How-To Geek

HTG Explains: What Is Two-Factor Authentication and Should I Be Using It?

More and more banks, credit card companies, and even social media networks and gaming sites are starting to use two-factor authentication. If you’re a little unclear on what it is or on why you’d want to start using it, read on to learn how two-factor authentication can keep your data secure.

What Exactly Is Two-Factor Authentication?

How-To Geek reader Jordan writes in with a straightforward question:

I’m hearing more and more about two-factor authentication. I vaguely remember Google making a big deal about it last year, my bank recently offered a free key-ring thing for valued customers, and my roommate even has some sort of app on his phone to keep his Diablo III account from getting hacked. I get that it’s some sort of security tool but what exactly is it and should I be using it?

In order to understand what two-factor authentication is, let’s first take a look at what one-factor authentication is and compare it to both real and virtual models of security.

When you come home from work, pull out your keys, and unlock your back door, you’re engaging in simple one-factor authentication. The door and the lock assembly don’t care whether the person holding the key is you, your neighbor, or a criminal who lifted your keys. The only thing the lock cares about is that the key fits (you don’t need two keys, a key and a fingerprint, or any other combination of checks). The physical key is the single confirmation that the person wielding it is allowed to open the door.

The same level of one-factor authentication occurs when you log in to a web site or service that simply requires your login and password. You plug that information in, and it exists as the only check that you are, in fact, you.

Assuming nobody ever steals your keys or cracks/steals your password, you’re in good shape. While your keys being stolen is a fairly low risk, virtual security is more complex (unlike online security breaches, your apartment complex manager, for example, would never accidentally copy all the keys and leave them with your name and address on a street corner).

Security breaches, sophisticated attacks, and other unfortunate but all too real aspects of working and playing in a virtual space necessitate improved security practices including multiple and diverse complex passwords and, when available, two-factor authentication.

What is two-factor authentication and what does it look like for you, the end user? At minimum two-factor authentication requires two out of three regulatory-approved authentication variables such as:

  • Something you know (like the PIN on your bank card or email password).
  • Something you have (the physical bank card or an authenticator token).
  • Something you are (biometrics like your fingerprint or iris pattern).

If you’ve ever used a debit card, you’ve used a simple form of two-factor authentication: it’s not enough to know the PIN or to physically have the card; you need both in order to access your bank account at an ATM.

Two-factor authentication can take on a variety of forms and still meet the 2-of-3 requirement. There can be a physical token, such as those widely used in banking, where an over-the-air code is generated for you. To log in you need your username, password, and the unique code (which expires every 30 seconds or so). Other companies skip the custom-hardware route and supply mobile phone apps (or SMS-delivered codes) which provide the same functionality. While not particularly common, you could also use two-factor authentication based on biometrics (such as securing an encrypted file with a password and a fingerprint).

Why Should I Use It and Where Can I Find It?

Any time you introduce an additional layer to your security routine, you always have to ask yourself if the hassle is merited. Multi-factor authentication for a muscle car discussion forum that contains no personal information and is in no way linked to your real email or financial information is obviously overkill. Having a second layer of authentication for your credit card or primary email account, however, is just practical—the personal and financial trauma that would result from an identity thief or other malicious entity having access to those things far outweighs the minor hassle of inputting an extra bit of information.

Any time two-factor authentication is available for a system, and that system being compromised would cause you significant suffering, you should enable it. Having your email compromised opens you up to other services being compromised, as email serves as a sort of master key for password resets and other inquiries. If your bank provides a mobile authenticator or other tool, take advantage of it. Even for things like your roommate’s Diablo III account: players spend hundreds of hours building their characters and often spend real money purchasing in-game goods, and losing all that labor and gear is an awful proposition. Slap an authenticator on your account!

Not every service offers two-factor authentication, unfortunately. The best way to find out is to dig through the FAQ/support files and/or contact the support staff for the service in question. That said, many companies are vocal about their adoption of multi-factor authentication schemes.

Google has two-factor authentication both for SMS and with a handy mobile app—read our guide to installing and configuring the mobile app here.

