Everyone living in this digital age probably has an intuitive idea of what the point of two-factor authentication (2FA) is. It’s an extra layer of security on top of your usual login, but what is this layer made of? And is this kind of “extra” even enough to protect your data? In this article, we look into how it works, where it works, and where it doesn’t.
There are generally three factors for authentication: the knowledge factor (something you know), such as your PIN or password; the possession factor (something you have), such as a hardware token or one-time PINs from authenticator apps; and the inherence factor (something you are), like biometrics. 2FA combines any two of these factors to protect your account, making it harder for potential intruders to gain access and steal your personal data or identity.
This isn’t exactly a new thing, though. According to SecurEnvoy, the use of 2FA has become far more prevalent only recently. As early as February 2011, Google announced two-factor authentication online for its users, followed by MSN and Yahoo. A guide called TwoFactorAuth.org is constantly being updated by users from all around the world, so that people can check whether their service has the 2FA option available.
So it was a thing of the past, and it’s an even bigger deal today. Question is, do you need it? Keep in mind that, regardless of how strong your password is, hackers have several gateways to choose from other than breaching it, like planting malware or links into seemingly secure sites and emails. So yes, it’s definitely a worthwhile step for your security. But just like getting a password manager, opting in requires thorough thinking. The benefits aren’t necessarily the same for all your accounts, as each one may have varying importance to you.
Not enabling additional security, like 2FA, on any of your accounts means ignoring the risks of having your property and identity stolen altogether. For instance, online banking services worldwide are gradually rolling out 2FA as a mandatory opt-in, while pairing it with measures like locking out your account when 3 invalid logins have been triggered. Twitter has made verification codes accessible via SMS only, so if this doesn’t seem sufficient for you, then try using an authenticator app to generate one-time codes, or a hardware token like Yubico’s YubiKeys.
On the other hand, opting into 2FA for all your accounts might make for an unnecessary trade-off of convenience for barely any security. “Two-factor authentication does improve security, but it’s not the solution in all cases. Adopting the wrong 2FA solution can burden users with little security benefit,” according to WIRED’s article about the 5 myths of 2FA. So your occasionally accessed Tumblr or 9GAG accounts certainly don’t have much to be desired.
Despite the promise of additional protection, 2FA isn’t exactly the most impervious measure against hackers. WIRED points out that while two-factor authentication does improve security, it’s not perfect. It attracts attackers because mainly high-value applications use it. “A service using SMS can be vulnerable to any number of telecom providers’ practices regarding reassignment of phone numbers or security of messages. Malware on users’ phones that intercepts SMS messages and sends them to an attacker is also becoming more common.” This means that starting 2FA is only one of several well-thought-out taps and clicks you have to take to show that you’re not letting scams of any variation get past you. What’s important is that you take steps that work for you in securing your clients, your business, and yourself from online attacks.