Ask The Cyber Security Expert: What is two factor authentication?
The Cyber Security Expert is always recommending people use two factor authentication for online services. It is a good idea, but what, in fact, is two factor authentication? After explaining about the clocks changing, British Summer Time, and coaxing him to a desk, we asked The Cyber Security Expert to explain.
What is two factor authentication?
When you log on to a website, or your computer at work, you generally do so by means of a username and password. The username is what identifies you as an individual user on the system, but it is not a secret. The job of ensuring that only you, the real owner of that username, can log on using that identity falls to the password. You keep your password secret so that no one else can pretend to be you. However, as we all now know, passwords can be unreliable: they get stolen, people use easily guessable ones, and so on.
So one means of providing additional assurance that you really are you when using online services is to use something additional to passwords. Using two elements, or factors, to identify users is called two factor authentication (often abbreviated to 2FA).
What does that mean in practice?
We security experts break down the problem of identifying users into three categories:
- Something you know
- Something you have
- Something you are
A password is something you (and only you) should know. ‘Something you have’ can be a special device (your bank might have provided you with something that generates a number which you need to enter to use online services), and ‘Something you are’ is, well, something you are: your fingerprint or your retina, for example. Combining these elements provides a much stronger means of ensuring you really are you, and prevents bad people on the internet from hijacking your account.
The most common combination, and the easiest to implement for websites, is ‘something you know’ and ‘something you have’. Mobile phones make a perfect ‘something you have’, meaning that when you use an online service with two factor authentication enabled you enter your username and password, and are then prompted to enter a code that has been sent via SMS to your phone. This means that even if your password has been stolen, it is not possible for someone to use your account without also having access to your mobile phone. If you’ve lost both then you’re having a really bad day.
Mobile phones aren’t the only way to do this. As mentioned above, banks might provide you with a special device that generates a code you need to enter when you log in. Google and other companies also provide services which websites can use for two factor authentication. However, mobile phones work well as most people have them.
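To show what is going on behind a code-generating device and the website that checks it, here is an added example (not from the original post): a minimal two-factor login in Python. The code generator is HOTP (RFC 4226), the counter-based scheme such devices and authenticator apps are built on; the account, password, salt and shared secret are constructed for the demo (the secret is the one from the RFC's test vectors), and each code is accepted only once, so a code someone has already seen cannot be replayed.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class SecondFactor:
    """Server-side record of one user's device: shared secret plus the last counter accepted."""
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1      # nothing accepted yet
        self.look_ahead = look_ahead  # tolerate a few button presses that never reached the server

    def verify(self, submitted: str) -> bool:
        # Only counters beyond the last accepted one are valid, so a used code is rejected.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo account (hypothetical user, password and salt).
SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "token": SecondFactor(b"12345678901234567890"),
    }
}

def login(username: str, password: str, code: str) -> bool:
    """Factor one (something you know), then factor two (something you have); both must pass."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, SALT), user["pw_hash"]):
        return False
    return user["token"].verify(code)
```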
So I should use this then?
Absolutely. Lots of websites now support two factor authentication. There is a handy list here. For most of these services you only need to enter the additional code the first time you connect from a new device (when you get a new laptop or tablet). It is an easy-to-implement, low-hassle means of significantly increasing the security of your online accounts. So go forth now and turn it on.
As always thanks for reading and please get in touch if you have questions.
Find us on Twitter, or use the contact form.
The Cyber Security Expert