SECURITY TIP: Two Factor Authentication

Category: Security

Okay, I'll admit this sounds geeky, but it’s important. Two-factor authentication isn’t all that complicated, and it can save your bacon from hackers and identity thieves. Read on to learn more about this online security technique that I'm strongly recommending for PC, Mac and mobile users...

What is Two Factor Authentication?

If you venture beyond your web browser's start page, you’ve probably seen the phrase, “two-factor authentication” by now. Sometimes it's referred to as "two-step verification," "login approval," or "enhanced login security." Bottom line, it's a big improvement on the username/password method of gaining access to online accounts. And it's something you need to know about.

An ever-growing number of Web services providers, large and small, are offering it; Google, Twitter, Facebook, Microsoft, Apple, and online banking sites are just a few examples. What is two-factor authentication (abbreviated 2FA); why do these corporations want you to use it; and when do you really need it?

First, let’s see what one-factor authentication is. You go to a Web site and enter your username and password. That’s two factors of authentication, right? Well, no. Your username is typically public, and is not guarded like a password. What you know (the password) is really only one type of authentication factor.

Two Out of Three Ain't Bad

Ever wonder if someone is looking over your shoulder while you log in to Facebook or Gmail at the coffee shop? It happens. But here’s the really cool thing -- with two-factor authentication, it doesn’t matter if someone guesses or steals your password. Let me explain further. Two-factor authentication systems require two out of three things to authenticate you:

  1. Something you know, such as a PIN or username/password combination
  2. Something you have, such as a phone, ATM card, or an electronic key fob
  3. Something that is part of you, such as a fingerprint, retina pattern, or face

2FA is hardly new. ATMs employ it; the card is what you have and the PIN is what you know. Self-service gas pumps require a credit card and the ZIP code of its billing address. But 2FA is new to the online world, and it’s meeting resistance, mostly born of laziness.

Many people don’t even want to bother with one-factor authentication. They let their browsers or third-party password-management software store usernames and passwords, and enter them automatically. Of course, that means anyone who uses your Web browser while you’re not looking can get into your online accounts. Password-management software is generally protected against unauthorized use by a single password; if that’s stolen, it’s as if someone stole your key ring with all the keys to everything.

Many Web sites have countered this sloppy security practice by creating Web pages that won’t accept auto-filled passwords; your username may be filled in but you will have to type the password. My bank puts form fields for username and password on separate Web pages, defeating auto-fill. I think we can expect similar enforcement of 2FA if “consumer re-education” doesn’t work.

A recent real-world example of a business failing to use two-factor authentication cost a casino one million dollars. Although it happened in an offline context, their blunder resulted in two men named Kevin Lewis being awarded a huge payout.

Prevention of fraud and litigation is also motivating online businesses to enforce 2FA. Identity theft is rampant and rising; when a merchant is defrauded, he often ends up eating the loss. Lawsuits by consumer victims against business victims seek to shift responsibility from the one who was careless with a password to the one who “should have done more” to protect against fraud.

Tangible 2FA tokens, such as RFID chips and USB dongles, have been tried without success (outside of businesses where security is taken very seriously). Online merchants, banks, and other consumer-oriented businesses are now turning to tokens of pure information delivered via the nigh-universal medium of text messaging.

Your Phone is a Factor

If you sign up for 2FA with such a company, you will have to register a mobile phone number with the firm. Then, when you enter a username and password, a text message containing a PIN or short password will arrive on your phone. Enter that code and you’re in. The phone, which is presumably in your possession, is the second, tangible authentication factor.

Google offers two-step verification for Gmail and other Google services. If you turn on this option for Gmail, you’ll need to enter your username/password as usual. You’ll then be prompted for an authentication code before the login can be completed. The code comes from Google Authenticator, an app for Android, iOS, and BlackBerry devices. This time-sensitive code can be generated even if you’re not online, and you can also print a list of codes for use when you don’t have your phone handy.

Yes, it’s a minor nuisance to enter the code. But you only have to do it once every 30 days, or if you’re logging in from an unfamiliar device or location. Just remember the major benefit: even if someone obtains your password, they won’t be able to log in to your account without that verification code. And in order to get the code, they’d also have to steal your mobile phone.

Whatever device you normally use to connect to a Web service may also serve as a second authentication factor. Facebook, for example, will optionally store the IP address, MAC address, and other uniquely identifying data about your usual device. If you attempt to log on from a different device (or geographical location) you may be challenged with additional security questions. Some online banking sites do this as well.