LastPass offers multiple forms of multi-factor authentication including using Google Authenticator. We have a guide to configuring it here.

Facebook has a two-factor system called “login approvals” that uses SMS to confirm your identity.

SpiderOak, a Dropbox like storage service, offers two-factor authentication.

Blizzard, the company behind games like World of Warcraft and Diablo, has a free authenticator.

Even if it looks like, based on reading the FAQ file of the company in question, they don’t have two-factor authentication, shoot them an email and ask. The more people that ask about two-factor, the higher chance the company will implement it.


While two-factor authentication isn’t invulnerable to attack (a sophisticated man-in-the-middle attack or someone stealing your secondary authentication token and beating you with a pipe could crack it), it’s radically more secure than relying on a regular password and simply having a two-factor system enabled makes you a much less compelling target.

Know of a service, big or small, that offers two-factor authentication? Sound off in the comments to alert your fellow readers.

Jason Fitzpatrick is a warranty-voiding DIYer and all-around geek. When he's not documenting mods and hacks, he's doing his best to make sure a generation of college students graduate knowing they should put their pants on one leg at a time and go on to greatness, just like Bruce Dickinson. You can follow him on if you'd like.

  • Published 06/19/12

Comments (10)

  1. Johann

    Also Google’s authenticator is open-source so third-parties can use it freely (LastPass already do, as you mentioned). There’s code out there for you to use to quickly implement it on your own websites if you want.

    There’s also a PAM module so you can use it on your *NIX host logins too if you should so wish. I’ve even seen some Ruby code that allows you to use it in conjunction with SSH key pair logons.

    Not sure if anyone’s added it to an OpenID provider. That’d be cool.

  2. Bikram

    I’ve been using it ever since I got my first Android phone, for both Google and LastPass. Makes me feel a bit more secure online.

  3. dave in houston

    What good is Google’s authenticator if they bend over every time the feds want information on someone? The feds hold 5 aces and you don’t have a pair.

  4. Tim

    Facebook, at least for the Android app, has 2-factor built in (if you want to use it). Open up your side bar of options and scroll down to “Code Generator.” It works just like Google’s Authenticator app. It’s great when/if you don’t have cell reception to get an SMS with a code in it.

  5. MarkE

    Seems like many organizations are still struggling with what method is best suited to add additional layers of authentication for access and transaction verification without unreasonable complexity. I’ve noticed many of the major web organizations moving to the use of a telephone (mobile or other) as a form of a token where the user is asked to telesign into their account. This should be a prerequisite to any system that wants to promote itself as being secure. Nice article. It needs to be stressed that strong passwords do not replace the need for other effective security controls.

  6. Art€

    I know that Facebook uses a 2-factor login facility, but I’m loath to put any (primary) info on my Facebook page (read: account). I’m not paranoid, but I don’t want to put any info about my mobile telephone # on there!!

  7. Terence Kam (eStrategyPro.com)

    Johann,

    Verisign’s PIP is an OpenID implementation that uses two-factor authentication:

    https://pip.verisignlabs.com/

    You can use an app (Android/iOS), physical card or PC software as the token to generate the one-time code to log in.

  8. Sec Geek

    This is in response to dave in houston’s comment about Google’s authenticator.

    Google’s authenticator still helps to protect you from attackers. There are far worse people out there than the feds who want to get ahold of your information. Therefore, even if Google does “bend over everytime the feds want information on someone” (fyi – I am not saying that this is a true statement, I am simply quoting your statement here), you are still better protected from the criminals out there who will do some real damage.

  9. Siniša Ivanek

    Hi,

    here in Croatia almost every bank has some kind of two-factor authentication for their customers for e-banking. E.g. I have got a hardware token which I use to log in to my account and to sign every transaction. Business customers get a smartcard or a USB token. Also some of them have mobile apps and some of them have an integrated token.

  10. Tom

    Check out Duo Security, too.

    They’re free for under 10 users, have integrations for blogs, SSH, VPNs, etc. And their apps are really simple to use:

    http://www.duosecurity.com/duo-push
