Passwords are hard. Most of us use passwords of varying length and complexity. That’s mainly to fulfill the requirements offered by every single site that needs you to make an account.
It goes something like this: “Password must be at least __ characters long, must have at least one (1) special character, must have at least one (1) uppercase letter, must have….”
You get the point.
After all that — after you’ve come up with the perfect password (and properly saved it so you don’t forget it) — you find out some malicious hacker’s been able to access your account anyway!
So… why do all that if it’s not that secure?
Passwords are an easy way for people to have some form of security for their accounts. It’s like having a door to deter people from coming into your house, even if knocking down the door or picking the lock would be really easy.
Now, the average person might not have a way to open that locked door. Good. But the determined person, one with the right tools, the know-how to use them, and the time to do so, can figure out how to open the door easily. Whether the door is unlocked and you just need to turn the knob (think PAs$w0rd) or whether there is a lock that needs some experienced handling before they can gain access (think CorrectHorseBatteryStaple91), the average thief (malicious hacker, in this case) can usually get through the door eventually.
You need something additional that they won’t be able to get through (or at least not without a whole lot more difficulty), like a deadbolt. This is where Two Factor Authentication comes in.
What is Two Factor Authentication (2FA)?
Two Factor Authentication (abbreviated as 2FA) is an extra layer of security that makes it significantly harder for someone to access an account that isn’t theirs. This usually takes the form of the scenario below:
You enter your username and password. The next screen you see tells you to check your phone. Your phone will have a pop-up alert or a text message with a code. You follow the instructions on the new screen. You are able to access your account.
Without access to the phone, or access to the text message or email or pop-up that is on a different screen or device than the one you are currently on, an attacker has to try a lot harder and may even give up entirely on trying to access your account.
That is one of the simpler forms of two-factor authentication. In a later article, we’ll talk about multi-factor authentication and how it works. Multi-factor authentication (or MFA) is a broader way of describing 2FA, but two-factor authentication is specific because it requires only one of the following in addition to a password or PIN code:
- An email with a code or link that you enter to access your account
- A text message with a code or link that you enter to access your account
- A token with a code or other piece of information on it
- A token that must be plugged into your computer or device for you to access the account
- A fingerprint, eye/face scan, voice recording, etc. (this is called biometrics, and will be explained in a different article)
Another way to say it is that there are 3 possible types of factors that can be used:
- Something you know (a password or PIN)
- Something you have (a token or code sent to a separate device)
- Something you are (a fingerprint or other biometric)
To achieve true 2FA, you have to use two of those factors. If you were to use 3 factors, then it would no longer be considered 2FA and would instead be called MFA. However, 2FA can also be called MFA since it is a subset of Multi-Factor Authentication.
In other words: 2FA is always MFA, but not all MFA is 2FA.
Let’s take a look at some examples
Most sites will ask for the credentials (username/password) and a code from a text/email or the credentials and a fingerprint. More and more websites are implementing mobile 2FA where they will ask for a username/password and then use the phone’s FaceID or fingerprint scan as the second factor.
If a website were to ask for a username/password and then ask you to answer questions that only you should know, that’s still not considered true 2FA, because both of those requirements are “something you know” and therefore, you are not satisfying two factors.
More than two of the above in combination is considered multi-factor authentication and it’s typically considered overkill for the average website. It’s usually a sign that the website is something important/official, or something private to a company or organization with the resources to guard it.
Why? Because implementing MFA requires more complexity and development resources than simply implementing 2FA. That extra step creates more user friction, and so it’s not typically used unless the risks outweigh the inconvenience and extra expense of implementing it.
The most common method of 2FA is a code delivered through a different service or device than the one the user is logging in with. This can take the form of the previously mentioned emails or text messages, but there are also software applications (usually for mobile phones) that generate codes for a specific site. Some examples of these include Bitwarden, the dedicated app Authy, and the apps by Google and Microsoft, both called Authenticator.
There is the option to opt out of two-factor authentication by setting up a specific device as Trusted. Trusted devices are typically used often enough that two-factor authentication would be cumbersome. However, this comes with the disadvantage that if your device were to be stolen or maliciously accessed, your important accounts would have less protection.
Another way to opt out of 2FA is by setting up recovery measures. These are email addresses, phone numbers, or recovery codes that a user can access their account with. They are typically used in case of forgotten passwords (which is why password managers are essential!) but can also be used as a replacement for 2FA. While this may seem like it creates a weakness in 2FA (and it does, to some degree), you’ll be really glad you have this option if you ever lose your phone or if it stops working on you.
Two-factor authentication is a security method that requires access to multiple factors to ensure an account is accessed solely by the owner of the account. It’s considered to be significantly better security than simply using a username/password combination for reasons outlined in this prior article.
As we saw, there are several forms of two-factor authentication, but what makes it two-factor (2FA) is that exactly two of those forms need to be used. Choosing the right form varies depending on the website or application, but either way, you should seriously consider enabling 2FA for your important accounts if you’re not already using it.