Two-factor authentication #2FA

In this article we address two-factor authentication and why it is strongly recommended on exchanges.

The first factor, common on many sites, is entering a username and password. Password protection is usually strengthened by requiring complex passwords and by locking the account after a set number of failed attempts. Both measures counter brute-force attacks, in which a program tries to guess the password by making a very large number of attempts.

But there is a type of attack that makes relying on this factor alone unsafe: the man in the middle. Put simply, there are ways to intercept the user's username and password (e.g. malware on the computer) and reuse them later. The second factor exists to address this problem.

The OTP (one-time password) via SMS, a code delivered by text message and usable only once, is a second factor offered by many exchanges (e.g. Coinbase). Its strength comes from the fact that the OTP received via SMS can be used only once and becomes unusable after a few tens of seconds.

The problem with this second factor is that on current smartphones several applications hold permission to read text messages. Combined with username and password it is certainly safer, but it does not completely eliminate the man-in-the-middle problem.

A more secure second factor is an OTP generated directly on a device, such as the one provided by Google Authenticator. In this case the OTP is generated inside an application on the device, where only the user can read it. Here too the code expires after a few tens of seconds.

With Google Authenticator the man-in-the-middle problem is still not completely eliminated, because the OTP must be typed and travel over the internet, but the risk is greatly reduced: the attacker must intercept the OTP while it is typed (or while it is sent over the internet) and use it quickly, before it expires or is consumed by the user. The time available to the attacker to steal the OTP and use it in place of the user therefore becomes very small.

In the context of trading, these second factors are usually required only when logging in or transferring funds out of the exchange. To avoid slowing down trading, they are not required for individual trades.

In the banking sector, to reduce or almost eliminate the man-in-the-middle problem, the European regulation #PSD2 is introducing an even more secure second factor: signing the transaction.

With transaction signing, the generated code is bound to the single transaction and cannot be used for a different one, even if intercepted. So if I generate a code for moving 1 BTC to wallet A, even an attacker who intercepts that code cannot use it to move 1 BTC to wallet B. It is therefore much safer.
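As an added illustration (not part of the original article), the following Python sketches both mechanisms: an RFC 6238 TOTP of the kind Google Authenticator produces, whose code changes every 30-second step, and a code bound to one transaction's fields, so that a code generated for 1 BTC to wallet A does not verify for 1 BTC to wallet B. The transaction-binding construction (deriving a per-transaction key from the shared secret and the canonical transaction fields) is a simplification for teaching purposes, not the PSD2 or any bank's actual protocol; the secret, timestamp and wallet names are constructed demo values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch,
    which is why a code becomes worthless after a few tens of seconds."""
    return hotp(secret, at // step, digits)


def canonical_tx(tx: dict) -> bytes:
    """Fixed field order so signer and verifier hash exactly the same bytes."""
    return f"{tx['amount']}|{tx['asset']}|{tx['destination']}".encode()


def transaction_code(secret: bytes, tx: dict, at: int, step: int = 30, digits: int = 6) -> str:
    """Transaction-bound OTP (simplified illustration, not a real bank protocol):
    derive a per-transaction key from the shared secret and the transaction fields,
    then run TOTP with that key. A code for one destination means nothing for another."""
    tx_key = hmac.new(secret, canonical_tx(tx), hashlib.sha256).digest()
    return totp(tx_key, at, step, digits)


def verify_transaction_code(secret: bytes, tx: dict, code: str, at: int,
                            step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: recompute the code for the transaction actually being executed,
    tolerate one step of clock skew either way, and compare in constant time."""
    return any(
        hmac.compare_digest(transaction_code(secret, tx, at + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed demo secret (the RFC 6238 test key)
    now = 1_700_000_000                # constructed timestamp
    tx_a = {"amount": "1", "asset": "BTC", "destination": "wallet-A"}  # constructed
    tx_b = {"amount": "1", "asset": "BTC", "destination": "wallet-B"}  # constructed
    code_a = transaction_code(secret, tx_a, now)
    print("plain TOTP now:", totp(secret, now), " 60 s later:", totp(secret, now + 60))
    print("code for A accepted for A:", verify_transaction_code(secret, tx_a, code_a, now))
    print("code for A accepted for B:", verify_transaction_code(secret, tx_b, code_a, now))
```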