ELI5 Two Factor Authentication - how are authenticator apps more secure than SMS? episode artwork

EPISODE · Jun 14, 2024 · 8 MIN

ELI5 Two Factor Authentication - how are authenticator apps more secure than SMS?

from ELI5 Explain Like I'm 5: Bite sized answers to stuff you should know about - in a mini podcast · host ELI5 Explain Like I'm Five Podcast

How did we go from secret handshakes to digital codes? Explain “something you know, something you have, and something you are”. Where was the first computer password invented? Why are SMS codes considered not that secure? Which former CIA director had their phone compromised via a teenage phone hack? ... we explain like I'm five Thank you to the r/explainlikeimfive community and in particular the following users whose questions and comments formed the basis of this discussion: aschentei, nottherealslash, elskerelks, mazaru , dissentologist and trueeyes To the ELI5 community that has supported us so far, thanks for all your feedback and comments. Join us on Twitter: https://www.twitter.com/eli5ThePodcast/ or send us an e-mail: [email protected]

How did we go from secret handshakes to digital codes? Explain “something you know, something you have, and something you are”. Where was the first computer password invented? Why are SMS codes considered not that secure? Which former CIA director had their phone compromised via a teenage phone hack? ... we explain like I'm five Thank you to the r/explainlikeimfive community and in particular the following users whose questions and comments formed the basis of this discussion: aschentei, nottherealslash, elskerelks, mazaru , dissentologist and trueeyes To the ELI5 community that has supported us so far, thanks for all your feedback and comments. Join us on Twitter: https://www.twitter.com/eli5ThePodcast/ or send us an e-mail: [email protected]

NOW PLAYING

ELI5 Two Factor Authentication - how are authenticator apps more secure than SMS?

0:00 8:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hey everybody, welcome back to XNNACON5, the podcast where we take questions you always want to ask and talk about in a way that's easy to understand. We are your hosts, I'm Tim. Hi everyone, I'm Kevin. Kevin, today we are talking about passwords and the world of two-factor authentication.

Now we actually did an episode about password and password managers a little while ago, especially on the topic of whether it's a good idea to have a password manager. So if you do like this episode, then once we're done, go back and check out the old ELI-5 password managers episode. But on 2FA and passwords today, let's start with this question. What is the story behind the creation of passwords?

How did we go from secret handshakes to digital codes? Oh man, I mean, passwords have been around for centuries, even used by ancient Romans and during wartimes, a way to verify identity. But how about the first computer password? So that was invented actually at MIT for a time-sharing system.

It was a guy called Fernando Corbado who invented computer password in 1960. And actually, it wasn't long before the first computer password was stolen in 1961. Another MIT PhD candidate named Alan Scher stole it from Corbado, who was his colleague. And Scher stole the password because he wanted more time on the computer.

So from that point on, as hackers got smarter, passwords had to evolve from simple words to complex strings of characters. And now we're even moving beyond passwords with things like biometrics and two-factor authentication. Yes, that's right. There is this concept of something you know, something you have, and something you are.

How does this all play into passwords? Yeah, so that's the golden triangle of authentication. Something you know is usually something like a password or a pin. Something you have could be a mobile device or a security key.

And something you are refers to biometrics, right, like fingerprints or facial recognition. And when you combine these elements, it actually creates a really robust defense against unauthorized access, making it just exponentially harder for attackers to breach your accounts. So that brings us to two-factor authentication, or 2FA, and this is when you've got two sides of that triangle, two prongs of that triangle. Oftentimes when we think of two-factor authentication, practically, we think about SMS messages to prove something that you have on your mobile phone.

But I have heard that SMS-based two-factor authentication isn't all that secure and can be intercepted. Why is that? And what can we do about it? Oh, yeah, it's a really important piece of note.

SMS-based two-factor authentication, while popular, is vulnerable because of something called SIM swap attacks. And what a SIM swap attack is is when a hacker basically convinces your mobile provider to switch your phone number to a SIM card that they own. And so suddenly they're receiving your messages and the codes. And while telecom communities are trying to work on securing this, it's been challenging due to kind of the inherent trust in that customer service process.

Now, a more secure alternative is using something like an authenticator app that generates your codes offline, or even better, using those kind of physical security keys, like those YubiKeys, for example. And these SMSs, though, are generally part of what people call a one-time password, or OTP. But there are also more sophisticated types of one-time passwords as well. So these more sophisticated types of passwords, more sophisticated one-time passwords, is this where time-based codes come into play?

Why are these time-based solutions considered more secure? Yeah, time-based codes work because they're constantly changing, usually every, like, 30 seconds. And this means that even if a hacker were to get your password, they won't have the current code to break into your account. It's kind of like having an ever-changing, you know, second lock that only you can open with your device.

And so this method adds a significant layer of that security because it combines something that you know, which is your password, with something that you have, usually your phone, or something generating that time token. These have the acronym TOTP for time-based one-time passwords. And they're a pretty brilliant evolution in the whole authentication process. And so since these passwords are generating an algorithm that factors into current time, this makes them valid for only a short window.

So thus, even if a TOTP is intercepted, it's useless to a hacker within minutes. It's a dynamic solution to the static problem of traditional passwords and, you know, kind of a moving target to the security landscape. So how is it that an authenticator app actually works then? There's quite a few of them, but they all work in the same way.

Yeah, yeah, they're really useful. When the account is first added to your 2FA code generator app, what happens is the secret value is shared with the code generator, often by scanning like QR code. But then basically a whole bunch of math is performed on that secret and the current time to output a specific length of code. And since the remote server and code generator both know that original secret setup, they both know what code should be associated with the current time.

And so this is also why they also work offline. Now, there was a high-profile hacking incident involving the former CIA director, I believe. What did that teach us about personal cybersecurity? And maybe you can explain that story.

Mm-hmm, yeah. In 2015, the former director of the CIA, John Brennan, had his email breached by a teenager through basically calling Verizon customer support and pretending to be a Verizon technician. And so that incident was a stark reminder that, you know, no one's really immune to cyber threats, not even the head of the CIA. It underscored the importance of robust personal cybersecurity practices like using complex unique passwords for different accounts, enabling 2FA wherever possible, and just generally being vigilant about phishing attempts.

It's really a call to action for everyone to take their digital security much more seriously. Well, thanks, Kevin. That's a good reminder. So everyone, use a password manager.

And in the meantime, keep your passwords complex and your authentication factors multiple. Did you learn something new? If you did, send us an email. We are at eli5thepodcasts at gmail.com.

We love hearing from you, especially when you've got comments and suggestions for us. If you are a regular listener of this podcast, please do take the time to leave us a rating or a review on Apple Podcasts or on Spotify because it does help other people to find our podcast. As always, thanks to the community at r slash Xxxxx5, and we will see you all next week.

Frequently Asked Questions

How long is this episode of ELI5 Explain Like I'm 5: Bite sized answers to stuff you should know about - in a mini podcast?

This episode is 8 minutes long.

When was this ELI5 Explain Like I'm 5: Bite sized answers to stuff you should know about - in a mini podcast episode published?

This episode was published on June 14, 2024.

What is this episode about?

How did we go from secret handshakes to digital codes? Explain “something you know, something you have, and something you are”. Where was the first computer password invented? Why are SMS codes considered not that secure? Which former CIA director...

Is there a transcript available for this episode?

Yes, a full transcript is available for this episode. You can read the complete transcript on the episode page.

Can I download this ELI5 Explain Like I'm 5: Bite sized answers to stuff you should know about - in a mini podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!