There has been an increase in the use of Two-Factor Authentication for online accounts, so in this month’s blog post we are going to look at what exactly Two-Factor Authentication (2FA) is, why we have it, and how we use it.
What is 2FA? 2FA adds an additional layer of protection to your online accounts that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. Basically, when you log into an account (your email or your online bank or your medical records or even your social media account), instead of just putting in your username and password (single factor authentication) you must complete a second step to authenticate that it is really you and not some crook trying to steal your identity and your money. It’s a way of protecting yourself with something that is stronger than just a password. That extra level of security is Two-Factor Authentication.
Why do we need 2FA? Passwords have a long history of being weak, yet usernames and passwords remain the most common form of user authentication. The password is supposed to be something only you know and that is difficult for anyone else to guess. And while using passwords is better than having no protection at all, they are not foolproof. Let’s look at the reasons why.
- Humans have lousy memories. A recent report looked at over 1.4 billion stolen passwords and found that most were embarrassingly simple. Among the worst are “111111,” “123456,” “123456789,” “qwerty,” and “password.” While these are easy to remember, any decent attacker can crack such passwords in no time, because cracking tools try these exact strings first. If you want to get a feel for what makes a password strong you can experiment with a strength checker such as “How Secure Is My Password,” but only with made-up passwords: never type a password you actually use into a third-party website.
- Too many accounts. As users get more comfortable doing everything online, they open more and more accounts. This eventually creates too many passwords to remember and paves the way for a dangerous habit: password recycling. Here’s why attackers love this trend: it takes just seconds for automated tools to test thousands of stolen username and password pairs against popular online banks and shopping sites (an attack known as credential stuffing). If a username and password pair is recycled, it’s extremely likely it will unlock plenty of other lucrative accounts.
- Security fatigue sets in. To protect themselves, some consumers try to make it harder for attackers by creating more complex passwords and passphrases. But with so many online accounts like banking, email, social media, video streaming services, shopping, and more, many people just give up and fall back to using weak passwords across multiple accounts.
How does 2FA work? 2FA is actually very simple once you understand it. As we stated before, 2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access to the account, they will be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know. This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern. Note that if your first factor is already a password, a PIN or a secret-question answer is simply a second secret of the same kind, and whoever phishes or steals one can usually get the other. Real two-factor authentication pairs the password with a factor from one of the other two categories.
- Something you have. Typically, a user would have something in their possession, like a smartphone that receives a code or runs an authenticator app, or a dedicated hardware security key.
- Something you are. This category is a little more advanced, and might include a fingerprint, an iris scan, or a voice print.
With 2FA, compromising just one of these factors won’t unlock the account. If your password is stolen, the thief still doesn’t have your phone; if your phone is lost, whoever finds it still doesn’t know your password. Someone obtaining both at once is far less likely.
So how do I get the second authentication when I’m using 2FA? There are several ways to use 2FA. Without going into great detail we are going to look at just a few.
- SMS Text-Message and Voice-based 2FA. SMS-based 2FA interacts directly with a user’s phone. After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message. The user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials a user and verbally delivers the 2FA code which the user must then enter to gain access. This is the most widely supported option, but also the weakest: the code travels over the phone network, and an attacker who convinces your carrier to move your number to their SIM (a “SIM swap”) receives your codes instead of you. It is still far better than a password alone, but prefer one of the methods below where a site offers them.
- Software Tokens for 2FA. First, a user must download and install a free 2FA app (an “authenticator” app) on their smartphone or desktop. When enrolling, the site shares a secret key with the app, usually by showing a QR code. They can then use the app with any site that supports this type of authentication. At sign-in, the user first enters a username and password, and then, when prompted, they enter the code shown on the app. The app computes the code from the shared secret and the current time, so it is typically valid for only about 30 seconds, and because nothing is sent over the phone network, the code cannot be intercepted in transit or redirected by a SIM swap. It can, however, still be phished: if you type the code into a fake login page, the attacker can forward it to the real site within its lifetime, so always check you are on the genuine site before entering a code.
- Push Notification for 2FA. Rather than relying on the receipt and entry of a 2FA token or OTP, websites and apps can now send the user a push notification that an authentication attempt is taking place. The device owner simply views the details (typically the location and time of the attempt) and can approve or deny access with a single touch. There are no codes to copy, but it is not password-less: the password is still the first factor, and the tap is the second. Because approving is so easy, attackers who have stolen a password sometimes trigger prompt after prompt hoping the victim will tap “approve” just to make them stop. Never approve a prompt for a login you did not just start yourself; deny it and change your password.
- Biometric 2FA. This authentication treats the user as the token. Recent innovations include verifying a person’s identity via fingerprints, retina patterns, facial recognition, and vocal prints. For example, some online banks have mobile apps where you can access your account via your phone or tablet. After entering your username and password the app will ask you to read a statement out loud and it records your voice reading the statement. It then checks it against the version you recorded when you first set up the app, and if it is truly you, you get access to your online account.
Now that you know what 2FA is and how it works, turn it on whenever a website or app offers it, preferring an authenticator app, push notification or hardware key over text messages where you have the choice. Yes, it is an additional step to get to your account, but it is better to have an extra lock on the door than a weak one or no lock at all.