We’ve all had this experience before. You want to login to your account on a website, so you enter your username and password. Then a message pops up asking you to enter a code that’s been texted to your phone. Or maybe you have to answer a security question: What is your mother’s maiden name? Who was your sixth grade teacher? What is your pet’s name?
If you’re like many people, you find this a hassle. “Why can’t I just enter my password and do what I need to do?” you may wonder. “Is this really necessary?”
What you’ve encountered is a security process called two-factor authentication (or 2FA). Two-factor authentication works by requiring users to sign into their account by proving their identity in two different ways. For example, you likely have to insert a debit card and enter a PIN to access your bank account from an ATM. The debit card is one factor—or one way of verifying your identity—and the PIN is the second factor. Typically with this kind of security, users prove their identity by having two of three types of credentials:
- Something you know, such as a personal identification number (PIN), password or a pattern;
- Something you have, such as an ATM card, phone, or fob;
- Or something you are, such as a biometric like a fingerprint or voice print.
But why do some websites and apps require this additional layer of security? Is it necessary, and most importantly, does it work?
The Need For Better Security
On our network security page, we describe the growing number of sophisticated cyber attacks being launched around the world. We’ve also written about scams and phishing schemes that target both individual users and big businesses. But you don’t really need us to tell you that security is a big deal. You see coverage on the news and social media about powerful malware and its ability to infiltrate your devices, and these stories crop up all the time. That’s because in the first six months of 2019, cyber attacks were up 200%.
The purpose of two-factor authentication is to make it harder for hackers and bots to access your accounts. By incorporating a second factor of authentication, 2FA can stop or significantly slow down bad actors.
Besides providing an additional step for hackers to go through, two-factor authentication strengthens your security because passwords really aren’t that safe. Using computers, hackers can test billions of potential password combinations in seconds, searching until they find one that works. Plus, most users don’t create very strong passwords, opting for something that is easy to remember—and easy to guess. And since 65% of people use the same password for multiple accounts, one of your accounts being compromised can lead to multiple accounts being compromised. Two-factor authentication attempts to compensate for our poor security practices.
Does Two-Factor Authentication Work?
There is no perfect fix for cyber crime, and 2FA is not without its own weaknesses. Seth Rosenblatt and Jason Cipriani of CNET point out that in 2011, security company RSA admitted that its SecurID authentication tokens had been compromised. These tokens were either physical objects (like fobs or USB sticks) or software that would generate a new authentication code every 60 seconds. This authentication code was the second factor of authentication needed for each site the users logged into with SecurID. With access to those tokens, hackers had access to users’ accounts all over the web.
However, the RSA breach was not a failure of 2FA, but the result of a phishing attack where an employee opened a file through his email, unleashing malware that fed data to hackers. Phishing attacks are one of the most common ways to work around two-factor authentication. Usually these attacks come in the form of emails that ask users to visit a website and login to their account. When users click the embedded link and enter their credentials, they are actually transferring their login information to bad actors.
Another problem is users or sites disabling this security feature. 2FA does create an extra step in the sign-in process, and for this reason some people choose to disable it. Other times websites disable their own two-factor authentication. For example, many websites disable 2FA when you begin their password recovery process, leaving your account temporarily more vulnerable. Hackers have work-arounds to exploit password recovery, which is why many websites now email you if someone attempts password recovery for your account.
Similarly, it’s common for users to save passwords in a browser like Chrome. While convenient, many of these tools are not secure and a malicious plugin can very quickly save and export all of your login information. And, of course, your passwords are also available to anyone who uses your computer.
The Argument For Enabling Two-Factor Authentication
2FA is imperfect, but adding that second authentication factor makes it much, much harder for someone to steal your information. And by practicing good security habits, you can greatly improve the effectiveness of 2FA. Here are some tips for better cyber security:
- Create strong passwords. Longer passwords are better, and a mix of numbers, letters, and special characters complicates password breaking for hackers.
- Use a password manager. These programs will generate and remember long, random passwords for you. Password managers make it easy for you to have a strong, unique password for each account you access without you having to memorize them (or write them on sticky notes).
- Be suspicious of emails and texts from unfamiliar users. If a text or email asks you to enter personal information, definitely double-check that the message is coming from a source you know. And never send personal information through email or text; go to the actual website to share information.
Want more information about online security? Then don’t miss our blog posts Safe Online Shopping Tips For The Holidays and Does My Android Device Need Virus Protection? They’re full of tips and tricks on navigating the internet safely with all your devices.
TracSoft takes security seriously, which is why we offer our clients state-of-the-art network security services. Using both hardware and software, we create layers of protection for your business network and provide 24/7 monitoring to prevent and control data breaches. Contact TracSoft today to find out how we can protect the data that drives your business.