Two-factor authentication

Posted: Sep 6, 2014

Two-factor authentication

John M. Haddad

Two-factor authentication (abbreviated to 2FA) is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network.  You may not know it, but you probably already use two-factor authentication in the physical world. This explanation of what it is should help convince you why it’s a good idea to use it with mission-critical online services, too.  Two-factor authentication, or 2FA as it’s commonly abbreviated, adds an extra step to your basic log-in procedure. Without 2FA, you enter in your username and password, and then you’re done. The password is your single factor of authentication. The second factor makes your account more secure, in theory.

What exactly is two-factor authentication?

Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that’s considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account. The three types are:
  • Something you know, such as a Personal Identification Number (PIN), password, or a pattern
  • Something you have, such as an ATM card, phone, or fob
  • Something you are, such as a biometric like a fingerprint or voice print

How difficult is it to use?

rsa-securidIt definitely adds an extra step to your log-in process, and depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain. Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.

Many people in large organizations use a similar solution using an RSA SecurID token, or fob.  However, this is an expensive solution for small businesses and individuals.

Some vendors allow you to use SMS to send a verification code to when you log in.  In addition to entering your password, you would have to enter the random generated code that the vendor sends you.  So even if someone stole you password, they would also need to have your phone to be able to get an SMS.  Hence, 2 levels of protection, two-factor authentication.

What is an example of two-factor authentication?

To provide an simple everyday example: an ATM typically requires two-factor verification. To prove that users are who they claim to be, the system requires two items: an an ATM smartcard (something you have) and the Personal Identification Number, or PIN (something you know).  In the case of a lost ATM card, the user’s accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes two-factor verification more secure: there are two factors required in order to authenticate.

A great solution – Google’s two-factor authentication

google-authenticatorGoogle has an app called the Google Authenticator that you can run on your smartphone, either iOS, Android, Windows or Blackberry.  Once you download the app, you can set up a particular application with the Authenticator (if it’s enabled for Google Authenticator).  Once set up on your phone,, you will see that Google generates a random 6 digit code.  This code is valid for about 30 seconds.  After you enter you username and password, you would get prompted to enter your verification code that only you know because it’s on your device.  You can tell the application to remember you on that particular device or computer, so you don’t have to enter the verification code every time on devices that are in your possession.

It may sound complicated, but Google’s solution is very easy to set up.  I currently use it for my Google Mail, Dropbox, Evernote and LastPass (see my post “My journey to a stronger online security“).  Many vendors are taking advantage of using Google’s 2FA solution.  It’s a great solution and gives you piece of mind that with a strong password and the Google Authenticator, you have a great security solution.

Google Authenticator doesn’t support all applications.  Others may implement their own solution.  I have set up 2FA with services like Facebook, Twitter and Linkedin … all implement their own version of 2FA, like sending me an SMS or text message with a code for me to enter. You will find other services such as Microsoft, Apple, Tumlr, Office 365 and PayPal have also some variation of two-factor authentication.


Is two-factor authentication 100% foolproof?  Not  really.  But for the average small business owner or consumer, it’s a great solution.  If a hacker tries to get into your application, they will become frustrated very quickly and move on to another less secure individual.  We are starting to see the advent of multi-factor authentication, which could combine a password, with a random generated code and biometrics or fingerprints … for added security.

gmail-hackedMy advice … if you use services like Gmail, Yahoo Mail, Facebook, Twitter, Dropbox, Evernote, etc., immediately get two-factor authentication implemented.  I’ve seen too many people get their email account hacked or their facebook account hacked, even though they think they have a strong password.  Give yourself peace of mind and implement a strong two-factor authentication solution today!

Posted in

View other posts


Share this post

Recent Posts


About the author

John M. Haddad
John Haddad is the Principal and Owner of Bisinet Technologies, LLC. He has been in the Information Technology (IT) field for over 40 years. Over his career, he has held positions in all aspects of technology … programming, systems analysis, project management, infrastructure support, systems architecture, IT Management and web development. He continues to work with many small businesses and non-profits in the local area to provide technology consultation, web design and cloud solutions.