Two-factor authentication, commonly shortened to 2FA and also referred to as two-step verification, dual-factor authentication or multi-factor authentication, is the process whereby users are asked to verify their identity using more than one (typically two) authentication factor. The purpose of two-factor authentication is to prevent an attacker who has compromised a user's password from logging into the account: the attacker also needs to get past the second factor of authentication in order to log in successfully, which drastically reduces the chance of the account being taken over.
What are authentication factors?
An authentication factor is a means for a user to prove that they are who they claim to be. Authentication is the process by which a user is verified as being who they say they are; the most common form is the combination of a username and a password, where the password is the authentication factor.
Applications that support two-factor authentication typically use two of the three factor types (something you know, something you have, something you are), most commonly a password and a one-time token (typically a six-digit number that changes every thirty seconds or so).
Why aren’t passwords good enough?
While passwords have served us since the earliest days of computing, unfortunately they have not aged particularly gracefully.
Passwords have been in use since the 1960s, when MIT first used a password on a computer to authenticate a user by matching two strings: one stored in the system and one supplied by the user. Fast forward to today, and not much has changed in how passwords are used, and unfortunately that is now causing a lot of problems.
The crux of the problem with insecure passwords is that humans are predictable creatures of habit: when creating passwords, we tend to seek the path of least resistance and pick something we will easily remember, which is often insecure. Such passwords typically include personal and publicly gleanable information, such as the names of pets or loved ones, or birthdays.
To make matters worse, most people reuse their passwords across different accounts. This means that as soon as one password is compromised, there is a high likelihood that an attacker can try the same username and password combination on a totally different website and still manage to log in. This is compounded by the fact that data breaches are continuously on the rise.
What two-factor authentication (2FA) accomplishes (and what it doesn't)
The most pertinent feature of two-factor authentication is that it makes it harder, but not impossible, for an attacker to gain access to a user's account: it adds an additional layer of security to the authentication process, so knowing a victim's password alone is not enough. On closer inspection there are more reasons to adopt 2FA, even if it is not perfect (there are no silver bullets in information security).
Aside from preventing access to an account by someone who knows just the password, 2FA protects users against password reuse. This does not mean that enabling 2FA makes it ok to reuse passwords, but it serves as an additional line of defence.
Additionally, 2FA means that for an attacker to successfully take over an account, the attack often has to be carried out in real time, while the one-time code is still valid. While this puts attackers at a disadvantage, since it makes such attacks harder to pull off, it is also where the myth that 2FA prevents phishing falls short.
Attacks against 2FA-protected accounts generally require the victim to be in the loop, since tricking the victim into divulging a 2FA code is typically the easiest path an attacker can take to gain access to the account; spear phishing or another form of social engineering is a frequent method of choice for such an attack.
While two-factor authentication (2FA) does add a minor layer of friction when signing in, it is one of the simplest but most effective security controls you can implement across your organization. To learn more about which sites and applications support 2FA, visit twofactorauth.org.