VII. Thou shalt use two factor authentication on any account that provides the facility.


Summary:

What is two factor authentication? Put simply, it is a way of gaining access to an application by using two separate means of verifying the identity of the person requesting access. The means of verification fall into three categories: (a) something you know, e.g. a password; (b) something you have, e.g. a mobile phone or a hardware token; (c) something you are, e.g. a fingerprint. For it to count as two factor, the two checks must come from two different categories: a password plus a security question is still just two things you know.

It is probably one of the best ways of protecting an on-line account from the evil doers who scour the web stealing passwords by the millions from the likes of LinkedIn and MySpace: a stolen password on its own is no longer enough to get in.

Withdrawing cash from an ATM is probably the most common use of Two Factor Authentication (2FA) you are familiar with. In order to get cash, you need something you have (the ATM card) and something you know (your PIN).

In the on-line world, 2FA protects your account in the case where, for example, hackers have obtained your password. If your account also requires your fingerprint to be scanned to gain access, then the hackers would need your finger to get in. As long as it is still attached to your body, and your body is not in the hackers' possession either, your account should be pretty safe.

A more common form of on-line 2FA is by use of SMS text messages to your mobile phone. When you try to log into your account with your username and password, a text message is sent to your mobile phone with a 5 or 6 digit code to be typed in after you have entered your password. If you suddenly receive a text message with such a code and you were not trying to log in to your account at that moment, then somebody has your password, but they shouldn't be able to get any further as they will not have the code that has been sent to you. Now would be a really good time to go and change your password on that account (and any other account that you use that password on, because you do that, don't you?). One more rule: never read that code out or type it in for anyone who calls, texts or e-mails asking for it; the only place it belongs is the log-in page you opened yourself.

Lots of on-line services offer 2FA (Google, Microsoft, Apple, LinkedIn, Facebook, Dropbox, Evernote, etc.). For a full list check this website. If you have an account that has 2FA available, you really should go and enable it now; it is a massive increase in protection for a few minutes' effort.

That's all there is to it. Below I continue with some details on the subject of Two Factor Authentication. If you are not interested in such particulars, just make sure you have activated it on all accounts that offer it, in particular e-mail accounts, since the e-mail account is the one that resets the passwords of all the others.

Detail:

I have to enter a password AND a separate code at EVERY log on:

Depending on the application, you may only need to enter the separate code once per device or browser. If the device you use is always under your control, you should be offered an option to "Trust this device" (or "Remember this browser"), which, if checked, means you will not be prompted for the second factor at each and every log on. That trust is usually stored as a cookie or token on the device itself, which is why it should only be used on devices nobody else can get at.

If your device is not always under your control, or it is particularly portable (i.e. particularly theft-friendly), then you really should set it to always ask for the second factor on log in. I know this may seem like a big ask, but you will get used to it very quickly.

Just think of the absolute hassle and suffering you would go through if somebody compromised your e-mail account and started spamming your customers and colleagues. If the bad guys have your e-mail account, they can easily reset your social media account passwords (the reset links land in that mailbox) and start posting inappropriate messages. All this because you found it a little bit inconvenient to spend an additional 5-10 seconds logging in at the start of the day.

Two Factor Authentication Apps/Tokens:

SMS text messages are not the most secure way to receive a second factor, because the code has to travel over the mobile network between the service and your phone. A committed attacker can (a) intercept or redirect the messages, or (b) take over your mobile number, for example by persuading your carrier to move it to a SIM card they control (a "SIM swap"). A code can also simply be phished: if a fake log-in page asks you for the code right after your password and you type it in, the attacker now has both.

An Authenticator App or Token can be used in place of an SMS text message. These show a fresh 6 digit code every 30 seconds, derived from a secret that was shared with the service when you set it up (usually by scanning a QR code) and from the current time. The codes are not random: the service holds the same secret, does the same calculation, and checks that your code matches. Because nothing is sent to the phone at log-in time, this removes the communication channel between you entering the password and you providing the code.

One such app, available on a number of platforms including iOS and Android, is Google Authenticator. It can provide your second factor on services such as Amazon, Dropbox, Facebook, Evernote, Salesforce.com and, obviously, Google's own platform; any service that follows the same open standard (TOTP) will work with it.

The only real issue with using such an app is when you lose your phone or it is damaged beyond repair, as the secret lives only on that device. When you set up the authenticator app on a service, the service should either ask you for a backup phone number or give you a set of single-use backup codes (sometimes called recovery codes), which you should print and keep somewhere safe, because they may be the only way back into the service when you no longer have access to the app. Treat them like cash: anyone who finds them can use them, each one works only once, and once you have had to use one it is worth generating a fresh set.
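An added example of the service side of those backup codes, written by me for this page and not taken from any particular provider: generating a batch of single-use codes, storing only salted hashes of them so a leaked database does not hand out working codes, and consuming each one exactly once. The alphabet, code format and hash iteration count are my assumptions.

```python
"""Single-use backup (recovery) codes, as a service might issue them.

Added example, not the original post's code or any provider's implementation.
"""
import hashlib
import hmac
import secrets

# Assumed format: 2 groups of 5 lower-case characters, ambiguous ones removed
# so a printed code can be read back without mistaking 0/o or 1/l.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS = 2
GROUP_LEN = 5


def generate_recovery_codes(count: int = 10) -> list:
    """Return `count` fresh codes drawn from the OS CSPRNG."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN))
                 for _ in range(GROUPS)]
        codes.append("-".join(parts))
    return codes


def normalise(code: str) -> str:
    """Ignore case, spaces and dashes so a hand-typed code still matches."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow salted hash: a leaked table of these is not a list of valid codes."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, 100_000)


class RecoveryCodeStore:
    """What the service keeps: a per-user salt and the hashes of unused codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, candidate: str) -> bool:
        """Accept a code at most once; remove it the moment it is used."""
        h = hash_code(candidate, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(h, stored):
                self.unused.remove(stored)
                return True
        return False


if __name__ == "__main__":
    batch = generate_recovery_codes()
    store = RecoveryCodeStore(batch)  # the service keeps this
    print("\n".join(batch))           # the user prints this and puts it in a drawer
    print("first use:", store.redeem(batch[0]), "second use:", store.redeem(batch[0]))
```

Each code here carries roughly 50 bits of entropy, which is fine for a code that is only ever tried against a rate-limited log-in form; the slow hash is there so that a copy of the service's database is no better for the attacker than guessing.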

Can’t fingerprints be compromised:

There was a Mythbusters episode where the team showed how they were able to fool a fingerprint reader on a door lock. It should be pointed out that this door lock should also have been configured for PIN entry, so that there would have been proper two factor authentication (something you are plus something you know). Also in this episode, the fingerprint reader on a ~2006 model laptop offered more protection against the faked fingerprint than the door scanner did.

So, yes, they can be compromised, but other "something you are" attributes (also referred to as biometrics) are available, like iris scanning, voice or facial recognition, etc. None of these is completely fool-proof, and unlike a password a fingerprint cannot be changed once it has been copied, which is why biometrics need to be used in conjunction with other factors to offer greater security.

Conclusion:

If you have any comments, suggestions or questions on the above, please leave a comment below.

Do you have a Commandment for Cyber Security to add, or any thoughts on those I have listed? If so, please let me know and I will do a follow up once I have completed the run through.