Two-factor authentication
John M. Haddad
Two-factor authentication (abbreviated to 2FA) is a process involving two stages to verify the identity of an entity trying to access services on a computer or in a network. You may not know it, but you probably already use two-factor authentication in the physical world. This explanation of what it is should help convince you why it’s a good idea to use it with mission-critical online services, too. 2FA adds an extra step to your basic log-in procedure. Without 2FA, you enter your username and password, and then you’re done. The password is your single factor of authentication. The second factor makes your account more secure, in theory.
What exactly is two-factor authentication?
It is authentication that requires credentials from two different categories of factor:
- Something you know, such as a Personal Identification Number (PIN), password, or a pattern
- Something you have, such as an ATM card, phone, or fob
- Something you are, such as a biometric like a fingerprint or voice print
How difficult is it to use?
It definitely adds an extra step to your log-in process, and depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain. Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.
Many people in large organizations use a similar approach with an RSA SecurID token, or fob. However, this is an expensive solution for small businesses and individuals.
Some vendors allow you to use SMS to receive a verification code when you log in. In addition to entering your password, you would have to enter the randomly generated code that the vendor sends you. So even if someone stole your password, they would also need to have your phone to be able to receive the SMS. Hence, two levels of protection: two-factor authentication.
What is an example of two-factor authentication?
A great solution – Google’s two-factor authentication
Google has an app called Google Authenticator that you can run on your smartphone, whether iOS, Android, Windows or BlackBerry. Once you download the app, you can set up a particular application with the Authenticator (if it’s enabled for Google Authenticator). Once set up on your phone, you will see that the Authenticator app generates a random-looking 6-digit code. Each code is valid for about 30 seconds. After you enter your username and password, you get prompted to enter the verification code that only you know, because it’s on your device. You can tell the application to remember you on that particular device or computer, so you don’t have to enter the verification code every time on devices that are in your possession.
It may sound complicated, but Google’s solution is very easy to set up. I currently use it for my Google Mail, Dropbox, Evernote and LastPass (see my post “My journey to a stronger online security“). Many vendors are adopting Google’s 2FA solution. It’s a great solution and gives you peace of mind that with a strong password and the Google Authenticator, you have a great security solution.
Google Authenticator doesn’t support all applications. Others may implement their own solution. I have set up 2FA with services like Facebook, Twitter and LinkedIn … all implement their own version of 2FA, like sending me an SMS or text message with a code for me to enter. You will find that other services such as Microsoft, Apple, Tumblr, Office 365 and PayPal also have some variation of two-factor authentication.
Summary
Is two-factor authentication 100% foolproof? Not really. But for the average small business owner or consumer, it’s a great solution. If a hacker tries to get into your application, they will become frustrated very quickly and move on to another, less secure individual. We are starting to see the advent of multi-factor authentication, which could combine a password with a randomly generated code and biometrics such as fingerprints … for added security.
My advice … if you use services like Gmail, Yahoo Mail, Facebook, Twitter, Dropbox, Evernote, etc., immediately get two-factor authentication implemented. I’ve seen too many people get their email account hacked or their Facebook account hacked, even though they think they have a strong password. Give yourself peace of mind and implement a strong two-factor authentication solution today!