scorecard
  1. Home
  2. tech
  3. how-to
  4. A guide to two-factor authentication, the two-part security test for your online accounts and devices

A guide to two-factor authentication, the two-part security test for your online accounts and devices

Melanie Weir   

A guide to two-factor authentication, the two-part security test for your online accounts and devices
Tech7 min read
  • Two-factor authentication is a security measure that makes you pass two security tests before gaining access to your account or device.
  • As hackers and hacking systems become more advanced, experts say passwords alone are not enough to keep your data secure.
  • Many apps and websites give users the option to use two-factor authentication, but it's also something users can set up for themselves.

You can never be too careful with your information online.

Hackers are becoming more sophisticated, and while developers continually come up with new methods to make sites and devices more secure, hackers can still find ways around them. As a result, a password alone may not be enough to protect your important accounts from cybercriminals.

Lately, more businesses and services have been adding two-factor authentication as an optional feature for their online logins. Certain industries require two-factor authentication as a security practice, and most internet security experts would tell you that adding two-factor authentication is not only a good idea but an increasingly necessary step for ensuring your online security.

What to know about two-factor authentication

Two-factor authentication, also referred to as 2FA or two-step verification, is a method of confirming your identity by asking you to pass two security tests. It's a way for a site or a system to ensure that it's really you logging in and not a sophisticated robot or a hacker.

After you enter your password, you'll be asked to pass a second test, which will vary depending on the site you're using.

2FA forces hackers to come up with solutions to two unique problems, rather than one. It's also constantly evolving because hackers seem to eventually come up with solutions to said problems. One early form of 2FA was the security question, but years of predictable questions and answers left that method vulnerable to hackers.

Types of two-factor authentication

Things have gotten more complex since the days of the security question - hackers and robots have gotten more advanced, so security challenges have, too. There are now five common types of 2FA.

Text or voice-based 2FA

This type of two-factor authentication will usually prompt you to enter your phone number and choose whether you would like to receive a text message or a phone call to have your identity verified.

If you're logging in to a multi-use account, once you have done this once, your preferences will usually be remembered for next time, with your permission.

If you choose a phone call, an automated system will call your number and ask you to verbally confirm that you are logging in.

If you choose text, you will most likely be sent a text message with a link that will automatically log you in and redirect to the site or app's landing page. However, some older forms of this feature may simply send you a text asking you to send a reply text confirming that you logged in.

It's important to note that, even if you know a site utilizes this form of authentication, they will never ask you for information like your username or password over SMS or a voice call. If you are ever asked for this info, you should block the number immediately - this is a common phishing scam.

Additionally, if a site you use has an option to set up this feature and you haven't done so yet, you should do it as soon as possible, or set up some form of 2FA for that account immediately. If you don't, a hacker who was able to get in using only your password might be able to set it up with their own number.

Hardware tokens

Hardware tokens are the oldest form of 2FA out there and they are relatively uncommon today, mostly because they're expensive, easy to lose, and are, while still incredibly secure, not entirely invulnerable to hacking.

A hardware token is a device that generates a new, randomized code every 30 seconds. When you want to log into the associated account, you simply look at the device and enter the code displayed on it. With newer versions, you plug the device into your USB port and it enters the code for you.

Other tokens seek to authenticate your identity, but hardware tokens sidestep that issue entirely, operating under the assumption that whoever has it is already qualified to get into the system.

Software tokens

These tokens combine the best factors of SMS and hardware-based 2FA, while eliminating some significant issues each of the other methods face.

Software tokens work exactly like hardware tokens, as described above, but rather than using a physical device to generate a password, they're an application that you install to generate a password automatically.

These tokens are sometimes attached to specific websites; CAPTCHA is one method employed by many sites in order to confuse robot password hackers with a visual question. However, you can also download and set up your own software token application - they're an excellent and reliable way to stay secure online, and they work whether you're using a desktop computer, a smartwatch, or anything in between.

Push notifications

When you're logging into a website, chances are you're using what's called a secure connection. Basically, this means that, during the time your device and the site are communicating, the site is masking all of the communications involved to make them difficult for hackers to penetrate.

Push-notification 2FA merely takes advantage of this secure connection while you're using it. Essentially, when you log in, it sends a signal to the server to send a push notification with a unique one-time code that completes your login.

This is basically an improved form of the SMS-based 2FA outlined earlier - the difference is that this one eliminates opportunities for phishing scams to take advantage of unsuspecting users, and, more importantly, stops man-in-the-middle attackers from intercepting login links.

The only drawback to this method is that it doesn't work very well in areas with spotty internet service.

Biometrics

There's an even more secure way to confirm your identity than any of these 2FA methods though, and people have been using it since even before there were computers - we just didn't figure out how to implement it digitally until recently.

Once used as a sci-fi trope and associated with top-secret access, fingerprint scanners can be found on a number of devices people use every day, like phones and laptops. Other forms of biometric identification - methods of confirming your identity using factors unique to your biology - are also on the rise, most notably facial recognition.

Some organizations, especially apps on your phone that deal with money, like PayPal or whatever virtual banking app you may use, already use two-factor authentication, in a sense. If you have a phone that allows for fingerprint or facial recognition, these apps work with its software to allow you to store your username and password in your device, and have the device fill it in for you as long as it recognizes you.

Currently, the only issues with this technology are that not all devices have a fingerprint scanner or facial-recognition technology, and facial recognition is relatively in its infancy.

Why two-factor authentication is important

Two-factor authentication has become an increasingly important security measure as hackers and hacking systems have become more sophisticated over time. In fact, advanced hackers can easily use one unlocked account to unlock dozens, if not hundreds, of others.

These days, hackers aren't just sitting at the computer typing away, hoping and guessing at random numbers and letters. They have algorithmic programs that test hundreds of common patterns and combinations in seconds. If your specific username or password hasn't been guessed by these machines already, it's most likely sheer luck. Once one password has been guessed, chances are they'll be able to use that combo to hack into other common sites as well.

Related Article Module: What is cybersecurity? A guide to the methods used to protect computer systems and data

Even if you're taking all the proper precautions and using the smartest, most obscure usernames and passwords you can think of, making them unique every time, you're still vulnerable. You're just a little less vulnerable than other people with simpler ones - and even then, you're making way more work for yourself than you need to.

Human memory is faulty, and the more we get comfortable online, the more passwords we'll have to create and remember to stay secure. Setting up two-factor authentication frees you from that burden, while still giving you the peace of mind of knowing you're much more secure against cyberattacks.

How to enable two-factor authentication

If you're not looking to buy a hardware token or download and install a separate software token in order to protect your accounts, there's still good news for you. Most major websites, apps, and devices already have 2FA capability that you have the option to set up with your account.

Here's a brief list of guides on how to set up two-factor authentication on some of the most popular sites, apps, and devices:

What is a computer worm? Here's how to protect yourself from the replicating malwareWhat is spyware? 5 ways to protect your computer from being infectedWhat is a computer virus? Here's how to spot signs of viruses and avoid themWhat is malware? Everything you need to know about malicious software and viruses, and how to protect your computer

READ MORE ARTICLES ON


Advertisement

Advertisement