Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
Two other examples are to supplement a user-controlled password with a one-time password (OTP) or code generated or received by an authenticator (e.g. a security token or smartphone) that only the user possesses.
Rise in Cybercrime Requires Stronger Security With 2FA
In recent years, we’ve witnessed a massive increase in the number of websites losing personal data of their users. And as cybercrime gets more sophisticated, companies find their old security systems are no match for modern threats and attacks. Sometimes it’s simple human error that has left them exposed. And it’s not just user trust that can be damaged. All types of organizations—global companies, small businesses, start-ups, and even non-profits—can suffer severe financial and reputational loss.
For consumers, the after-effects of targeted hack or identity theft can be devastating. Stolen credentials are used to secure fake credit cards and fund shopping sprees, which can damage a victim’s credit rating. And entire bank and cryptocurrency accounts can be drained overnight. A recent study revealed that in 2016 over $16 billion was taken from 15.4 million U.S. consumers. Even more incredible, identify thieves stole over $107 billion in the past six years alone.
Clearly, online sites and apps must offer tighter security. And, whenever possible, consumers should get in the habit of protecting themselves with something that’s stronger than just a password. For many, that extra level of security is two-factor authentication.
Passwords: Historically Bad But Still In Use
How and when did passwords get so vulnerable? Back in 1961, the Massachusetts Institute of Technology developed the Compatible Time-Sharing System (CTSS). To make sure everyone had an equal chance to use the computer, MIT required all students to log in with a secure password. Soon enough, students figured out that they could hack the system, print out the passwords, and hog more computer time.
Despite this, and the fact that there are much more secure alternatives, usernames and passwords remain the most common form of user authentication. The general rule of thumb is that a password should be something only you know while being difficult for anyone else to guess. And while using passwords is better than having no protection at all, they’re not foolproof. Here’s why:
- Humans have lousy memories. A recent report looked at over 1.4 billion stolen passwords and found that most were embarrassingly simple. Among the worst are “111111,” “123456,” “123456789,” “qwerty,” and “password.” While these are easy to remember, any decent hacker could crack these simple passwords in no time.
- Too many accounts: As users get more comfortable with doing everything online, they open more and more accounts. This eventually creates too many passwords to remember and paves the way for a dangerous habit: password recycling. Here’s why hackers love this trend: it takes just seconds for hacking software to test thousands of stolen sign-in credentials against popular online banks and shopping sites. If a username and password pair is recycled, it’s extremely likely it’ll unlock plenty of other lucrative accounts.
- Security fatigue sets in: To protect themselves, some consumers try to make it harder for attackers by creating more complex passwords and passphrases. But with so many data breaches flooding the dark web with user information, many just give up and fall back to using weak passwords across multiple accounts.
2FA To The Rescue
2FA is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and a password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This second factor could come from one of the following categories:
- Something you know: This could be a personal identification number (PIN), a password, answers to “secret questions” or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced, and might include biometric pattern of a fingerprint, an iris scan, or a voice print
With 2FA, a potential compromise of just one of these factors won’t unlock the account. So, even if your password is stolen or your phone is lost, the chances of a someone else having your second-factor information is highly unlikely. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity, and unlock the account.
Hardware Tokens for 2FA
Probably the oldest form of 2FA, hardware tokens are small, like a key fob, and produce a new numeric code every 30-seconds. When a user tries to access an account, they glance at the device and enter the displayed 2FA code back into the site or app. Other versions of hardware tokens automatically transfer the 2FA code when plugged into a computer’s USB port.
They’ve got several downsides, however. For businesses, distributing these units is costly. And users find their size makes them easy to lose or misplace. Most importantly, they are not entirely safe from being hacked.
SMS Text-Message and Voice-based 2FA
SMS-based 2FA interacts directly with a user’s phone. After receiving a username and password, the site sends the user a unique one-time passcode (OTP) via text message. Like the hardware token process, a user must then enter the OTP back into the application before getting access. Similarly, voice-based 2FA automatically dials a user and verbally delivers the 2FA code. While not common, it’s still used in countries where smartphones are expensive, or where cell service is poor.
For a low-risk online activity, authentication by text or voice may be all you need. But for websites that store your personal information — like utility companies, banks, or email accounts — this level of 2FA may not be secure enough. In fact, SMS is considered to be the least secure way to authenticate users. Because of this, many companies are upgrading their security by moving beyond SMS-based 2FA.