The Buzz Surrounding Two-Factor Authentication
Gone are the days when you could get away with using password123 as a password. Even passwords that look strong, such as a string of letters and numbers built from your birthday, aren’t enough to keep data safe.
Here’s a good example of weak passwords and of how vulnerable everyone is to having this information leaked.
Let’s talk about taking your cybersecurity game to the next level.
What Is Two-Factor Authentication?
2FA is also known by other names such as two-step authentication and login verification. In addition to a password, it uses one other method to verify a user’s identity, making it more difficult for an imposter to access an account.
A variety of specific 2FA methods are available, but they all use some type of identification that’s completely separate from the user’s standard password. These methods include one-time passwords, QR codes, hardware tokens, and other verification codes.
Why Bother Enabling Two-Factor Authentication?
Passwords are vulnerable. Hackers can use modern tools to test billions of passwords every second, allowing them to crack 90% of all passwords within six hours.
That’s why more advanced companies are turning to 2FA. But not everyone is on board with it. Here’s why.
A 2016 joint study by the University of Maryland and Johns Hopkins University clearly shows that 2FA is a misunderstood and underappreciated security tool.
Around six out of ten respondents said they didn’t use 2FA because they had never heard of it or never been prompted to use it.
Almost three in ten said they don’t use 2FA on their smart devices, typically citing inconvenience and concerns about a lack of privacy as their reasons for not adopting it.
Some respondents also said they had negative experiences with 2FA, and a few simply saw no value in it.
The researchers of the study concluded that lack of information was the root cause of 2FA’s poor adoption.
How 2FA Works
An authentication factor is any method of verifying your identity to a computer system that allows you to gain access to that system. Passwords certainly meet this definition, but other information does as well. Authentication factors can generally be classified into the following categories:
- Something you know
- Something you have
- Something you are
The two authentication factors used in 2FA must belong to different categories since factors in the same category share the same weaknesses. One of the factors is a password, which is something you know. The other factor, then, should be something you have or something you are.
Knowledge-based authentication uses a security question as the second factor, but it isn’t true 2FA.
Passwords and security questions are both things that you know, so knowledge-based authentication involves backing up something you know with something else you know. The security question is just another password that an attacker can learn, usually with greater ease than cracking your primary password.
The Second Factor: Getting It Right
Tom’s Guide lists all 2FA methods that you can implement in your organisation. We’re grouping them based on the safety of the non-password authentication factor.
Least Safe 2FAs
These include texted or voice-called codes, which are temporary codes sent to you as a text message or automated phone call.
These factors aren’t secure because the codes aren’t encrypted in transit and are tied to your phone number rather than to a specific device. So they can be intercepted by anyone who has had your phone account changed to forward calls to their number.
Safer 2FAs
These include push codes, code-generating hardware tokens, and authenticator apps.
A push code is a temporary code transmitted over a secure internet connection instead of a phone line, but it’s otherwise similar to a texted or voice-called code.
Code-generating hardware tokens are dedicated devices that generate temporary authentication codes at frequent intervals.
They’ve been largely replaced by code-generating authenticator apps that use smart devices to generate these codes.
Safest 2FAs
Push approvals allow you to authenticate yourself by simply pressing a button on your smart device. They’re safer than push codes because they’re associated with a particular device rather than a phone number.
Companies such as Microsoft, Yahoo, and Google use push approvals for their own apps, while third parties like Authy and Duo Mobile offer push approvals for various mobile services.