You might not realize it, but you regularly use two-factor authentication. When you swipe your debit card and are asked to enter your PIN code, or write a check and are asked to show your driver’s license, each is a form of two-factor authentication. The first example requires you to possess your card and know your PIN code. The second requires you to possess your checkbook and prove your face matches the mugshot on your ID.
Two-factor authentication requires two ways of proving your identity and can also be used to protect your various online accounts. It doesn’t offer perfect security and requires an extra step when logging into your accounts, but it does make your data more secure online.
How does two-factor authentication work online?
Two-factor authentication (2FA) — also known as two-step verification or multifactor authentication — is widely used to add a layer of security to your online accounts. The most common form of two-factor authentication when logging into an account is the process of entering your password and then receiving a code via text on your phone that you then need to enter. The second layer in two-factor authentication means a hacker or other nefarious individual would need to steal your password along with your phone in order to access your account.
There are three types of authentication:
- Something you know: a password, PIN, zip code or answer to a question (mother’s maiden name, name of pet, and so on)
- Something you have: a phone, credit card or fob
- Something you are: a biometric such as a fingerprint, retina, face or voice
How does the second factor work?
After you enter your password — the first authentication factor — the second factor usually arrives by SMS. That is, you’ll get a text with a numerical code that you’ll then need to enter to log into your account. Unlike a PIN code for a debit card, a 2FA code is used only one time; each time you log into that account, you’ll be sent a new code.
Alternatively, you can use a dedicated authentication app to receive codes instead of having them texted to you. Popular authentication apps are Google Authenticator, Authy and Duo Mobile.
Should I use SMS or an app?
Many sites and services, including Amazon, Dropbox, Google and Microsoft, give you the option of using SMS or an authentication app. Twitter is the biggest example of a site that forces you to use SMS. If you have the choice, use an authentication app.
Receiving codes via SMS is less secure than using an authentication app. A hacker could intercept a text message or hijack your phone number by convincing your carrier to transfer it to another device. Or if you sync text messages with your computer, a hacker could gain access to SMS codes by stealing your computer.
An authentication app has the advantage of not needing to rely on your carrier; codes are generated on your phone from a secret shared between the app and your account, combined with the current time. Codes expire quickly, usually after 30 or 60 seconds. Since an authentication app doesn’t need your carrier to transmit codes, the codes will stay with the app even if a hacker manages to move your number to a new phone. An authentication app also works when you don’t have cell service, another bonus.
Using an authentication app requires a little extra setup but offers better protection than SMS. To set up an authentication app, you will need to install the app on your phone and then set up a shared secret between the app and your accounts. This is usually done by scanning a QR code with your phone’s camera. Once set up, however, an authentication app saves you the step of needing to enter a code; you simply tap on the app’s notifications to log into one of your accounts.
Will 2FA make my accounts more secure?
No security product can claim to offer perfect, foolproof protection, but by combining two of the above three types of authentication, 2FA makes it harder to get into your account. You not only make your accounts more difficult to attack, but you also make your accounts less attractive targets.
Think of it in terms of home protection. If you have a home security system, you lower the odds of a burglary. If you have a loud, large dog, you also lower the odds of a burglary. If you combine a security system with a big dog, then your house becomes even more difficult to break into and a less attractive target. Most burglars will simply find an easier mark — one without an alarm and the potential for a dog bite.
Similarly, two-factor authentication prevents a large portion of hackers from targeting your account; many will simply move on and find easier accounts to break into. And should they target you, they’ll need more than just your password. In addition to your password, a hacker would need to also have your phone — or gain access to the tokens placed on your phone by the authentication mechanism via a phishing attack, malware or activating account recovery where your password is reset and 2FA is then disabled. That’s extra work.