More and more banks, credit card companies, and even social media networks and gaming sites are starting to use two-factor authentication. If you’re a little unclear on what it is or on why you’d want to start using it, read on to learn how two-factor authentication can keep your data secure.
What Exactly Is Two-Factor Authentication?
How-To Geek reader Jordan writes in with a straightforward question:
I’m hearing more and more about two-factor authentication. I vaguely remember Google making a big deal about it last year, my bank recently offered a free key-ring thing for valued customers, and my roommate even has some sort of app on his phone to keep his Diablo III account from getting hacked. I get that it’s some sort of security tool but what exactly is it and should I be using it?
In order to understand what two-factor authentication is, let’s first take a look at what one-factor authentication is and compare it to both real and virtual models of security.
When you come home from work, pull out your keys, and unlock your back door, you’re engaging in simple one-factor authentication. The door and the lock assembly don’t care if the person holding the key is you, your neighbor, or a criminal that lifted your keys. The only thing the lock cares about is that the key fits (you don’t need two keys, a key and a fingerprint, or any other combination of checks). The physical key is the single confirmation that the person wielding it is allowed to open the door.
The same level of one-factor authentication occurs when you log in to a web site or service that simply requires your login and password. You plug that information in and it exists as the only check that you are, in fact, you.
Assuming nobody ever steals your keys or cracks/steals your password, you’re in good shape. While your keys being stolen is a fairly low risk, virtual security is more complex (and unlike online security breaches, your apartment complex manager, for example, would never accidentally copy all the keys and leave them with your name and address on a street corner).
Security breaches, sophisticated attacks, and other unfortunate but all too real aspects of working and playing in a virtual space necessitate improved security practices including multiple and diverse complex passwords and, when available, two-factor authentication.
What is two-factor authentication and what does it look like for you, the end-user? At minimum, two-factor authentication requires two out of three regulatory-approved authentication variables, such as:
- Something you know (like the PIN on your bank card or email password).
- Something you have (the physical bank card or an authenticator token).
- Something you are (biometrics like your fingerprint or iris pattern).
If you’ve ever used a debit card, you’ve used a simple form of two-factor authentication: it’s not enough to know the PIN or to physically have the card; you need to possess both in order to access your bank account via an ATM.
Two-factor authentication can take on a variety of forms and still meet the 2-of-3 requirement. There can be a physical token, such as those widely used in banking, where an over-the-air code is generated for you. To log in, you need your username, password, and the unique code (which expires every 30 seconds or so). Other companies skip the custom-hardware route and supply mobile phone apps (or SMS-delivered codes) which provide the same functionality. While not particularly common, you could also use two-factor authentication based on biometrics (such as securing an encrypted file via password and fingerprint).
Why Should I Use It and Where Can I Find It?
Any time you introduce an additional layer to your security routine, you always have to ask yourself if the hassle is merited. Multi-factor authentication for a muscle car discussion forum that contains no personal information and is in no way linked to your real email or financial information is obviously overkill. Having a second layer of authentication for your credit card or primary email account, however, is just practical—the personal and financial trauma that would result from an identity thief or other malicious entity having access to those things far outweighs the minor hassle of inputting an extra bit of information.
Any time two-factor authentication is available for a system and that system being compromised would cause you significant suffering, you should enable it. Having your email compromised opens you up to other services being compromised, as email serves as a sort of master key for access to password resets and other inquiries. If your bank provides a mobile authenticator or other tools, take advantage of it. Even for things like your roommate’s Diablo III account: players spend hundreds of hours building their characters and often spend real money purchasing in-game goods. Losing all that labor and gear is an awful proposition, so slap an authenticator on your account!
Not every service offers two-factor authentication, unfortunately. The best way to find out is to dig through the FAQ/support files and/or contact the support staff for the service in question. That said, many companies are vocal about their adoption of multi-factor authentication schemes.
Google has two-factor authentication both for SMS and with a handy mobile app—read our guide to installing and configuring the mobile app here.
LastPass offers multiple forms of multi-factor authentication including using Google Authenticator. We have a guide to configuring it here.
Facebook has a two-factor system called “login approvals” that uses SMS to confirm your identity.
SpiderOak, a Dropbox-like storage service, offers two-factor authentication.
Blizzard, the company behind games like World of Warcraft and Diablo, has a free authenticator.
Even if it looks, based on reading the FAQ file of the company in question, like they don’t have two-factor authentication, shoot them an email and ask. The more people that ask about two-factor, the higher the chance the company will implement it.
While two-factor authentication isn’t invulnerable to attack (a sophisticated man-in-the-middle attack or someone stealing your secondary authentication token and beating you with a pipe could crack it), it’s radically more secure than relying on a regular password, and simply having a two-factor system enabled makes you a much less compelling target.
Know of a service, big or small, that offers two-factor authentication? Sound off in the comments to alert your fellow readers.