2FA or not 2FA? There really is no question.

You might have heard the term thrown around…but what does it really mean?

“Two-factor authentication” (or “2FA”) is just a general term that means that you have to do more than just enter a password to access a system. When we say “system”, we’re really referring to any web service, corporate network, email service – anywhere your information lives! Think of it this way: Many people secure their homes with nothing more than the regular door locks. Of course, a much more comprehensive solution is to use these in addition to a deadbolt, a watchdog, a home security system, monitored cameras, and so on. Similarly, 2FA uses multiple mechanisms to secure access to your information.

Chances are, you’re already using it in some capacity. A good example: You get a new phone and log on to Facebook for the first time. It tells you the device isn’t recognized, and asks you to confirm via text or email that this device is allowed to access your account. Some basic, limited level of two-factor authentication is built into many online services in this way; Amazon, Apple, Microsoft, and Google all have some way to verify your identity beyond just a simple password. Unfortunately, it’s only optional – or sometimes just flat-out not available – for many others.

Generally speaking, systems authenticate humans based on one or more of three categories: “Something you know” (your password), “something you have” (a smartphone, USB keychain, etc.), and “something you are” (e.g. your fingerprint or voice). More specifically, sites and services use several different mechanisms for two-factor authentication.

Smart Cards/USB Keychains – These devices generate a fresh, unpredictable code that must be entered at the time of login. This ensures that even if the password is compromised, an attacker must also have physical possession of the device in order to gain access. These are popularly used in aerospace and defense organizations to secure access to corporate systems, but have also gained popularity among smaller businesses.

One-time passwords (OTP) – Under this mechanism, a login attempt triggers an email or text message to the user containing a unique, randomly generated one-time password, which the user must also enter to complete the login. Much like the token method, this requires that an attacker have not only the password, but also access to the user’s email account or phone.

Biometrics – This method relies on a fingerprint/handprint, retinal or voice scan to identify the user. While generally regarded as the most secure, the readers and systems are typically far more expensive, so biometrics are not widely used outside environments where the data is sensitive enough to justify the cost.

How can I use two-factor authentication to protect myself against attackers? Well, it depends on what it is you’re trying to secure. Obviously your corporate IT policy will dictate whether 2FA is used to access your company’s systems. However, your personal information can often be secured with simple, built-in 2FA mechanisms. Your bank and credit card website, social media accounts, and webmail accounts will usually have an option for “two-factor” or “multi-factor” authentication, or it might be called “enhanced security” or some other term. You might have to search the site’s security options for it, but chances are, it’s there. If you can’t find it, you can generally call a toll-free number for help.

So, should I use 2FA or not? The only real answer is: considering the ever-increasing number of data breaches happening today, you should use 2FA whenever possible. For corporate systems, many industries are now requiring 2FA under regulatory compliance guidelines. This means that, depending on where you work, someday soon you may well be handed a key fob to log into your computer or VPN. For your personal data, there’s really no question – if it’s available, use it. There’s no doubt, the extra steps involved in using 2FA are somewhat inconvenient. But, people are creatures of habit, and new habits form quickly. The implementation of 2FA measures will quickly become just another part of your routine, and your data will be better off for it!