
What is two-factor authentication?

Passwords aren't secure; it's time to add multi-factor authentication

As cyber attacks become increasingly prevalent and dangerous, protecting your own information should be a top priority.

Cyber crime is already an epidemic, with attacks across the globe expected to cost businesses, public bodies and people around 4.5 trillion by 2021, research conducted by Cybersecurity Ventures suggests.

While many of those costs will relate to the financial burden of safeguarding data for businesses, and fines for failing to do so, hackers are after your personal information too: phishing scams that steal your credit card data or bank account passwords are incredibly costly if they succeed.


That makes password hygiene essential. A cyber criminal who manages to steal your login credentials via a leak on one website can access your accounts on any other websites or services where you've used those same details. While it's convenient for us to remember a limited set of passwords, re-using these across our social media profiles, bank accounts and email is a hacker's dream.

While backup questions like 'what's your mother's maiden name?' or the name of your childhood pet are often available for those who forget their passwords, these are easy to guess via a quick trawl of your social media profiles. You have to make yourself harder to hack if you want to avoid a lot of cost and pain.


Luckily, there's a better way. Implementing multi-factor authentication makes your account significantly harder to hack by introducing a second element to the login process. This second step might seem like an irritating and unnecessary extra hoop to jump through, but there are some really convenient ways of doing it, and if it saves your bacon from hackers, the additional few seconds spent logging into your email are going to be worth it.

What is two-factor authentication? 

Also known as multi-factor authentication or two-step verification, two-factor authentication is a fairly straightforward process of confirming your identity twice before access is granted to an account or service.


Broadly speaking, authentication falls into three categories: knowledge factors, possession factors and inherent factors. Knowledge normally means something the person has to remember, like a PIN or password, while possession means a secondary device, like a key fob, card reader or smartphone.

Inherent factors, on the other hand, use a person's unique attributes, which are typically biometrics like a fingerprint, iris or retina scanning, or voice recognition. This is less common in general life and business but can be seen in more high-security situations as the second or subsequent level of authentication.

Two-factor authentication uses two of these methods (or more in the case of multi-factor authentication) in order to verify the identity of the person attempting to access an account more thoroughly than a single factor can, with knowledge and possession factors being the most commonly used, leading to the mantra "something you know and something you have".

How does two-factor authentication work?

Two-factor authentication invariably uses a second device that acts as a buffer between a service and a login attempt. This can be anything from a number-generating key fob to a smartphone, with the idea being that only the owner of the associated device is able to provide the additional information needed to sign in.

Two-factor authentication is an option for a wide range of services today, whether it be Google or Microsoft accounts, accessing your work's network or content management system, or confirming online purchases.


The additional security check normally appears after a user has entered their username and password. A system will first validate that the account exists and, if it's flagged for two-factor authentication, will then prompt the user to perform an additional action. This is done either through a third-party provider, such as Duo Security, or as part of a company's own internal checks, as is the case with Google.

The action that users need to perform as part of the additional check can vary between services. They may be required to press 'approve' on a push notification sent to their smartphone, use a random number generator, or input a unique PIN sent via text message.

For example, most banks now have dedicated tokens or random number generators as part of their mobile applications, which are required each time a user wants to access their account in full. Online payments firm PayPal now has a security check that sends a text message with a unique code to a user's smartphone whenever a payment is made.


If the additional action is performed correctly, you're then given access to the account. It can be the slowest part of signing into a service; however, it's an effective way of sifting out those trying to brute force their way into an account.
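The two-step check described above, as an added example (not code from the article or from any service it names). It assumes the "random number generator" is a time-based one-time code as defined in RFC 6238; the account store, function names and credentials are constructed for illustration.

```python
import hashlib, hmac, struct, time

def totp(secret, at, step=30, digits=6):
    """Time-based one-time code per RFC 6238 (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store (assumption: not real credentials).
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # published RFC 6238 test secret
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }
}

def login(username, password, code=None, now=None, step=30):
    """Return 'denied', 'need_second_factor' or 'granted'."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Step 1: knowledge factor (account exists and the password matches).
    if user is None or not hmac.compare_digest(
            hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied"
    if user["totp_secret"] is None:  # account not flagged for 2FA
        return "granted"
    if code is None:                 # password fine, prompt for the code
        return "need_second_factor"
    # Step 2: possession factor. Accept the current time step and the one
    # before it (clock drift), but never a step that was already used.
    current = int(now) // step
    for counter in (current, current - 1):
        expected = totp(user["totp_secret"], counter * step, step)
        if counter > user["last_counter"] and hmac.compare_digest(
                expected.encode(), str(code).encode()):
            user["last_counter"] = counter
            return "granted"
    return "denied"
```

Rejecting an already-accepted time step means a code that was observed during one login cannot be replayed within its validity window.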

Is two-factor authentication safe?

Despite the benefits it offers, it's worth noting that multi-factor authentication is not 100% secure.

Authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack an account that supports a person's mobile number.

Various account-recovery processes for lost passwords can be harnessed by hackers to work around two-factor authentication as well.

And sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker, rather than the legitimate account holder, thereby working within but also around two-factor authentication.

The most secure methods of two-factor authentication use dedicated hardware tokens, which are difficult for hackers to spoof unless they steal one directly from someone. On the flip side, two-factor authentication reliant on SMS is probably best avoided if you are running an enterprise with a treasure trove of data.


While two-factor authentication may not be quite the security silver bullet it was once expected to be, it's still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you can put in the hackers' way, the less likely they are to target you.

Picture credit: Bigstock
