Why is 2FA a must? It’s simple. When you only use a username and password to authenticate to a system, nothing stops a hacker from trying to figure out your password and login as you. There are so many mechanisms to steal your password. Some examples:
- Brute force. The attacker simply keeps trying different passwords until one works. This takes time, but it usually works, especially when you use easy-to-guess passwords.
- Phishing / social engineering.
  - Hackers send you an email that looks very real and directs you to a website that looks very real, and you type in your credentials to log in. Unfortunately, neither the email nor the website was real, and you just gave them your password.
  - Ever see those Facebook posts that say “Date yourself, share the first car you ever owned” or “Where did you meet your wife”? Think about that for a minute. How many people use those as their “forgot your password” question? By posting those things on Facebook, you are literally giving the hackers everything they need to use the “forgot your password” link on your bank’s website and steal your information.
With 2FA, a hacker having your password doesn’t really help them. They cannot login without the second factor.
The definition of Two Factor Authentication is pretty straightforward. Authenticating against a system requires two separate factors. Usually, this is something you know and something you have. The first is straightforward; in most cases, it’s your password. The second factor, something you have, can get complicated. My goal in this post is to help break down that wall of confusion and shed more light on some of the various options that systems use and how they work.
Biometrics
Well, this one is probably the easiest to explain. Biometrics is some “metric” of your body, most commonly your fingerprint or a face scan, and less commonly a retina scan. The major advantage of these types of authentication is that they are difficult to fake. Sure, if you’re a master thief planning a multi-million-dollar bank heist, maybe. But in the real world, nobody is doing this. While it is the safest form, it’s also the least private: you’re giving the party doing the authentication copies of your biometrics, which can raise justified privacy concerns.
OTP/TOTP (One Time Password vs. Time-based One Time Password)
You are probably already using these and maybe you don’t know it. It’s the mechanism where you use an app on your phone, carry a little keychain token, or get a text message with a 6-8 digit code. These are very popular because they are extremely easy to support for both the application and the user. They are very secure and, in the case of TOTP, extremely unlikely to be hacked. The different mechanisms have slightly varying pros and cons, so I’ll go into those separately.
SMS
So the first type is one where you provide the application with your cellphone number. When you sign into their system, you get a text message with a code, and you enter that code to complete your login. The benefit of these is that there are no new apps to set up and no complication; it just works. The primary downside is that you have to give the application your cellphone number, a potential privacy risk.
Email
Very similar to SMS, some systems allow you to log in by emailing you the code. Again, very simple and straightforward. Chances are the system already has your email address for other use cases, so you probably aren’t giving that system any information it doesn’t already have. The biggest downside to this one is that email is subject to delays, spam filtering and other mechanisms that can hold up the message, thus delaying or even preventing your ability to authenticate. This is my least favorite option.
Hardware Token (keychain)
Much less common is a hardware token. There are two very different kinds. One is a token with a display that shows a constantly rotating numeric code; you’ll usually get these from your bank or employer. The other is a hardware USB key, such as a YubiKey. These keys are extremely secure, but they have a lot of drawbacks for the average consumer: setup can be complicated, and your web browser has to support them for them to work. The downsides to both options are the risk of losing them and the complicated nature of setting them up.
Authentication App
The final method I’ll cover here is using a TOTP app on your smartphone. It is by far the most common, has the best balance of security for both you and the system using it, and is very simple to use. First and foremost, you are giving the system you are authenticating against absolutely no information about you. No phone numbers, no emails; the authentication apps do not communicate with the system at all. Your 2FA system is completely isolated from theirs. Secondly, you can install the app on more than one device, giving you redundancy. If you lose your phone, you can use your backup device. Some of these apps even sync themselves across devices, so when you set up a new site on one, it syncs to the other.
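As an added example (not code from the original post), here is the TOTP mechanism the OTP and authentication-app sections describe, in Python: the app and the server each derive the same 6-digit code from a secret shared once at enrollment (the QR code) plus the current time, so nothing passes between them at login. The secret is the RFC 6238 test key in base32; the server-side skew window and replay guard are my assumptions about how a careful server verifies the code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Both sides hold only this shared secret, exchanged once at enrollment
# (the QR code); after that neither side talks to the other.
# Constructed example: the RFC 6238 test key "12345678901234567890",
# base32-encoded the way an authenticator app receives it.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown in the enrollment QR code."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_step=-1, window=1, step=30, digits=6):
    """Server-side check (assumed design). Returns the accepted step or None.

    Accepts +/-window steps of clock skew, compares in constant time, and
    refuses any step <= last_step so a captured code cannot be replayed.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    secret = secret_from_base32(ENROLLED_SECRET_B32)
    now = int(time.time())
    shown = totp(secret, now)                     # what the phone app displays
    print("app shows:", shown)
    print("server accepts step:", verify_totp(secret, shown, now))
```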
There is a wide variety of authentication apps available on the market. The two most popular are Google Authenticator and Authy. The best of the best is Authy. First, it’s not Google, which is inherently a good thing. Google doesn’t have a strong track record for caring about your data privacy. Authy, by contrast, takes privacy very seriously. Additionally, you can create an Authy account and have your codes sync across devices. If you get a new phone or have to reinstall your authenticator app, Google Authenticator starts from scratch: you need to manually re-enroll all your different TOTP codes. Authy, on the other hand, when you use an account, automatically restores everything for you.
The Bottom Line
We live in a world where everything is digital. Your bank, medical records, credit cards, mortgage, etc. are all on the internet, protected only by the authentication you use to protect them. You have to take the responsibility for protecting that into your own hands. Businesses generally do their best to protect your data, but when the easy way to get it is typing “john@doe.com” in the username field and “password123” in the password field, you’re handing over the keys to your kingdom on a silver platter. Stop enabling hackers and thieves. Take the extra step and set up 2FA wherever you can.