5 Things You Need to Know about Two-Factor Authentication

People store an enormous amount of information online. The average American has over 130 online accounts – and that number is quickly rising! Unfortunately, too many people use poor password practices, or link accounts together, which puts all their online data at risk. In response, many services are turning to two-factor or two-step authentication to help safeguard your online accounts.

What is two-factor authentication?

secure login illustration

Any form of authentication – two-factor, two-step, or multi-step – is designed to verify that you are the legitimate owner of the account you’re trying to access. These methods ensure a more secure connection and help protect against unwanted use of your online accounts.
Businesses especially should encourage use of two-factor authentication whenever possible. Employees regularly browse work-related resources from a home computer or smartphone. Plus, so many sites have a “Sign in with Facebook” or “Sign in with Google” option that employees may be linking personal accounts with business information. Enabling extra authentication is a great way to strengthen security and protect against hackers.

1. What are authentication factors?

Currently, there are three different types of authentication factors:

  1. Something you know: Ex. Password, PIN number, SMS code
  2. Something you have: Ex. Debit/credit card, token, ID card
  3. Something you are: Ex. Fingerprint, facial scan, other biometric identifier

You probably use some form of multi-step verification already, but you might not realize it. In order to withdraw money from an ATM, you need your debit card (something you have) and your PIN number (something you know). Or, when you sign into your bank account online, sometimes they send you text message with an additional code you need to enter, beyond your password. In both cases, you’re required to use more than one credential to verify your identity.

2. Passwords aren’t enough anymore

Let’s go back to that first statistic we mentioned – that the average person has 130 different online accounts. In theory, that means that every person should have 130 different passwords. But who can remember that many passwords?
That’s why most people resort to bad password practices. They use a handful of passwords, shared across multiple accounts. And even those passwords are usually short and easy to remember. Even if you use strong passwords and a password manager, your passwords are still vulnerable. Hackers, armed with modern computing power, are more sophisticated than ever and can crack even “strong” passwords in record time.

>>Related Article: Why 'password' is Not a Secure Password

Bottom line: passwords are simply insecure. Two-factor authentication can help solve that problem by making you prove your identity through other methods. The concept is: even if someone else gets your password, they likely won’t also have your phone, your fingerprint, etc. to impersonate you.

3. There is a difference between two-factor and two-step authentication

While people often use the terms interchangeably, there is a difference between two-factor and two-step authentication.
Two-factor authentication uses two different factors to verify your identity, while two-step uses the same factor twice.
For example, earlier we talked about your debit card and your PIN number. That’s two-factor, because it pairs something you have (the card) with something you know (the PIN).
Signing into your online bank with your password and an SMS code texted to your phone is two-step. Both are something you know. While it may seem like this depends on your phone – something you have – hackers could intercept the code without physically getting your phone.
For example, hackers managed to bypass the two-step security at multiple European banks. Using phishing emails, they installed malicious code on users’ computers and directed them to fake bank websites. The victims then unwittingly gave up both their password and the extra verification code.
Ultimately, any extra verification step helps. But if given a choice between true two-factor and two-step authentication, using multiple factors is usually more secure.

4. Prioritize your most at-risk accounts

facebook & google

As far as online accounts go, your email and social media profiles are the ones most worth protecting.

Why? Many online services let you sign up with your email or Facebook login to streamline the signup process. That means that if hackers get access to one account, they probably have access to many more. Your email is also where you receive password reset instructions and important communications from websites.
A hacker who has access to your email would be able to access any other services you’ve signed into with your email. They could also search for old registration messages to find other accounts, reset your passwords, or contact support to gain access to your accounts.
Banks are also key accounts worth protecting, but unfortunately, not all banks offer two-factor authentication. Check with your bank to see if it’s something they offer.
Thankfully, most large email providers and social networks do offer two-factor or two-step verification. Check out the instructions from Google, Microsoft, Facebook, and LinkedIn on how to enable authentication, and make it part of your normal account setup process in the future.

5. Be cautious about enabling “trusted devices”

Many websites who support the two-factor authentication method also let you enable ‘trusted devices.’ Signing into a website from your desktop PC for the first time might prompt you to ‘trust this device in the future’. This actually disables two-factor authentication for that device moving forward, creating a weaker defense that relies solely on passwords.

While this makes it easier on the user’s end, it opens up vulnerabilities. If you select your smartphone as a trusted device and it’s lost or stolen, it will be that much easier for a hacker to access your account. In the event that a trusted device becomes compromised, most websites allow users to remove the device from the list to prevent misuse or unwanted access.
If you want to improve your security and protect your online accounts, give us a call. We can help you implement stronger two-factor authentication for your servers, employees, or website.