Why 2FA for Passwords works, and what you should know.
2FA, or “Two Factor Authentication,” is a means of requiring something in addition to your password, to login to a Website, computer, phone, application, etc. You have used two factor authentication many times. If your bank or brokerage account login requires entering a PIN from a text or email message, that is 2FA in action. Entering the 3 or 4 digit number from your credit card is the same idea. If you have used a “fob” at work that generates a random sequence of numbers to login, this is two factor authentication at work.
OK, but how does 2FA make me safer?
Great question! I love your enthusiasm. The metaphor I use is thinking of 2FA like a safety deposit box. Without your key, AND the bankers key, you’re not getting into that box. Two factor authentication is similar; it requires something you know, usually a password, and something that is provided such as a text message code, an email code, a “code generator application,” or a physical input such as your fingerprint, or retina scan for the Sci-Fi buffs, etc. Just like a safety deposit box is safer because the bankers key, in addition to yours, is required to open it, 2FA introduces a 2nd challenge, or “authentication factor” to better protect you.
Here is a tiny list of Websites / services that support two factor authentication: Google, Facebook, Twitter, Dropbox, PayPal, and most banks. There are thousands of others.
Interesting Spencer, but will 2FA protect me from hackers?
In general, yes. However, I hate generalities and it would be disingenuous for me to tell you 2FA will protect you in ALL circumstances. Regardless, it is far more difficult to hack two “factors” of authentication than one. Part of the issue, is that not all two factor methods are created equally. A text message is marginally secure because it is possible for a hacker to get both your password, and a way to receive your texts or your phone itself. Twitter recently introduced 2FA using only text messaging to an underwhelmed IT security community. Code generators, like Google’s for Android, or iOS, are much more difficult to hack.
Therefore, 2FA is good, but not perfect. Is it worth using?
Absolutely! As mentioned, 2 Factors of Authentication are more difficult to break through than one. The best system that is currently available is using a password manager with stronger 2FA. Utilizing a password manager allows you to generate, store, and autofill, complex passwords. Moreover, leading password managers, like LastPass, allow you to choose from numerous forms of 2FA, including YubiKeys, which are small, USB-based, devices that utilize a complex floating key – a continuously changing code based on complex algorithms. The best part, it’s transparent to you! You simply stick your YubiKey in your computer, and touch the button. Newer YubiKeys even work with smartphones via NFC (Near Field Communication).
Two Keys Are Better Than One
It would be impossible to cover all aspects of two factor authentication, or password managers, in many posts, let alone one. However, I strongly urge you to use 2FA whenever it is offered. Nothing is unhackable, but it gives you far more protection than using “just a password.” It does add a bit more time to login, though minimally so.
After 15 years of IT security experience, I believe the best protection comes from combining a password manager like LastPass, with a strong 2FA method, such as a YubiKey. The best part, you only need to remember one password!
2FA is also known as Multifactor Authentication
I know this is needlessly confusing. You likely will see both terms. 2FA specifically refers to two factors, while Multifactor requires two or more factors. Also, many organizations “brand” their two factor implementation. Google’s “2 Step Verification” is a good example of this.
