official blog of marquis montgomery: complete with notes, rants, reviews, tips, and tricks.

CATEGORY: information security

Disabling SSL v3 in Splunk Web to mitigate POODLE

I’ve been poking around trying to figure out the best way to handle POODLE in Splunk for situations that warrant it (i.e. concern about untrusted networks and Splunk Web being accessible via the Internet). I have tested that the following settings in web.conf will disable SSLv3 and should be compatible with the latest version of all web browsers (except Firefox, which has some issue I haven’t been able to figure out yet):

in web.conf:

[settings]
# Splunk Web enabled, listening on 443 with SSL/TLS turned on
startwebserver = 1
httpport = 443
enableSplunkWebSSL = true
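An added example, not from the original post or from Splunk: the snippet above stops before any protocol-version line, so this check assumes Splunk's documented `sslVersions` setting in the `[settings]` stanza and audits a web.conf for whether `ssl3` is still enabled. The left-to-right token handling, the function names and the sample files are assumptions constructed for illustration.

```python
import configparser

# Version tokens from Splunk's web.conf spec for sslVersions (assumed setting).
ALL_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")

def effective_versions(spec):
    """Expand an sslVersions value into the set of protocols left enabled."""
    enabled = set()
    for token in (t.strip().lower() for t in spec.split(",")):
        if not token:
            continue
        name = token.lstrip("-")
        if name == "*":
            group = set(ALL_VERSIONS)
        elif name == "tls":
            group = {v for v in ALL_VERSIONS if v.startswith("tls")}
        elif name == "ssl2":
            group = set()  # SSLv2 is always off; the token is accepted and ignored
        elif name in ALL_VERSIONS:
            group = {name}
        else:
            raise ValueError(f"unknown sslVersions token: {token!r}")
        # Assumption: tokens apply left to right, "-" removing from the set so far.
        enabled = enabled - group if token.startswith("-") else enabled | group
    return enabled

def audit_web_conf(text):
    """Return a list of findings for the [settings] stanza of a web.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    settings = cp["settings"] if cp.has_section("settings") else {}
    findings = []
    if settings.get("enableSplunkWebSSL", "false").strip().lower() not in ("true", "1"):
        findings.append("enableSplunkWebSSL is not enabled")
    spec = settings.get("sslVersions")
    if spec is None:
        findings.append("sslVersions is not set; the installed version's default applies")
    elif "ssl3" in effective_versions(spec):
        findings.append("sslVersions still allows ssl3")
    return findings

# Constructed samples: the three lines shown on the page, then two variants.
PAGE_SNIPPET = "[settings]\nstartwebserver = 1\nhttpport = 443\nenableSplunkWebSSL = true\n"
WEAK = PAGE_SNIPPET + "sslVersions = *,-ssl2\n"
NO_SSL3 = PAGE_SNIPPET + "sslVersions = tls\n"

if __name__ == "__main__":
    for label, conf in (("page", PAGE_SNIPPET), ("weak", WEAK), ("no-ssl3", NO_SSL3)):
        print(label, audit_web_conf(conf) or "no findings")
```

An empty findings list only says the file does not list `ssl3`; confirming the running server's behaviour still needs a handshake test against the listening port.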

Two-Factor Authentication and How It Helps

Two-Factor Authentication sounds like a really difficult thing to implement and use, but in reality it's a simple idea to implement and benefit from. First, let's talk a little bit about Two-Factor Authentication and what it is. Authentication is the process by which you provide your credentials (like a username and password) as proof that you are who you say you are, and by which that information is verified and accepted as true. Once this information is verified, you are granted access to a system or resource that you would not have access to without proper authentication. In this example, we are talking about the most common type of authentication, which is based on a single factor: your username and password combination, which are things that you know. With that out of the way, let's discuss Two-Factor Authentication.

Two-Factor Authentication requires you to provide more than one factor to gain access. The normal factors are something you know, something you have, or something you are. For something to be considered Two-Factor Authentication, it needs to require two of the three types of factors. Commonly you will find passwords as something you know, key fobs or card-tokens as something you have, and biometric fingerprints or retina scans as something you are.

Why is Two-Factor Authentication necessary? In many cases, the information and networks that you find information security teams protecting are simply too valuable to proceed without taking every single precaution available. Having a single password for use as authentication is actually considered weak protection, given the possibilities available for Two-Factor Authentication. There are many risks to just using passwords for access to high value information or computer networks:

  • passwords can be stolen, via keystroke malware, network sniffing (in unencrypted situations), and plain old “shoulder surfing”
  • passwords can be guessed, via “easy passwords”, easy answers to “recovery questions”, or by brute force by trying every possible combination until the correct password is found
  • passwords can be bypassed altogether, via advanced hacking techniques in some cases. A perfect example is a technique called “Passing the Hash”

Two-Factor Authentication makes it much more difficult to gain unauthorized access to a computer system or network because an additional factor of authentication is necessary for access. If gaining access requires providing a username/password combination AND connecting an additional key fob to your computer, or reading a PIN code that changes every minute from a smart card, that computer system could be considered much more secure than a system that does not have Two-Factor Authentication in place. In some cases, such as getting access to a government agency that deals with computer information, all three factors are required. At that point, it becomes nearly impossible to gain unauthorized access to a system, and this type of setup is far more secure than just requiring passwords.

If Two-Factor Authentication is so useful and beneficial, why don’t I see it in use very often? In most cases it comes down to resources. Two-Factor Authentication takes time and expertise to implement, and then it takes users willing to do extra steps each time they wish to log in to a system. Those two things are harder to come by than you may think, so often you will only find Two-Factor Authentication mandated in government or corporate situations. However, that is changing. Many banks and financial services are now offering Two-Factor Authentication in one form or another for their clients. As online identities become more and more valuable, some online services are building Two-Factor Authentication into their services as well. The most notable recent addition to this list is Google, which has this year announced a very creative two-factor solution via mobile phone text messages for all Google Apps and regular Google accounts.

In time, I expect to see Two-Factor Authentication become available as an option for many more online services and mandated by policy in many more corporate and government situations as computer security becomes more of a concern.
