Two Factor Authentication, or 2FA as many call it, is the latest buzzword when it comes to adding additional layers of security to your online accounts. But have you ever thought to yourself, what is Two Factor Authentication? In this article I intend to go over what 2FA is, what it does, and why you should probably be using it. You never know, you may even learn a thing or two along the way. 🙂
What Is Two Factor Authentication?
Let’s start with the basics – authentication is the method of proving that you are entitled to have access to a particular resource. That resource could be a computer, server, online account, or something like a folder share. The most common type of authentication, which many of us use every single day, is the tried and not-so-trusted username and password. What 2FA does is add an additional layer of authentication on top of the normal username and password, in order to make unauthorised access to that resource exponentially more difficult.
The 2FA Concept
The basic concept of 2FA can come under a number of categories, such as:
- Something you know – for example a username and password.
- Something you have – like a phone with an app, or a hardware token.
- Something you do – like accept a popup message on your phone.
- Something you are – biometrics, like a fingerprint reader or retinal scanner.
When it comes to your username and password, you know both of those pieces of information (well, I hope you do anyway), so they both come under something you know. Therefore, this is a single factor of authentication. When logging in to my Internet banking site, I enter my username & password, then it asks me for specific letters from a memorable word I have. You may think that this is an example of 2FA, but it isn’t.
You see, I know my username & password, and I also know my memorable word. So although there are multiple steps to me logging in to my Internet banking site, there is still only a single factor of authentication used – something I know.
However, if I had an app on my phone that was configured to generate a One Time Password (OTP), which is a code that changes every 30 seconds or so, and my Internet banking site asked for that code, this would be 2FA, as I’m using two factors of authentication:
- Something I know – my username and password.
- Something I have – my phone with a generated OTP.
Alternatively, my banking mobile app could also use 2FA, but in a different way. I could log in to their app with my username and password; it could then prompt me for my fingerprint, using the fingerprint reader that my phone has. Again, this would be 2FA:
- Something I know – my username and password.
- Something I am – my fingerprint.
Types Of 2FA
There are numerous types of 2FA out there. The most common type of 2FA is an app such as Google Authenticator or Authy, which can be configured to generate an OTP that changes every 30 seconds or so. However, there are many more types of 2FA that can be used, such as:
- OTP hardware tokens – like the YubiKey, RSA tokens or CryptoCard.
- OTP codes – these can be generated by an app on your device, an SMS message or a phone call.
- Popups – some sites, like Google, can generate a popup on your device that asks “is this you?” when logging in, with an option to confirm or deny.
- Biometrics – such as a fingerprint reader or retinal scanner.
Why Is 2FA More Secure?
Think about it this way – if your username and password are compromised (which, let’s be honest, happens more often than we would like) then a threat actor can access your account, as they have all the data they need to be authenticated. This gets even worse if you’re using the same crappy password in more than one place, as a threat actor can re-use those credentials to log in to other accounts that you own.
However, if you’re using 2FA on that same site that was just compromised, a threat actor would also need your second factor of authentication in order to compromise your credentials. In most cases, this is your mobile phone. So unless you’ve given Johnny Hacker your phone, you’re still pretty safe – although I would recommend changing your password anyway. Whilst 2FA isn’t a magic pill that cures all kinds of credential harvesting, it does go a long way to making your online accounts far more secure.
Where Can 2FA Be Used?
In short, lots of places. Many websites and services now offer some sort of 2FA option. You may not want to use 2FA for every single account you have, and that’s fine, but I would personally recommend you have 2FA on the really important accounts, like email, PayPal, banking and your password manager if you have one. Personally though, I use 2FA wherever it is available, and I recommend you do the same. The website below compiles a list of common websites that offer at least one method of 2FA, as well as a link to the page that allows you to enable it on that particular service: https://twofactorauth.org.
As I said above, 2FA certainly isn’t a magic pill that will make you impervious to getting hacked, but it will definitely make your accounts more secure. Your security posture should be like an onion – it should have multiple layers. The more hurdles a threat actor has to jump through, the harder it will be to compromise your accounts – ipso facto, you’re more secure.
Yes, there is more hassle involved in logging in initially, but personally, I would rather spend an extra 10 seconds logging in with 2FA than make my accounts less secure. Plus, many password managers, like Bitwarden, have the means to manage your 2FA codes for you, so it’s even easier! Now you know the answer to “what is two factor authentication?” Go forth and secure your accounts, people!