
Financial Outsourcing Solutions

Bank Vault

FOS Blog

26 Oct 2017

Two-Factor Authentication

Two-Factor Authentication, or 2FA for short, is an underutilized security feature that could help prevent massive breaches from occurring.  For those of you who do not know, 2FA is simply a stronger form of computer security than using a password alone.  2FA works in conjunction with a password to provide additional security and comes in many forms.

The most common form of 2FA is a password plus a security code. For instance, say you were logging into an online banking or email account that had 2FA turned on.  The first step, as usual, would be to enter the email address along with the password.  But instead of going straight to the mailbox after the password is typed, a different screen would pop up asking for a security code.  This code can be received in a few different ways, for instance:

  • A code can be texted to your cell phone
  • You can receive a call, on your cell phone, from an automated service that reads the code to you
  • A notification can come through your phone, the same as a friend request from a social media site, an email, or a reminder
  • The code can also be emailed to a second email address (although a similar process would most likely be required to get into that email as well)
  • Another form of 2FA that exists but isn’t as popular is the random code generator, such as Google Authenticator, which generates a new code every 30-60 seconds. This form requires a bit more time to set up.
  • Biometrics (fingerprint, retinal scan, etc.) are usually considered the most secure form of 2FA but are less widely used due to the time, money, and technology needed to make them work properly.
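The code generator in the list above works by deriving a short number from a shared secret and the current 30-second time slot (the TOTP scheme, RFC 6238). The example below is added here to show that derivation and the server-side check; it is not code from the original post, and the demo secret, the one-step clock-drift window and the replay check are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the current 30-second slot."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used=None):
    """Server-side check. Accepts the current slot plus +/- `window` neighbours
    (assumed tolerance for phone clock drift), compares in constant time, and
    refuses any slot already consumed (`last_used`) so a code cannot be replayed.
    Returns the matched slot number for the caller to store, or None."""
    if at_time is None:
        at_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = at_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used is not None and candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


# Constructed demo secret (the RFC 6238 test-vector key). Authenticator apps
# normally receive it base32-encoded inside the enrolment QR code.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()

if __name__ == "__main__":
    print("provisioning secret (base32):", DEMO_SECRET_BASE32)
    code = totp(DEMO_SECRET, int(time.time()))
    print("current code:", code, "accepted slot:", verify_totp(DEMO_SECRET, code))
```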

So, say the option selected was a text message containing a code; after the password is entered, a one-time security code will be texted to your cell phone. That code will be required to proceed into your account or mailbox. This code is typically also used when you are trying to reset your password: you will need to enter one in order to actually reset it.

Using a cell phone as the second form of authentication is usually the most popular and easiest choice, because who doesn’t have their cell phone on them at any given time?  Also, more likely than not, you will be the only one who has access to the device.

The cell phone option is also useful in case someone tries to break into your email account.  If an attacker did not know your password, then he/she would most likely try to reset it to something they know but you do not.  Having this 2FA feature (really any 2FA feature) enabled can also alert you that someone is trying to access your account.  So, if you received a code and you were not trying to log into your account or change your password, then you know there is a strong possibility that someone else is.  If that’s the case, your email provider usually has a phone number or hotline you can call to inform them that an attacker is trying to gain access to your account.

Two-Factor Authentication is available for web-based email, such as Yahoo and Gmail.  Both have similar options, i.e. text message, phone call, or notification.  This form of authentication is becoming increasingly popular with online banking applications. As noted in the FFIEC Supplement to Authentication in an Internet Banking Environment, enhanced layered security such as 2FA should be implemented for high-risk transactions (wires, ACH, etc.). 2FA may seem like a hassle when all you want to do is check your email, but its benefits outweigh the negatives.  Most attackers go for the easiest option to steal information, and 2FA makes stealing information more difficult.  If spending a few more seconds on 2FA ultimately prevents your account from being hacked and your information from being stolen, isn’t it worth it?
