multiple digital signatures, and even the lightning network.

Why Is 2 Factor Authentication Important?

Since bitcoin transactions can’t be reversed, 2FA has been widely adopted by bitcoin exchanges and banks as a means of requiring a second layer of security for users to access their accounts. The second layer of security prevents hackers from accessing your account and stealing your bitcoin.

In order to prevent bad actors from gaining access to your bitcoin, 2FA has become widely implemented as an additional security measure.

Different Types Of 2FA

There are a number of different types of 2FA and they each have their own set of pros and cons. Some offer increased convenience but have a track record of being easy to compromise. Some may offer more security but may require you to provide some of your personal information. Others offer a purely technical solution but they are not as convenient as using a smartphone app. New methods are also being developed that use the lightning network for 2FA.

When deciding which sort of 2FA you will use, choosing the right balance of security, privacy, and convenience are all important.

SMS

SMS, also known as a text message, is a common form of 2FA but offers a low level of security, because phone numbers are relatively easy for hackers to take over. The attacker simply calls your phone provider and uses social engineering to convince a customer support representative to move your phone number to a SIM card they control. As soon as the SIM has been swapped, the hacker can access any service that is associated with your phone number.

Since SMS offers the least amount of security, it is generally best practice to avoid using it for any bitcoin-related services.

Email

Email authentication is another common form of 2FA. The most common application of email 2FA is when you sign up for a new service: as an anti-spam measure, you need to check your email and click a link as a second factor of authentication to verify that you are actually the owner of that email address.

Email 2FA is also often used as a measure to sign into a bitcoin exchange. When attempting to sign in, you may need to click on a link in your email in order to gain access to your account.

If an exchange detects suspicious activity on your account, it may require you to log in with a temporary password to verify that you’re the real owner of the account.

Social Media

Some social media sites will encourage you to enable some sort of 2FA in order to log in, but they can also be a form of 2FA themselves. If you have ever visited a website that asks if you would like to “Log In With Facebook” or “Sign In With Twitter”, you are being asked to use social media as a means of 2FA.

Oftentimes, when signing into social media accounts such as Facebook from a foreign country, you may be asked to identify photos of your friends to verify that you are the owner of your account. This is a sort of “social ID” 2FA.

Biometric

Biometric 2FA, such as a fingerprint scan or facial recognition ID, is becoming more popular as a means of proving identification, although it is not the most secure method, because biometric matching is by design approximate rather than exact.

If you use facial recognition to unlock your phone or computer, your face may appear different depending on the lighting or whether you have facial hair or cosmetics on. Biometrics will unlock your smartphone if it identifies a near-perfect match of your fingerprints or face rather than an absolute perfect match. Due to these imperfections, biometrics are best used as a username and not as a password.

Time-Based One Time Password (TOTP)

Time-Based One-Time Password apps, TOTP for short, are probably the most common form of 2FA across the internet since they are usually free mobile app downloads that offer a nice balance of ease of use and security.

In order to secure an account with one of these TOTP apps, you first need to pair your TOTP app with the service you are securing by scanning a QR code. In order to access your account with TOTP, you will need to enter a short time-based one-time password that expires after approximately 20-30 seconds. If your code matches exactly, you have proven that you have access to the TOTP app and are granted access to your account.

These apps are probably the most common method of 2FA since they offer a reasonable balance of security, privacy, and convenience.
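To make the pairing and verification steps concrete, here is an added example (not code from the original post) of how a service generates and checks TOTP codes. It follows RFC 6238 with a 30-second step and 6-digit codes, which is what common authenticator apps use; the `otpauth://` URI is what the enrolment QR code encodes. The issuer and account labels are hypothetical, and the only fixed secret is the RFC 6238 test-vector key, used so the output can be checked.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per window (RFC 6238 default; the "20-30 seconds" the post mentions)
DIGITS = 6       # length of the one-time code


def generate_secret(nbytes: int = 20) -> str:
    """Create a fresh shared secret at enrolment time, Base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI the enrolment QR code carries (labels are hypothetical)."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)          # restore Base32 padding
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[float] = None,
                window: int = 1, last_accepted: Optional[int] = None) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the current window plus `window` steps either side to tolerate clock drift.
    Returns the counter that matched (the caller stores it as `last_accepted`) or None.
    A counter at or below `last_accepted` is refused so a captured code cannot be replayed
    inside its own validity window.
    """
    t = int(time.time() if at is None else at)
    counter = t // TIME_STEP
    for skew in range(-window, window + 1):
        candidate = counter + skew
        if last_accepted is not None and candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate), submitted):
            return candidate
    return None


# RFC 6238 Appendix B test-vector key ("12345678901234567890" in ASCII), not a real secret.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print(provisioning_uri(generate_secret(), "alice@example.com", "ExampleExchange"))
    print(totp(RFC_SECRET_B32, at=59))            # 287082 per the RFC test vectors
    print(verify_totp(RFC_SECRET_B32, "287082", at=59))
```

Two details matter for a service implementing this: codes are compared with `hmac.compare_digest` rather than `==`, and the accepted counter is remembered so the same code is not accepted twice within its window.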

TOTP Backup Codes

When you sign up for popular TOTP services such as Google Authenticator, Authy, or LastPass, they may provide you with some backup codes often called “scratch codes”. In the event that your device is somehow lost, stolen, damaged, or just replaced, you have the means to recover your 2FA app on a new device.
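The following is an added example (not from the original post or any of the apps it names) of how a service can issue and redeem such backup codes. The design choices are the ones a practitioner would expect: codes are random, shown to the user exactly once, stored only as salted hashes, and each code can be redeemed a single time. The alphabet and code length are constructed choices, and the PBKDF2 iteration count is kept low for the sake of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed alphabet: lowercase letters and digits minus look-alikes (0/o, 1/l/i).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10          # ~49 bits of entropy per code
PBKDF2_ROUNDS = 20_000    # deliberately modest here; raise it (or use a memory-hard KDF) in production


def _hash_code(code: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a code; the plaintext code is never persisted."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ROUNDS)


def _normalize(code: str) -> str:
    """Strip the display formatting (dashes, spaces, case) before hashing."""
    return code.replace("-", "").replace(" ", "").lower()


def generate_backup_codes(count: int = 8) -> Tuple[List[str], List[Dict]]:
    """Return (codes to show the user once, records to store server-side)."""
    display, stored = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        display.append(f"{raw[:5]}-{raw[5:]}")      # grouped for easier transcription
        stored.append({"salt": salt, "hash": _hash_code(raw, salt), "used": False})
    return display, stored


def redeem_backup_code(submitted: str, stored: List[Dict]) -> bool:
    """Consume a code if it matches an unused record; every code works at most once."""
    candidate = _normalize(submitted)
    for record in stored:
        if record["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, record["salt"]), record["hash"]):
            record["used"] = True
            return True
    return False


def remaining_codes(stored: List[Dict]) -> int:
    """How many codes are still unused, so the user can be prompted to regenerate."""
    return sum(1 for record in stored if not record["used"])


if __name__ == "__main__":
    codes, records = generate_backup_codes()
    print("Show these once and never again:", codes)
    print(redeem_backup_code(codes[0], records))   # True
    print(redeem_backup_code(codes[0], records))   # False: already consumed
    print(remaining_codes(records))                # 7
```

Because a backup code bypasses the authenticator app entirely, it should be treated exactly like the second factor it replaces: rate-limit redemption attempts, and invalidate the whole set when the user enrols a new device.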

FIDO U2F Keys

FIDO U2F stands for Fast IDentity Online Universal 2nd Factor, and it is becoming a more common means of 2FA online. Rather than relying on an app from a centralized third-party service that is online, FIDO aims to provide 2FA security with a dedicated hardware device that isn’t capable of accessing the internet by itself.

FIDO U2F is usually a small USB device that needs to be plugged in to generate the 2FA response and then access the account. Without the device you will be unable to access the account, so while these offer the highest level of security, they also require a higher level of technical understanding.

FIDO can sometimes even be considered a third layer of authentication since it uses an app but that app requires an additional physical device in order for the app to generate an authentication code.

Multiple Signature Authentication

All of the above methods rely on third-party apps and devices, but what about simply using multiple signatures to prevent your bitcoins from being compromised? MultiSig addresses were one of the first security measures used in the bitcoin space, and to this day they are still very common. As hackers and scammers continue to use increasingly sophisticated attacks against bitcoin users, multisig is growing in popularity as a means of protecting bitcoin.

lnurl-auth

LNURL Auth is a new method of authentication that is being built using the lightning network. Rather than relying on a third party to authenticate, lnurl-auth is a way to use your lightning wallet to verify that you are the owner of an account. In fact, lnurl-auth can act as the entire login for an account, so there is no need for either a username or a password. If a site offers the ability to log in with lnurl-auth, all you need to do is pair your account with your wallet and then scan a QR code to log in each time.

Since lnurl-auth is in its infancy, not many services are using it as a means to authenticate yet, but as the bitcoin ecosystem continues to grow, we are likely to see more services using bitcoin-native protocols for 2FA instead of needing to trust third-party services.