What is Two-Factor Authentication?

13 July 2015
By Dave Piscitello


In this installment of Raising Security Awareness, One Security Term at a Time, I'll explain two-factor authentication; how this improves the security of your online accounts or logins, and where you'll find two-factor authentication in use today.

Begin at the beginning: What is authentication?

Authentication is a security term for demonstrating that you are who you claim to be. The formal language used to describe this activity is "verifying your identity".  Throughout military history, sentries posted at a military encampment would challenge anyone who approached to say the password or watchword before admitting them to the camp. Today, we commonly use typed passwords to verify our identities. In both cases, the password is the single authenticating factor required to access a login, email, bank, or online merchant account.

Passwords have proven time and again to be vulnerable to attacks. They can be guessed, stolen, intercepted or even traded away for candy bars. Entire databases of passwords have been breached, and such breaches are occurring altogether too frequently.

What if that stolen password wasn't the only "factor" an attacker needed to access your account? Suppose he needed something else?

This is the principle behind multi-factor authentication: In addition to knowing a password, you must use something else to demonstrate that you are who you claim to be - and not someone who's stolen a password.

Factors: Something You Know. Something You Are. Something You Have.

A password is something you know. But, as we've established, others can learn it or steal it.

Biometrics – your fingerprint, iris, facial image, voice pattern, even your DNA – are things that you are, and they are uniquely "you". Today, many tablets, mobile phones or laptops have biometric readers as a second or substitute authentication factor. However, biometrics are less common as a second factor for network, application or account logins, as many people are reluctant to share something as intimate as a biometric for every account they create. The reasoning behind this is simple: the more "copies" of your biometric exist, the less unique it becomes, and each database where a copy exists is a potential target for an attacker.

Today at least, people appear to be more willing to use something they have – a mobile phone or a special hardware device called a security token – as a second factor for authentication. With two-factor authentication (also called two-step verification), you must demonstrate that you know the password and that you possess the token before you are allowed to access an account or service. You typically do this by responding to a challenge: a popup or web form asking you for a number that is displayed on the security token or for a number sent as a text to your mobile phone. The combination of password and security token (phone) is more difficult for an attacker to obtain. This makes accounts that use two-factor authentication more resilient to attacks.

Sounds Good! Sign me up!

Many corporate or merchant accounts, online financial services, social networking platforms, ICANN accredited domain registrars and even crypto-currencies offer two-factor or token authentication. A reasonably current and accurate list of sites and services is hosted at https://twofactorauth.org/. I encourage you to check the list, see where you can use two-factor authentication, and take advantage of the added security it provides.
