What is 2FA?
Two Factor Authentication (2FA), sometimes called two-step verification or multi-factor authentication (MFA), is an authentication process in which the user has to present two independent factors in order to gain access to a resource.
Two-factor authentication (2FA) validates a user's identity with a password plus an additional layer of authentication such as a security token or a biometric factor. miniOrange provides 15+ authentication methods to fit every need. OTP over SMS and Email, Mobile Authentication and Phone Verification are some of our popular
Passwords are everywhere: we use them to access our money, our communication, and even our social lives. At first we used one password for everything, but that wasn't good enough, so we started making our passwords more complicated with a combination of numbers, uppercase/lowercase letters and even special characters.
Some people even use password managers to organize dozens or hundreds of unique passwords. But no matter how complex your password or your password management system is, it is never enough to prevent account takeover, because all it takes is one simple phishing email or one database breach and your password is out in the world. So, if passwords are impossible to protect, how do you protect your account?
That's where two-factor authentication comes in. Two Factor Authentication, or 2FA, adds a second method of identity verification in order to secure your accounts:
- Something you know – your username and password.
- Something unique that you have – your phone or your fingerprint.
By combining your username and password with the second method, your access becomes more secure and impossible for an attacker to pass even if they have your password.
How does Two Factor Authentication (2FA) work?
The most common 2FA systems use a unique One Time Passcode, commonly known as an OTP, for every login attempt you make. This OTP is tied to your account and is generated by an authenticator app on a smartphone or sent to you by SMS or email.
miniOrange also provides a more modern and secure form of 2FA: a "push notification" on your smartphone. A push notification is sent to your registered smartphone, and in order to gain access to your account you have to approve that notification.
The authentication process using Two Factor Authentication (2FA) takes place in the following steps:
- The user navigates to the application login page, for instance www.example.com/login.
- The user enters a username and password. This is called the first factor of authentication. When the user submits the login credentials, the application checks whether the user exists in the database and whether the credentials match.
- If the credentials match, the second factor of authentication is shown to the user, e.g. a pop-up asking for the OTP sent over SMS/Email.
- When the user submits the second factor (an OTP or a push notification approval), the server checks it against its records to confirm that the second factor is correct.
- After successfully completing the second factor, the user is granted access to the system.
Two Factor Authentication (2FA) Methods
miniOrange supports a variety of methods for Two Factor Authentication (2FA). We support the following authentication methods, which ensure secure access to your site:
- OTP Over SMS
- Out of Band SMS
- Google Authenticator
- Mobile Authentication
- Push Notification
- Soft Token
- OTP Over Email
- Out of band email
- Display Hardware token
- Yubikey hardware token
- Security Questions
- Phone verification
- Voice verification
Two Factor Authentication (2FA) Use Cases
There are multiple use cases where two-factor authentication is applied. miniOrange provides solutions for several of them; three examples are Two Factor Authentication (2FA) for VPN login, Two Factor Authentication (2FA) for Stripe, and Two Factor Authentication (2FA) for Office 365 using Yubikey.
- Two Factor Authentication (2FA) for VPN login:
miniOrange provides Two Factor Authentication (2FA) on top of VPN authentication. This secures access to protected resources instead of relying only on the VPN username and password. To accomplish this, miniOrange uses the RADIUS protocol.
RADIUS stands for Remote Authentication Dial-In User Service. It is a client/server protocol that provides client authentication and authorization.
The RADIUS server is responsible for authenticating users, while RADIUS clients are Network Access Servers (NAS): they forward the user's credentials to the RADIUS server and grant or deny access based on its response.
Two Factor Authentication (2FA) for VPN login takes place as shown in the above figure. The steps below walk through how it happens:
- The user enters their login credentials into the VPN client.
- The RADIUS client (the VPN server) sends the login details to the miniOrange RADIUS server.
- The user details are checked against Active Directory.
- When AD finds the user and the credentials match, it sends the response to the miniOrange RADIUS server. First-factor authentication is completed here.
- A challenge response is sent back to the RADIUS client for second-factor authentication.
- The RADIUS client prompts the user with the 2FA challenge (e.g. OTP over SMS/Email).
- When the user answers the 2FA challenge, the authentication response is sent to the miniOrange RADIUS server.
- After checking the response, the RADIUS server grants access to the user.
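The server side of steps 2 to 8 as an added example (not miniOrange code). It models the RADIUS exchange at message level using the real packet codes (Access-Request 1, Access-Accept 2, Access-Reject 3, Access-Challenge 11) and the State and Reply-Message attributes that carry the challenge, but without the wire encoding or shared-secret authenticator. The directory, the OTP and the 120-second challenge lifetime are constructed assumptions.

```python
import os
import time
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

# Constructed stand-ins for Active Directory and for the OTP issued to the user.
DIRECTORY = {"alice": "correct horse battery staple"}   # demo only, plaintext
CURRENT_OTP = {"alice": "482913"}


class RadiusTwoFactorServer:
    """First factor against the directory, then an Access-Challenge whose State
    attribute binds the user's OTP reply to that pending login."""
    CHALLENGE_TTL = 120   # seconds a challenge stays valid (assumed value)

    def __init__(self):
        self.pending = {}  # State value -> (username, issued_at)

    def handle(self, packet: dict, now=None) -> dict:
        now = time.time() if now is None else now
        if packet.get("code") != ACCESS_REQUEST:
            return {"code": ACCESS_REJECT}
        user = packet.get("User-Name", "")
        state = packet.get("State")
        if state is None:
            # Steps 3-5: first factor. One generic reject, whatever part failed.
            pw = DIRECTORY.get(user)
            if pw is None or not hmac.compare_digest(pw, packet.get("User-Password", "")):
                return {"code": ACCESS_REJECT}
            token = os.urandom(16).hex()           # unguessable State value
            self.pending[token] = (user, now)
            return {"code": ACCESS_CHALLENGE, "State": token,
                    "Reply-Message": "Enter the OTP sent to your phone/email"}
        # Steps 7-8: second factor. State must match a live challenge for this user.
        entry = self.pending.pop(state, None)      # one-shot: the challenge is consumed
        if entry is None or entry[0] != user or now - entry[1] > self.CHALLENGE_TTL:
            return {"code": ACCESS_REJECT}
        otp = packet.get("User-Password", "")      # the NAS returns the OTP in User-Password
        if hmac.compare_digest(CURRENT_OTP.get(user, ""), otp):
            return {"code": ACCESS_ACCEPT}
        return {"code": ACCESS_REJECT}
```

Because the State token is popped on first use and expires, a captured second-stage Access-Request cannot be replayed, and an OTP cannot be submitted without first passing the password step.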
- Integrating 2FA/OTP Verification for Payment Gateways:
On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of the second Payment Services Directive (PSD2).
All online businesses will have to ensure they are compliant with the Payment Services Directive 2 (PSD2) legislation. The EU directive mandates that any online transaction over €30 requires Strong Customer Authentication (SCA).
To meet the new EU regulations, payment gateways and businesses will need to build an extra layer of authentication (2FA) into online card payments.
miniOrange has helped many businesses and payment gateways integrate 2FA or MFA into their applications. We provide access to our 2FA APIs, with which 2FA can be integrated into any application quickly and without much effort.
Payment gateways that operate in Europe, such as SecurionPay, Skrill, Stripe, PayU, Authorize.Net, Amazon Pay and PayPal, will be enforcing Strong Customer Authentication (SCA) very soon.
- Yubikey as a 2FA Method for Microsoft Office 365:
Microsoft provides 2FA/MFA only through its default application, with a limited set of 2FA methods, and you cannot configure any additional 2FA authentication method.
If you want to use a Yubikey or any other hardware token as an authentication method when accessing Office 365, miniOrange supports this and it can be integrated quickly.
miniOrange allows you to use a Yubikey (or any other of the 15+ available 2FA methods) as the second factor for logging in to Office 365.
Benefits Of 2FA
When Two Factor Authentication (2FA) is enabled on your system, it prevents an attacker from accessing your resources even if they know your username and password. Because there is an additional layer of authentication, the attacker has to pass that layer as well, which is not possible.
- Enhanced security: By requiring a second factor of identification, Two Factor Authentication (2FA) decreases the chance that an attacker can impersonate a user and gain access to the system. The miniOrange Two Factor Authentication (2FA) solution also allows users to log in with a username and OTP, removing the need to enter a password.
- More productivity and flexibility: Organizations are embracing mobility because it increases productivity. With mobile 2FA, employees can securely log in and access corporate applications and resources from virtually any device and any location, without putting the company network at risk.
- Fraud prevention: Two Factor Authentication verifies that you are who you say you are before letting you proceed. It prevents unauthorized access to your website by providing an additional layer of authentication.