The minor hassle of two-factor authentication is a trivial price to pay for the increased security of your identity and online assets. Get used to it; it’s the next big thing.

Your thoughts are welcome on this topic. Post your comment or question below...

This article was posted on 12 Aug 2013
Most recent comments on "SECURITY TIP: Two Factor Authentication"

Posted by:

Talley Melear
12 Aug 2013

I feel there has to be a better way to protect your accounts with all the technology that is available. Sending a text PIN number to a cell phone is not good security. With all the crime that is going on, if someone is being forced to sign into their checking account, why would they not know to wait for the PIN number to be added!! The other reason is in many ways minor but can be a factor for people surviving on a fixed income. Most cannot afford unlimited text messages, so the few they do have would not allow for text message security PINs.


Posted by:

Butch
12 Aug 2013

If I have read your information correctly, 2FA is based upon one's having a cell phone. Is that correct? If so, what about the folks who do *not* have a cell phone, can't afford one, don't want one, etc.????

EDITOR'S NOTE: Most (all?) of the phone-based 2FA systems will send a voice call instead of a text, so a mobile phone is not required.


Posted by:

Al Rabold
12 Aug 2013

Well, if a lot of businesses choose to text a PIN to a mobile phone, I guess I won't be doing business with them. I refuse to own a cell phone!


Posted by:

Carole
12 Aug 2013

I am very leery about a lot of things that I receive or see online. That also applies to phone calls. One nice thing is that you can now sign up with most banks and credit card companies to have them notify you instantly via email the moment a payment has been made or something has been charged to your credit card account online. I think everyone should take advantage of this feature. This can help avoid ID theft.


Posted by:

Tom Van Dam
12 Aug 2013

I take it from your article that you don't like Password Software that fills in forms. I always thought these were better because keyloggers couldn't capture the information. I use one at home and work (Roboform). I don't use it at cafes, etc., just my personal computer, although it isn't supposed to store anything on the PC itself when using the ToGo version.

I know our business bank uses multiple logins on different screens along with a picture that I had chosen. I know the picture is supposed to tell me I am at the correct site, but after a while I seem to ignore it.


Posted by:

RandiO
12 Aug 2013

I have come up with a problem for being able to use 2FA:
Since I never use the same password for more than a single site, I am usually relying on the open-source KeePass Password Safe (http://keepass.info) to store such credentialing information. Unfortunately, not even KeePass has the functionality to be able to enter/store a second password/code. Maybe they will step up in the next release and provide a second entry field for accommodating 2FA.

Thank you.


Posted by:

Jerry
12 Aug 2013

So am I going to be forced into buying a smart phone or signing up for a text service? Expect some resistance from Luddites.

EDITOR'S NOTE: Most (all?) of the phone-based 2FA systems will send a voice call instead of a text, so a mobile phone is not required.


Posted by:

ManoaHi
12 Aug 2013

I disagree. Two-factor authentication and two-step authentication are not the same thing. You are correct that it takes two out of the three: something you know, something you have, something you are. But multiple of a single factor is not 2FA, so those two terms are not synonymous.

Take Apple, for example, where you have two-step authentication (you notice that they do not say "two factor"): it is actually two passwords. OK, granted, it is hard to memorize the code that Apple gives you, but it is just another password, which you can commit to memory (I have done that already, and I also memorize my credit card numbers and passport number). This makes it two of the first factor, so it is something you know, but twice.

LogMeIn also uses two of the first factor (password to get into LogMeIn, password to get access to your system); it is not two-factor authentication. You can have multiple of each one, for example you can have a lot of hoops you need to jump through, but if they are all passwords, it doesn't matter: it is still single factor.


Posted by:

RandiO
12 Aug 2013

For all those Luddites [self included] who are still refusing/resisting the temptation to own cell/smartphones, an alternative is to get a FREE Google Voice (gV) phone number. gV will allow you both the ability to text as well as to have incoming gV phone calls routed to your regular home phone. Yes, it is one additional stat that Google will have on you, but this is the 21st century and we must pick the right wars to fight...


Posted by:

Loren
12 Aug 2013

Interesting subject. I like the idea but not using my cell phone. I am amazed at the number of your readers that don't have or want a cell phone.
My banks use double verification but all on screen. Is that not secure?


