The power of two – All you need to know about two-factor authentication


This article intends to cover the major aspects of two-factor authentication, including what it is, how it works and where you can use it.

Over and over we hear of stolen password databases, phishing attacks, malware that collects all of our keystrokes and even credit card skimmers installed in our local ATMs or at our favourite retailers.

For those who learn best by listening, you may wish to listen to the Techknow podcast Paul Ducklin and I did on the topic last year.


What is two-factor authentication (2FA)?

Note: Also referred to as multi-factor or two-step verification.

2FA is, by definition, the process of verifying someone’s identity using two out of three possible kinds of identifier:

  • Something you know (a password, passphrase, PIN or secret answer)
  • Something you have (your phone, a token, a smartcard or a key)
  • Something you are (fingerprints, iris scan, retinal scan, vein matching or bone structure)

Traditional online authentication has relied on the password, something you know. There are several problems with this approach.

  • A password is by definition a “shared” secret that you must give to the organization identifying you. While it is possible for this to be done securely, more often than not you have no way to verify it has been safely transmitted or stored.
  • Anyone observing you, whether through malware monitoring your keystrokes or by watching over your shoulder or with a camera, can obtain your secret.
  • We are bad at memorizing difficult-to-guess passphrases, leading us to both reuse passwords and choose passwords of insufficient complexity.

Ideally, by requiring something physical along with something in your brain you dramatically reduce the risk of being impersonated.

Of course, we do not live in a perfect world, and 2FA has its faults. However, I think you’ll agree that it is a major improvement and that the days of the eight-character password have passed.
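To make the two-factor idea concrete, here is a small login check that requires both a knowledge factor and a possession factor. It is an added example, not code from the original article: it assumes the possession factor is a time-based one-time code of the kind a phone or hardware token generates (TOTP, RFC 6238, HMAC-SHA1 over a 30-second counter), and it stores the password only as a salted PBKDF2 hash so the server never keeps the shared secret itself. The user record, the demo secret and the passphrase are constructed for the example; the secret is the RFC 6238 test-vector key, chosen only so the codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo value: the 20-byte RFC 6238 SHA-1 test secret.
# A real deployment generates a fresh random secret per user at enrolment.
DEMO_TOTP_SECRET = b"12345678901234567890"
TOTP_STEP_SECONDS = 30


def hash_password(password, salt=None, iterations=200_000):
    """Something you know: store a salted PBKDF2-HMAC-SHA256 hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def totp(secret, timestamp, step=TOTP_STEP_SECONDS, digits=6):
    """Something you have: the code a TOTP device shows at `timestamp` (RFC 6238)."""
    counter = int(timestamp) // step
    message = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def verify_totp(secret, code, timestamp, window=1):
    """Accept the current code and `window` steps either side to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP_SECONDS)
        # Check every candidate rather than returning early, to keep timing uniform.
        ok |= hmac.compare_digest(expected, code)
    return ok


def make_user(password, totp_secret):
    """Constructed user record: hashed knowledge factor plus enrolled device secret."""
    return {"password": hash_password(password), "totp_secret": totp_secret}


def authenticate(user, password, code, now=None):
    """Both factors must pass; a single boolean avoids telling a caller which one failed."""
    now = time.time() if now is None else now
    knows = verify_password(password, user["password"])
    has = verify_totp(user["totp_secret"], code, now)
    return knows and has


if __name__ == "__main__":
    passphrase = "JustThe2ofus,youandi.JusttheTWOofus."   # constructed example value
    user = make_user(passphrase, DEMO_TOTP_SECRET)
    current_code = totp(DEMO_TOTP_SECRET, time.time())
    print("passphrase + device code:", authenticate(user, passphrase, current_code))
    print("passphrase alone (bad code):", authenticate(user, passphrase, "000000"))
    print("device code alone (bad passphrase):", authenticate(user, "Princess123", current_code))
```

The point the code makes is the one the text makes: stealing the password database yields only salted hashes, and a keylogger that captures both the passphrase and one code gets a code that stops working within a minute or so, because the counter has moved on and the drift window no longer covers it.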

Something you know

Seems obvious, right? It doesn’t have to be a password, though. You may have noticed that I’ve mixed the use of password and passphrase in this article.

While the concepts are similar, the word password suggests a single word, and when it comes to passwords, length matters.

I prefer passphrase, with the hope that people will take that to heart and choose something more along the lines of “JustThe2ofus,youandi.JusttheTWOofus.” instead of “Princess123”.

Another form of something you know is a PIN. I am not a fan of the PIN, but depending on the access scenario, it can work well. Cash machines are a form of two-factor authentication using a PIN: the card is something you have and the PIN is something you know.

Pattern-based authentication is a third type of knowledge factor in authentication. Users of Windows 8 or Android devices may have seen this alternative to a traditional password.
