Guide to Two Factor Authentication

In today's online world, digital fraud is a constant worry. It seems almost as though every week brings the announcement of another company having been hacked or their data being breached somehow, exposing personal information and passwords to potential identity thieves and criminals.

The simple model of username and password often doesn't provide adequate protection for sensitive information, such as bank accounts, private photographs, or personal records. This is where Two Factor Authentication (2FA) comes into the picture.

2FA, which technically is a subset of the broader category Multi Factor Authentication, is a protocol for verifying a person's identity before giving him or her access to an account or other piece or pieces of sensitive information.

Rather than using only a username and password, a user attempting to log into a system protected by 2FA will be asked to provide another piece of data to further confirm their identity. This could mean answering a security question known only to the user, it could take the form of a phone call to the user's personal telephone, or it could even be a physical thing, like a fingerprint scan or a key card.

Brief Background of 2FA

2FA has been around for a while, even though many people have never explicitly heard of it. Take this classic example: withdrawing money from an ATM. If a person were able to walk up to an ATM and withdraw money by entering only their PIN, or by inserting only their bank card, ATMs would clearly be far more prone to being victimized by thieves.

Instead, to withdraw money from an ATM, it's necessary both to slide in the bank card and then to enter the PIN. Most people are so used to making a transaction like that that it probably feels like one piece of authentication. But it's actually 2FA at work.

An important concept in 2FA, which is embodied by that ATM example, is the distinction between knowledge-based factors and possession-based factors. Often, 2FA strives to pair one knowledge factor with one possession factor.

Knowledge Factors

The idea of a knowledge factor is that it is a form of authentication based on the user having knowledge of something a would-be hacker or thief wouldn't know. Passwords, PINs, security questions like 'What was your third grade teacher's name?', or any security measure requiring the user to provide information are examples of knowledge factors.

Knowledge factors are the most commonly used authentication factors. However, they're not always the most secure, especially when not paired with other authentication factors.

One drawback with knowledge factors is that people tend to be lax with their personal security. For example, account passwords are intended to be memorized by the user, not written down or recorded. In reality, people often write down passwords or store them digitally, and if those records are stolen or accessed, a thief has defeated this authentication factor. Further, people often choose easy-to-guess passwords, meaning a thief doesn't even need to interact with the person's space in any way.

Another problem with knowledge factors like security questions is that sometimes the information being asked about is something that can be researched by a third party. All in all, knowledge factors alone, especially a single factor, can be somewhat risky.

Possession Factors

Possession factors relate to authentication based on a physical thing someone has in their possession. Examples of possession factors are magnetized cards, personal phones that can be called, and even fingerprints and retinas that can be scanned. An example of a possession factor that's been around for centuries is a lock and key.

Often, possession factors are harder to fake than knowledge factors, especially biometric-based authentication factors. If security is absolutely the number one concern, including a possession factor in the authentication process is advisable.

The beauty of 2FA is that it's far more difficult to penetrate both factors than it would be to defeat either one alone. It might be possible to find out or guess a person's password, or to steal someone's phone, but the odds of doing both are far worse.
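The following is an added example, not code from the original article, illustrating the knowledge-plus-possession pairing described above and why compromising one factor is not enough. It models a login in two steps: the password (knowledge factor) is verified against a salted hash, and only then is a short-lived, single-use code issued to the registered phone (possession factor). The TwoFactorAuthenticator class, the phone numbers, and the delivered list standing in for a real phone call or text message are all hypothetical constructions for this example.

```python
import hashlib
import hmac
import os
import secrets
import time


class TwoFactorAuthenticator:
    """Hypothetical login service pairing a knowledge factor with a possession factor."""

    CODE_LIFETIME_SECONDS = 300   # one-time code is useless after five minutes
    MAX_CODE_ATTEMPTS = 3         # stop online guessing of the six-digit code

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be exercised offline
        self._users = {}          # username -> {"salt", "pw_hash", "phone"}
        self._pending = {}        # username -> {"code", "expires", "attempts"}
        self.delivered = []       # constructed stand-in for the phone call / SMS channel

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a stolen database does not directly expose passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, password: str, phone: str) -> None:
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "phone": phone,
        }

    def check_password(self, username: str, password: str) -> bool:
        """Knowledge factor: does the caller know the password?"""
        user = self._users.get(username)
        if user is None:
            # Hash anyway so response time does not reveal whether the account exists.
            self._hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(user["pw_hash"], self._hash_password(password, user["salt"]))

    def begin_login(self, username: str, password: str) -> bool:
        """Step 1. Only a correct password causes a one-time code to be sent to the phone."""
        if not self.check_password(username, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = {
            "code": code,
            "expires": self._now() + self.CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        self.delivered.append((self._users[username]["phone"], code))
        return True

    def finish_login(self, username: str, code: str) -> bool:
        """Step 2. Possession factor: does the caller hold the phone the code went to?"""
        pending = self._pending.get(username)
        if pending is None:
            return False          # no completed password step, so a code alone proves nothing
        pending["attempts"] += 1
        if self._now() > pending["expires"] or pending["attempts"] > self.MAX_CODE_ATTEMPTS:
            del self._pending[username]
            return False
        if not hmac.compare_digest(pending["code"], code):
            return False
        del self._pending[username]   # single use: a replayed code must fail
        return True


def demo() -> dict:
    """Walk through the outcomes a defender cares about; returns them for inspection."""
    auth = TwoFactorAuthenticator()
    auth.register("alice", "correct horse battery", "+1-555-0100")   # constructed sample user
    results = {}
    # Attacker knows only a guessed password: no code is ever sent.
    results["wrong_password"] = auth.begin_login("alice", "password123")
    results["code_without_password"] = auth.finish_login("alice", "123456")
    # Legitimate user: password first, then the code that reached the phone.
    results["right_password"] = auth.begin_login("alice", "correct horse battery")
    phone, code = auth.delivered[-1]
    results["both_factors"] = auth.finish_login("alice", code)
    results["replayed_code"] = auth.finish_login("alice", code)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {'accepted' if outcome else 'rejected'}")
```

Run as a script it prints which attempts are accepted; only the attempt that presents the password and then the freshly delivered code succeeds. The injectable clock lets the expiry rule be exercised without waiting five minutes.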

This is why most serious accounts today require 2FA.