dark mode light mode Search Menu
Search

2FA

Kate Russell on Flickr

Experts compare computer security to a chain. Every link in the chain needs to be strong: good encryption, good network protocols, good passwords. An attacker only needs to break one link for the whole chain to go down. Naturally, they’ll go after the weakest link.

Turns out the weakest link in computer security is usually humans. Specifically, our passwords.

After all, who has time to remember 67 different passwords, each 25 characters long, each a jolly jumble of numbers and letters? No one, that’s who. Either we walk around with giant lists of passwords or we cut corners. We reuse passwords; we keep to the minimum length; we choose passwords that are easy to remember… like ‘password123’.

And since people aren’t a fan of getting hacked, companies came up with a novel idea to make up for the fact that our passwords are terrible: a second authentication factor!

‘Authentication Factor’ is just a fancy of way of saying ‘something that proves your identity’. In real life we have passports, health cards, and driver’s licenses. Online, we have passwords. With 2FA (2-factor authentication), instead of providing one piece of online ID, you provide two. That way, if one password is compromised, the other stands strong and unbroken.

Wait, a second password? Isn’t that worse?

The second authentication factor doesn’t have to be a second password. A security pin is a password-like 2FA scheme. Since a pin is usually between 4-8 digits, it’s a little bit easier to remember. However, a small pin won’t make user accounts hack-proof; it only adds a second, flimsier layer of protection.

Here’s some clever 2FA solutions:

Security questions are a concept you’ve probably seen before. Instead of inventing a random password, you draw on real-life memories: mother’s maiden name, favourite teacher, first pet. Let’s just hope your answers stay the same, and you’re not left wondering what your favourite band was 5 years ago when you first answered the questions.

Banking websites, and other servers that deal with highly confidential information, often track user data such as IP (location) or MAC (computer) addresses. If all your computer traffic comes from North America, and your account logs in from Asia, your bank might be a tad suspicious. Bonus: no extra work for users.

The most classic 2FA system is physical tokens: making users carry around a hardware device to provide 2FA. One example is the RSA SecureID token, which is a small, key-shaped electronic device that displays a 6-digit number. Each token is a associated with a single user account, and the number it displays changes every minute. So when logging into your account, you have to enter your username, password, and then the RSA token’s number.

On the plus side, it’s virtually impossible for an online attacker to get ahold of this token. On the minus side, if you’ve ever misplaced your keys or your phone or your lunchbox, chance are that you’ll misplace this token — and then you can’t login. Not fun.

In the last few years, the rising popularity of smartphones has made 2FA apps feasible. Gmail has one; whenever you try to log in, a single-use code is sent to your phone via text, voice call, or through Gmail’s mobile app. It’s a similar process as the RSA tokens, except Gmail harnesses a your smartphone.

Startup companies galore have jumped on this bandwagon. There are apps that use one-time passwords (OTPs) and apps with tap authentication; apps that go through WiFi and apps that use SMS.

None of the solutions are perfect. All involve more inconvenience for people, and none are foolproof; but they’re certainly better than nothing.

Would you use 2FA on your accounts? Is it too much trouble, or do you like the idea of extra protection? What do you think is the best 2FA solution?

Learn More

Multi-Factor Authentication

https://en.wikipedia.org/wiki/Multi-factor_authentication

Google’s Two-Step Authentication Process

https://www.google.ca/landing/2step

Create Safe Passwords (Public Safety Canada)

https://www.youtube.com/watch?v=aEmF3Iylvr4

Choosing a Secure Password

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

2FA FAQ

https://www.cnet.com/news/two-factor-authentication-what-you-need-to-know-faq/

@Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough

https://www.wired.com/2016/06/deray-twitter-hack-2-factor-isnt-enough/

Your cell phone number could be hijacked unless you add a PIN to your carrier account

http://www.macworld.com/article/3082626/security/your-cell-phone-number-could-be-hijacked-unless-you-add-a-pin-to-your-carrier-account.html

Hackers are using this nasty text-message trick to break into people’s accounts

http://www.businessinsider.com/hackers-are-spoofing-text-messages-to-steal-two-factor-authentication-codes-2016-6

Google is making two-factor authentication a lot easier to use

http://www.theverge.com/2016/6/21/11986822/google-two-factor-authentication-improvements-features