ndax logo

Advanced Security Systems with 2FA

Oct 07, 2019
byNDAX Labs

Advanced Security Systems with 2FA

It can be an absolute nightmare if a hacker or other malicious actor gains access to someone else’s user accounts without their permission.

As people grow increasingly attached and dependant on internet services such as email and social media, the risk of having these accounts compromised has never been more critical. As a professor said to me recently, “If you lose control of your email, you can lose absolutely everything.” 2-Factor Authentication (2FA) is an important security tool that makes it more difficult for unauthorized users to hijack accounts to steal sensitive and personal information. Using a 2FA system, user’s accounts have an added layer of security compared to only using usernames and passwords for protection.

2FA is a method of confirming a user’s digital identities and online accounts by using a combination of two different authentication factors. According to Search Security, authentication factors include:

  • A knowledge factor. Something the user knows, such as a password, a PIN, or some other type of shared secret.
  • A possession factor. Something the user has, such as an ID card, a security token, a smartphone, or other mobile devices.
  • An inherence factor, more commonly called a biometric factor. Something inherent in the user's physical self. These may be personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader; other commonly-used inherence factors include facial and voice recognition. It also includes behavioral biometrics, such as keystroke dynamics, gait, or speech patterns.
  • A location factor, usually denoted by the location from which an authentication attempt is being made, can be enforced by limiting authentication attempts to specific devices in a particular location, or more commonly by tracking the geographic source of an authentication attempt based on the source IP address or some other geolocation information derived from the user's mobile phone or other device such as GPS data
  • A time factor restricts user authentication to a specific time window in which logging on is permitted and restricting access to the system outside of that window.

Withdrawing money from an ATM is an example of 2FA. Only a correct combination of a bank/debit card (something in the user's possession) and a PIN (something only known by the user) allows the transaction to be completed. Usernames and passwords can be supplemented using a one-time password or code generated by an authenticator (e.g., a smartphone) that only the user possesses (Wikipedia, 2019).

With regards to 2FA on smartphones, Wikipedia says, “Two-step authentication involving mobile phones and smartphones provides an alternative to dedicated physical devices. To authenticate, people can use their personal access codes to the device (i.e., something that only the individual user knows) plus a one-time-valid, dynamic passcode, typically consisting of 4 to 6 digits. The passcode can be sent to their mobile device by SMS or can be generated by a one-time passcode-generator app. In both cases, the advantage of using a mobile phone is that there is no need for an additional dedicated token, as users tend to carry their mobile devices around at all times.”

Smartphones becoming the popular method for 2FA delivery has led many 2FA authenticators to offer their services on an app, making account break-ins considerably more difficult than relying on passwords only. Apps such as Authy and Google Authenticator are both available for iOS and Android devices. Authy is also available for Windows, the Apple Watch and desktop devices, whereas Google Authenticator is only available for mobile devices. Check out our tutorial on setting up the Authy App for 2FA on the NDAX website.

Authy and Google Authenticator both generate a time-dependant (usually using a 30-second window) six-digit code that a user enters after they have submitted their username and password. Authy offers multiple-device functionality, whereas Google Authenticator limits its use to a single device.

When a device is stolen or replaced, Authy 2FA tokens automatically sync to newly authorized devices. Authy also offers encrypted backups in the cloud. However, backups are optional. Google Authenticator requires users to deauthorize their old device before authorizing a new one. Google also requires that user’s update their synced accounts manually when switching to a new device.

Authy offers three distinct delivery methods that can be used to generate 2FA codes. One-Time Passcode delivers SMS or voice call 2FA protection. This delivery method is the least secure of the three methods, but it is the method with the broadest global reach. It provides much better security than only using a username and password alone.

The second delivery method is Soft Token Time-Based One-Time passwords that can generate passcodes even when a device is not connected to a cellular or data network. The third method is push authentication, considered to be the most secure and user-friendly way to deliver 2FA.

At NDAX, we have implemented Two-Factor Authentication (2FA), which is a mandatory authentication process. This provides an additional layer of security to our users when they log on to our site and perform activities such as withdrawing funds.

NDAX also offers the security of receiving an email each time a user’s account has been logged into. The email will contain information about the IP of the authenticated user. If you did not log in to your account then please contact customer service.

Other valuable security tools available at NDAX,

• Detect IP Address Change.

• IP Address Whitelist.

• Login History.

• API Key permissions.

• Email Encryption with OpenPGP.

If you are based in Canada and looking for a Canadian Bitcoin exchange, then take a look at  NDAX. NDAX is an easy-to-use, beginner-friendly exchange that can give you easy access to trade Bitcoin and other cryptocurrencies like Ethereum, Ripple, Litecoin, Cardano, Dogecoin, EOS and Stellar.