How to Implement 2-Step Verification in ASP.NET MVC
page 2 of 12
by Keyvan Nayyeri

Background

Before moving on to what I did, I should point out that over the past years developers have relied on two common techniques to prevent dictionary attacks, used either independently or in combination:

· CAPTCHA validation: Many websites implement some kind of CAPTCHA control that forces the user to enter the text displayed in an image after a few failed login attempts. This prevents automated dictionary attacks, but it has two big issues: first, it has a very bad impact on the usability of the site, and second, it is vulnerable to image-processing techniques that parse the image and recognize the text automatically, allowing the dictionary attack to continue.

· Failed login attempt threshold: The other common mechanism is to store the number of failed login attempts and prevent the user from logging into the site for a period of time (e.g., 10 minutes), even if he provides the correct username and password combination. This method, which I’ve used in some projects, looks more promising than CAPTCHA controls but has one weakness: it cannot prevent attacks that test combinations of usernames and passwords together. In other words, the hacker may be able to discover valid usernames on the site that he can use for bad purposes later.
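As an added illustration (not code from the article), here is a minimal in-memory version of the failed login attempt threshold described above; the class and member names, the five-failure limit and the 10-minute window are assumptions chosen for the example.

```csharp
using System;
using System.Collections.Generic;

// Added example, not part of the article: tracks failed logins per username
// and locks the account for a window, rejecting even a correct password
// while the lockout is active. In a real site the state would live in the
// database shared by all web servers, not in process memory.
public sealed class LoginAttemptTracker
{
    private sealed class Entry { public int Failures; public DateTime LockedUntil; }

    private readonly Dictionary<string, Entry> _entries =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly int _maxFailures;   // assumption: 5 attempts
    private readonly TimeSpan _lockout;  // assumption: 10 minutes, as in the text

    public LoginAttemptTracker(int maxFailures = 5, TimeSpan? lockout = null)
    {
        _maxFailures = maxFailures;
        _lockout = lockout ?? TimeSpan.FromMinutes(10);
    }

    // Call this BEFORE verifying the password: while true, the login must fail
    // regardless of the credentials supplied.
    public bool IsLockedOut(string username, DateTime now)
    {
        Entry e;
        return _entries.TryGetValue(username, out e) && e.LockedUntil > now;
    }

    public void RecordFailure(string username, DateTime now)
    {
        Entry e;
        if (!_entries.TryGetValue(username, out e))
            _entries[username] = e = new Entry();
        e.Failures++;
        if (e.Failures >= _maxFailures)
        {
            e.LockedUntil = now + _lockout;
            e.Failures = 0; // counting starts fresh once the lockout expires
        }
    }

    // A successful login clears the counter for that account.
    public void RecordSuccess(string username) { _entries.Remove(username); }
}
```

Because the counter is keyed by username, an attacker trying one password against many different usernames never reaches the threshold on any single account, which is exactly the weakness the article notes for this technique.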

Although these two methods are very effective in practice, they remain vulnerable in several situations. If a user’s password is lost or stolen, whoever holds the password can easily get access to the account. For some websites this is not very critical, but for other sites and services it is a very dangerous situation. For example, a GMail user who has used his account for several years to store all his information, putting all his eggs in one basket, may lose many things in his life by having his GMail account compromised!

This is why Google implemented the 2-step verification mechanism on GMail accounts, and Microsoft added a similar feature to Live accounts. Earlier, Facebook had offered a lighter form of this technique by informing a user via SMS whenever his or her account was accessed.

Essentially, this 2-step verification (also known by other names such as two-step verification or phone verification) is one of several forms of two-factor authentication (TFA); it uses text messaging to verify access to an account. This can be as simple as notifying a user that his account was accessed from a specific IP address at a specific time, or it can be more involved, requiring the user to enter a code sent to his phone in order to confirm his identity when logging in.

Generally, the goal of 2-step verification is to use the cell phone number of a user to make sure that access to an account is legitimate. The motivation behind this technique is that nowadays almost everybody uses a cell phone and carries it everywhere. Even if a password is compromised by some trick, it is very hard to gain access to somebody’s mobile phone unless it is physically stolen.

I believe that 2-step verification is a vital part of sites such as banks, domain registrars, DNS managers, and site hosting services, especially cloud-based solutions, because a chain is only as strong as its weakest link: if one part of the chain that makes up a site is compromised, the whole site is compromised!


User Comments

Title: No source code?   
Name: Larry Q
Date: 2011-12-07 10:39:10 AM
Comment:
Hi everyone,

I enjoyed Keyvan's article very much; however, the source code link doesn't work. Is it possible to get the source from another location? Many thanks for writing this article, before I forget.

-Larry