Posted by:

dwream
12 Aug 2013

I don't mind the bank asking me "security questions" when I log on from an unfamiliar computer, but why won't they let us write our own questions? Some of the "canned" questions are too predictable ("Mother's maiden name".) Some are impossible to remember ("Who was your best friend in grammar school?") Writing my own, I'd ask questions I could remember, such as, "What class did you flunk your Freshman year in college?" Or, "Who was your first fiancé?"


Posted by:

Bruce
12 Aug 2013

There is a very simple way to have a "secure" (level) password without using software that may be lost (like a key fob) or depending on your card/phone not being stolen/used without your permission.
You do that by generating a simple and strong unique password for each site you use each time you use it.
You can generate a password from 10 to 20 characters each time you use a site.
It's done by using the concept of a public/private key.
You think of a unique (to you) set of letters, numbers and special characters and define how you use the (any) site's (public) info as part of its unique password.
You can be as simple (for a store login) or as complex (bank/credit card login) as you like.
Bruce(at)eMinistryTools(dot)org


Posted by:

Migret
12 Aug 2013

A bit pointless having "2FA" identification for Google etc. if they demand you have the same password for all their sites, & request that it be entered automatically.


Posted by:

RandiO
12 Aug 2013

oooops, I was mistaken, there is indeed a 2FA (OTP) plug-in for KeePass:
https://bitbucket.org/devinmartin/keeotp/wiki/Home
https://bitbucket.org/devinmartin/keeotp/downloads

KeeOTP
This is a KeePass plugin that adds support for two-factor authentication into other systems using TOTP (Timed One Time Passwords). It stores TOTP secret keys in the KeePass database and generates TOTP codes from the key within KeePass. This is compatible with Google's 2-Step Verification and Amazon AWS MFA and Dropbox. It will work with most other RFC 6238 compliant TOTP implementations as well.


Posted by:

Nigel
13 Aug 2013

Where we live on the side of a hill cell service is very sporadic because the antenna is just over the crest of the hill and we get, or don't get, the very bottom of the transmission lobe. So using a cell phone wouldn't be very successful and in a different location a landline wouldn't either. Plus the cost of roaming if one is in Europe, say, instead of home in Canada is another problem. One credit card site I go to asks for a user name rather than email address plus password which I guess is a bit better.


Posted by:

Angela
13 Aug 2013

I like the idea that banks/credit card companies text you or email you whenever the account is being used. I've had the credit card people call me when I tried to use my card in a different city.


Posted by:

Carole
13 Aug 2013

Angela, I have had my credit card number stolen about 5 times. They probably didn't like the idea that they had to pay out over $25,000 because of fraud charges on my account, along with the millions or billions of dollars lost by others who have had the same thing happen to them. Call your credit card company and bank to see if they offer this feature.


Posted by:

Ron B
28 Oct 2013

I would hope the text messages arrive quickly. It's not unusual for my texts to my wife's phone on another carrier to take several hours for delivery. Credit cards here in Australia use an in-built microchip for security but petrol pumps don't ask for postcode like they do in the USA (my CC won't work on US pumps as my postcode is 4 digits and not recognised).


Posted by:

Brummagem Flash
12 Jan 2014

I have to report a failed link on "cost a casino one million dollars" in this article. I got an error message on the website, so I went to www.wcpo.com/news and searched "kevin million casino", which found the required story in first place.

The url for the result is:
http://www.wcpo.com/news/local-news/hamilton-county/cincinnati/downtown/horseshoe-casino-cincinnati-blunder-nets-two-kevin-lewises-1-million-each

I hope that helps. To save excessive reading time; please accept my simple thanks, in place of the voluminous approbations your work deserves.

EDITOR'S NOTE: Thanks, fixed now!


Posted by:

James
21 Jan 2014

I use "Last Pass" with a YubiKey (Yubico.com), a small USB dongle. I enter my master password, then the YubiKey sends an ID code and a unique one-time password.
So if I'm in an internet cafe overseas and a keylogger steals my master PW, the criminals still can't access my Last Pass account. It's cheap and easy to carry, and you can have as many "keys" as you want.


Article information: AskBobRankin -- SECURITY TIP: Two Factor Authentication (Posted: 12 Aug 2013)
Source: https://askbobrankin.com/security_tip_two_factor_authentication.html
Copyright © 2005 - Bob Rankin - All Rights Reserved