What is Two-Factor Authentication?

In this installment of Raising Security Awareness, One Security Term at a Time, I'll explain two-factor authentication; how this improves the security of your online accounts or logins, and where you'll find two-factor authentication in use today.

Begin at the beginning: What is authentication?

Authentication is a security term for demonstrating that you are who you claim to be. The formal language used to describe this activity is "verifying your identity". Throughout military history, sentries posted at a military encampment would challenge anyone who approached to say the password or watchword before admitting them to the camp. Today, we commonly use typed passwords to verify our identities. In both cases, the password is the single authenticating factor required to access a login, email, bank, or online merchant account.

Passwords have proven time and again to be vulnerable to attacks. They can be guessed, stolen, intercepted or even traded away for candy bars. Entire databases of passwords have been breached, and such breaches are occurring altogether too frequently.

What if that stolen password wasn't the only "factor" an attacker needed to access your account? Suppose he needed something else?

This is the principle behind multi-factor authentication: In addition to knowing a password, you must use something else to demonstrate that you are who you claim to be - and not someone who's stolen a password.

Factors: Something You Know. Something You Are. Something You Have.

A password is something you know. But, as we've established, others can learn it or steal it.

Biometrics – your fingerprint, iris, facial image, voice pattern, even your DNA – are things that you are, and they are uniquely "you". Today, many tablets, mobile phones or laptops have biometric readers as a second or substitute authentication factor. However, biometrics are less common as a second factor for network, application or account logins, as many people are reluctant to share something as intimate as a biometric for every account they create. The reasoning behind this is simple: the more "copies" of your biometric exist, the less unique it becomes, and each database where a copy exists is a potential target for an attacker.

Today at least, people appear to be more willing to use something they have – a mobile phone or a special hardware device called a security token – as a second factor for authentication. With two-factor authentication (also called two-step verification), you must demonstrate that you know the password and that you possess the token before you are allowed to access an account or service. You typically do this by responding to a challenge: a popup or web form asking you for a number that is displayed on the security token or for a number sent as a text to your mobile phone. The combination of password and security token (phone) is more difficult for an attacker to obtain. This makes accounts that use two-factor authentication more resilient to attacks.

Sounds Good! Sign me up!

Many corporate or merchant accounts, online financial services, social networking platforms, ICANN-accredited domain registrars and even crypto-currencies offer two-factor or token authentication. A reasonably current and accurate list of sites and services is hosted at https://twofactorauth.org/. I encourage you to check the list, see where you can use two-factor authentication, and take advantage of the added security it provides.
