Two-Factor Authentication: An Extra Layer of Security

In two-factor authentication, the user may be required to enter a one-time code sent by the service that the user is trying to access.


Two-factor authentication is a security verification process in which the user provides two means of identification. In most cases, one of the two factors will be something the user has, and the second will be something the user knows.

The first item is usually a physical token, such as a card, and the second is often a memorized code, such as a password. In other instances, such as when logging into a website, what you know is a password and what you have is a one-time code sent to your smartphone by the service you are attempting to access.

The idea is that the physical token is something that the user, and only the user, possesses. One example would be a debit card — the card is the necessary physical item, and the personal identification number (PIN) is the memorized info that the user knows to log into an ATM. The combination of dual security measures makes it harder for intruders to access bank accounts and steal from victims.

Two-factor authentication is sometimes abbreviated as "2FA" or "TFA" and is also known as two-step verification. It has become prevalent in the digital age.

Google, MSN, Twitter and Yahoo offer two-step authentication for user logins, and it’s also an option for other Web-based services such as Dropbox, WordPress and Amazon Web Services.

Two-factor authentication has become so commonplace that most users don’t even realize they are using it when they hand their debit cards to a clerk and punch in the codes.


Two-factor authentication can reduce the success rate of phishing expeditions, online fraud and identity theft. It requires more than just the victim's password, which, in the past, has been enough to give a thief access to information.

A downside to using two-factor authentication is that hardware tokens, such as a card or key fob, need to be issued, which can slow down business and cause problems for a company. If customers lose their tokens, requests for new ones can cause even more problems and hold up business processes. These physical items can become a hurdle once they are in the hands of users, since they are small and easily misplaced.

Some companies use mobile phones, rather than cards or key fobs, as authentication devices. For example, you can set up Facebook to require, in addition to the typical username/password, a single-use security code that can be sent to a user’s mobile phone. Whenever someone tries to access the account from an unknown browser, the security code is sent to the previously designated phone. If the legitimate user is the only person with access to the phone, this method will stop Facebook hacks and spammers.
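The server side of that "unknown browser" step, written here as an added example rather than code from the article or from Facebook: after the password check passes, a browser the account has not seen before triggers a random single-use code that expires, allows only a few guesses, and is compared in constant time. The class name, the five-minute lifetime, the five-attempt limit and the `send_sms` callback are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is only good for five minutes
MAX_ATTEMPTS = 5         # assumed: a code is dead after five wrong guesses


class SecondFactor:
    """Bookkeeping for the single-use code sent to the user's phone (hypothetical class)."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms      # callback that delivers the code to the user's phone
        self.now = now                # injectable clock so expiry can be tested
        self.known_browsers = {}      # user -> set of browser ids that already passed 2FA
        self.pending = {}             # user -> [code, expires_at, attempts_left]

    def begin_login(self, user, browser_id, phone):
        """Call only after the password check succeeded. Returns True if a code was sent."""
        if browser_id in self.known_browsers.get(user, set()):
            return False              # known browser: the second step is skipped
        # Unpredictable six-digit code from the OS CSPRNG, never derived from the clock.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(phone, code)
        return True

    def verify_code(self, user, browser_id, submitted):
        """Returns True once, for the right code, within its lifetime and attempt budget."""
        entry = self.pending.get(user)
        if entry is None:
            return False              # nothing pending: no code to guess against
        code, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[user]    # expired or exhausted: the user must request a new code
            return False
        entry[2] -= 1                 # every guess, right or wrong, costs an attempt
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            return False              # constant-time compare: no timing leak on partial matches
        del self.pending[user]        # single use: the same code can never be replayed
        self.known_browsers.setdefault(user, set()).add(browser_id)
        return True
```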

However, two-factor authentication needs to be properly implemented. Apple, for example, offers it for iTunes Store accounts, but not for iCloud accounts, even though the same username and password will log into both.

An attacker who stole or cracked an Apple password could leverage iCloud to bypass two-factor authentication, such as by intercepting or redirecting password-reset messages sent to an iCloud email account. He could also read the user's email, erase his iPhone, get all his contact information and access his cloud-based documents.

And if the legitimate user hasn't yet set up Apple two-step verification for the iTunes Store, the attacker could do so instead, locking him out.

  • Darkk
    I try to use two factor authentication whenever possible. Normally the one time code is sent to my mobile phone for verification. Works pretty well.
  • pepe2907
    Well, I am asking myself - why don't they put 5 layers of security, or 10, why stop at just two? Five layers of security will make things really more secure. The problem is - I'll lose half an hour just to log in to my mailbox /in which there's nothing interesting to anybody but me/ every time I want to check my new bunch of spam. And sometimes I need to check like 10+ times a day for work-related messages, so making the login procedure more cumbersome really gets in my way.
  • amdfreak
    None of the multifactor authentication helps when NSA taps in directly on the company's server.
  • amdfreak
    @debramlopez786 => Is your sister doing striptease in order to make $66/hour on the internet?
  • clonazepam
    I think the NSA's working on backdoors into the hardware now. That's probably why Comcast keeps trying to give me a newer, faster router hehe =)
  • teh_chem
    I'm always astonished that relatively mundane services like Google and Facebook have two-factor authentication, but none of my financial institutions implement it. Moreover, one of my banks doesn't even allow special characters in their password field, much less 2nd-factor authentication.
  • drizzt_215
    2FA can be a chore, but it's worth it. I really like the direction that modern two-factor companies like Toopher are going. I enabled them on my Lastpass account and I dig it.

    It feels like we have a bit of a chicken-and-egg problem where users don't know about two-factor, and those who do know about it don't like it. But, without a market--without user demand--companies are not motivated to offer improved services. As pepe2907 implies above, people want improved security without the hassle.