Two-factor authentication
By Martin Edwards
For decades, passwords have been our main means of
authentication — the way we prove our identity to access a private
resource, like email or a bank account. So long as your password is known only to you, your
information and money remain very safe.
But the secrecy of a password can be compromised in several ways:
- It might be leaked in a data breach.
- You might be tricked into disclosing it by a
phishing email.
- Someone might guess it, or write software to automatically make thousands of guesses
until one is correct.
As we depend increasingly on online transactions, and store more of our data in the cloud,
the idea that a humble password stands between our private accounts and the rest of the world is
becoming less acceptable.
A familiar concept
Think about chip and PIN. It makes your bank account more secure because you need two different
things to use your debit card:
- Something you have (the card).
- Something you know (the PIN).
Previously, just having the card was enough. Anyone who obtained it could go shopping —
assuming they could roughly imitate your signature (and doesn’t the idea of comparing
signatures seem primitive now).
Online accounts
Chip and PIN is the most familiar form of two-factor authentication
(2FA), but a similar approach is now common for online accounts.
Note: Some services call it two-step verification, and you might also see the
more generic term multi-factor authentication. They’re the same thing.
If you have an account with Amazon, AOL, Apple, Facebook, Google, Microsoft or Yahoo, you
should enable two-factor authentication because it greatly increases security. Many other
companies offer it too.
Note: A study by Microsoft found that multi-factor authentication prevented over 99.9% of attacks on
accounts from succeeding. It’s not often an invention proves so effective!
Logging in
Let’s use Gmail as an example. You already have a password; it’s the ‘thing you know’.
With two-factor authentication, your mobile phone becomes the ‘thing you have’.
You go to check your email on your computer, and enter your password in the usual way. Google
then texts or calls you with a one-time passcode that’s valid for a
short time and can be used only once. Knowing this code proves your possession of the phone — a
pretty good way to verify that you’re who you claim to be. You type the code into the computer,
and Gmail opens.
It would be annoying to do this every time, so Google remembers your particular
computer and only makes you repeat this process occasionally.
Thwarting hackers
Now imagine a hacker guesses your password, obtains it from a data breach, or tricks you into
disclosing it via phishing. Their goal is to access your Gmail from their computer.
They get your password correct. But because their computer is unfamiliar, Gmail asks
for a one-time passcode — which arrives, of course, on your phone. The hacker is
thwarted because they don’t know the code.
Two-factor authentication is just a few small steps for you, and one giant leap for the
security of your accounts! Once you’ve set it up, it will go a long way towards keeping hackers
out, without inconveniencing you from day to day.
What if you lose your phone or have poor signal?
First, it’s a good idea to have more than one phone registered. These may include your mobile,
landline, or a partner or friend’s phone.
Second, you might be able to install an authenticator app on your
phone or tablet which can generate codes even when offline.
Finally, some companies offer extra options of their own. For example:
- In the case of Apple, your Mac can receive codes.
- With Google you can print 10 emergency codes to hide in a drawer or take travelling.
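A worked example of what the authenticator app mentioned above does, and of how a service checks the result, added here and not part of the original article: the time-based one-time password algorithm (RFC 6238) that such apps implement, with a server-side check that accepts each code only within a short window and only once. The secret used is the test key published in the RFC, not a real one; the Verifier class and its names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, the interval authenticator apps use
DIGITS = 6


def totp(secret_b32: str, for_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = for_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


class Verifier:
    """Server-side check: a code is valid for a short window and accepted only once."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window        # steps of clock drift tolerated either side of 'now'
        self.last_counter = -1      # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        # Try the exact step first, then neighbouring steps for clock drift.
        for drift in sorted(range(-self.window, self.window + 1), key=abs):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue            # this step (or an earlier one) was already used: replay
            expected = totp(self.secret, candidate * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


# Constructed demo value: the test key from RFC 6238 ("12345678901234567890" in base32).
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    verifier = Verifier(DEMO_SECRET)
    now = int(time.time())
    code = totp(DEMO_SECRET, now)      # what the phone would display right now
    print("code:", code, "first use:", verifier.verify(code, now),
          "second use:", verifier.verify(code, now))
```

The same secret is what the QR code shows when you enrol an authenticator app, which is why the app can produce the code without any signal.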