Kate Russell on Flickr

This odd acronym offers security protection beyond your password. Here are a few examples of how 2FA works.

Experts compare computer security to a chain. Every link in the chain needs to be strong: good encryption, good network protocols, good passwords. An attacker only needs to break one link for the whole chain to go down. Naturally, they’ll go after the weakest link.

Turns out the weakest link in computer security is usually humans. Specifically, our passwords.

After all, who has time to remember 67 different passwords, each 25 characters long, each a jolly jumble of numbers and letters? No one, that’s who. Either we walk around with giant lists of passwords or we cut corners. We reuse passwords; we keep to the minimum length; we choose passwords that are easy to remember… like ‘password123’.

And since people aren’t a fan of getting hacked, companies came up with a novel idea to make up for the fact that our passwords are terrible: a second authentication factor!

‘Authentication Factor’ is just a fancy way of saying ‘something that proves your identity’. In real life we have passports, health cards, and driver’s licenses. Online, we have passwords. With 2FA (2-factor authentication), instead of providing one piece of online ID, you provide two. That way, if one password is compromised, the other stands strong and unbroken.

Wait, a second password? Isn’t that worse?

The second authentication factor doesn’t have to be a second password. A security PIN is a password-like 2FA scheme. Since a PIN is usually between 4 and 8 digits, it’s a little bit easier to remember. However, a small PIN won’t make user accounts hack-proof; it only adds a second, flimsier layer of protection.

Here are some clever 2FA solutions:

Security questions are a concept you’ve probably seen before. Instead of inventing a random password, you draw on real-life memories: mother’s maiden name, favourite teacher, first pet. Let’s just hope your answers stay the same, and you’re not left wondering what your favourite band was 5 years ago when you first answered the questions.

Banking websites, and other servers that deal with highly confidential information, often track user data such as IP (location) or MAC (computer) addresses. If all your computer traffic comes from North America, and your account logs in from Asia, your bank might be a tad suspicious. Bonus: no extra work for users.

The most classic 2FA system is physical tokens: making users carry around a hardware device to provide 2FA. One example is the RSA SecurID token, which is a small, key-shaped electronic device that displays a 6-digit number. Each token is associated with a single user account, and the number it displays changes every minute. So when logging into your account, you have to enter your username, password, and then the RSA token’s number.

On the plus side, it’s virtually impossible for an online attacker to get ahold of this token. On the minus side, if you’ve ever misplaced your keys or your phone or your lunchbox, chances are that you’ll misplace this token — and then you can’t log in. Not fun.

In the last few years, the rising popularity of smartphones has made 2FA apps feasible. Gmail has one; whenever you try to log in, a single-use code is sent to your phone via text, voice call, or through Gmail’s mobile app. It’s a similar process to the RSA tokens, except Gmail harnesses your smartphone.

Startup companies galore have jumped on this bandwagon. There are apps that use one-time passwords (OTPs) and apps with tap authentication; apps that go through WiFi and apps that use SMS.

None of the solutions are perfect. All involve more inconvenience for people, and none are foolproof; but they’re certainly better than nothing.

Would you use 2FA on your accounts? Is it too much trouble, or do you like the idea of extra protection? What do you think is the best 2FA solution?

Learn More

Multi-Factor Authentication


Google’s Two-Step Authentication Process


Create Safe Passwords (Public Safety Canada)


Choosing a Secure Password




@Deray’s Twitter Hack Reminds Us Even Two-Factor Isn’t Enough


Your cell phone number could be hijacked unless you add a PIN to your carrier account


Hackers are using this nasty text-message trick to break into people’s accounts


Google is making two-factor authentication a lot easier to use


Published in the February 2017 issue.