What is two-factor authentication?

With the threat landscape ever-changing, it’s essential to take measures both straightforward and sophisticated to safeguard your organisation. 

Cyber threats are only becoming more prevalent for businesses. A report in April 2020 revealed that as many as 16.5 million Brits fell victim to cyber crime over the past year, costing organisations a staggering £1.4 billion. The threat of cyber crime has only grown since, with hackers taking advantage of the mass shift to remote working necessitated as a result of the global COVID-19 pandemic.

While there are high costs involved in implementing the proper security measures, the costs of doing nothing – through losses and penalties – are many orders of magnitude greater.

One of the simplest, but most effective steps that businesses can take is implementing two-factor authentication (2FA). Password hygiene is essential to safeguarding your identity and personal data, with password reuse such a huge problem that cyber criminals are often able to use stolen credentials across multiple platforms in what is commonly known as a “credential stuffing” attack. For example, in November 2020, hackers were able to access 350,000 Spotify accounts by reusing login details from previous breaches. 

While it’s certainly more convenient to remember one or two passwords, repeating passwords across multiple services – be it bank accounts, email addresses or social media sites – leaves individuals vulnerable to exploitation.  

Implementing 2FA can go some way towards adding an extra barrier of entry for both yourself and also any third-party attempting to access your account. While security questions seeking personal details like the name of your first family pet, or mother’s maiden name, may go some way towards shielding user accounts, they can be easy to establish, often by rummaging through social media accounts. 

Adding the second authentication factor, whether this is by delivering a code by text message or email or by using an authenticator app, adds a far more robust protective layer. While it may seem arduous to jump through this hoop time and time again, the benefits of having these hoops in place are untold.

What is two-factor authentication?

Also known as multi-factor authentication (MFA) or two-step verification, 2FA is a fairly straightforward process of confirming your identity twice before access is granted to an account or service.

Broadly speaking, authentication falls into three categories: knowledge factors, possession factors and inherent factors. Knowledge normally means something the person has to remember, like a PIN or password, while possession means a secondary device, like a key fob, card reader or smartphone.

Inherent factors, on the other hand, use a person’s unique attributes, which are typically biometrics like a fingerprint, iris or retina scanning, or voice recognition. This is less common in general life and business but can be seen in more high-security situations as the second or subsequent level of authentication.

2FA uses two of these methods (or more in the case of multi-factor authentication) in order to verify the identity of the person attempting to access an account more thoroughly than a single factor can, with knowledge and possession factors being the most commonly used, leading to the mantra “something you know and something you have”.

How does two-factor authentication work?

Two-factor authentication invariably uses a second, independent device that functions as a buffer between the service and the login attempt.

Some services will supply their own keys, although this has become less common as companies have turned to developing their own smartphone apps or making use of SMS messages. Regardless of whether it’s a number-generating key or a confirmation message, the idea is that only the owner of the device will have access to the key and the ability to authorise the login attempt.

The additional security check normally appears after the user has submitted their username and password. Once the system checks that the account exists, it will then ask the user to perform an additional action.

Two-factor authentication has become ubiquitous with most online services that involve sensitive data, whether it’s banking or financial services, ecommerce, or business applications – although many other companies are starting to offer 2FA to stand out from the competition.

How that additional layer appears can vary from service to service. For example, most banks now have their own security tokens for online banking, often in the form of random number generators and usually offered through a smartphone application, although some users may still be using a physical fob. However, many online services have taken to using two-factor checks offered by Google, which allows them to embed an additional layer of security without the associated development work.

Getting through a second layer of security can be the slowest part of signing into a service, however, it’s an effective way of sifting out those trying to brute force their way into an account.

Is two-factor authentication safe?

Despite the benefits it offers, it’s worth noting that multi-factor authentication is not 100% secure. Microsoft recently warning businesses against using systems that rely on voice and SMS due to security concerns, warning that these methods use no encryption, making it easy for hackers to intercept them, and are more susceptible to social engineering techniques. 

For example, authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack an account that supports a person’s mobile number. Various account recovery processes for lost passwords can also be harnessed by hackers to work around two-factor authentication. 

And sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker, rather than the legitimate account holder, thereby working within but also around two-factor authentication.

The most secure methods of 2FA use dedicated hardware tokens, such as a Google Titan Hardware Key or Yubico Key, which are difficult for hackers to spoof unless they steal one directly from someone. Google’s offering, for example, uses cryptography to verify a user’s identity and a separate URL to stop would-be attackers from accessing accounts even if they have the username and password. 

On the flip side, two-factor authentication reliant on SMS is probably best avoided if you are running an enterprise with a treasure trove of data.

While 2FA may not be quite the security silver bullet it was once expected to be, it’s still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you can put in the hackers’ way, the less likely they are to target you.