
What Is Two Factor Authentication?

Two-factor authentication is a key measure to prevent unauthorized access to your computer and networks. More and more services support it, and it should be enabled whenever possible.

To understand two-factor authentication and why it’s beneficial, we need to understand what a “factor” is. Simply put, a factor is one of three things:

  • Something you know.
  • Something you are.
  • Something you have.

Passwords are the most common factor people know, and they are something you know. By default, most sites only require a password, and therefore one factor. The issue with this is that passwords can be shared, compromised, or otherwise known.

Adding something out of the other two categories is what makes two-factor authentication work. Since it’s much harder to share something you have (like a cell phone or security key) or something you are (like a fingerprint), it’s much harder to log in with someone else’s credentials without them knowing.

Why Two-Factor Authentication is Important

More and more sites are requiring two-factor authentication by default, and that’s a good thing. While it may seem arbitrary and inconvenient to users, enabling it can improve security in most cases.

If a person re-uses a password between multiple sites, it can be easy to figure out the password or simply look it up in a large table of previously disclosed passwords. Even worse, a password that is common or easy to guess (like ‘password123’) takes even less effort to find.

If two-factor authentication isn’t enabled, that’s the end of the road for your account’s security. The attacker can log in without any trouble or extra work. If a second factor is required, they must have that as well, which makes things much more difficult or impossible.

Types of Two Factor Authentication

The most common form of two-factor authentication is using something you have. There are a number of ways sites can verify some object is in your possession:

  • Text a code to your cell phone. Since your cell phone number typically only goes to one phone, it ensures you have the phone in your possession. While common, this way does introduce new security issues.
  • Ask for a code from an app. When creating your account, sometimes sites will ask you to use an application like Google Authenticator to generate a six-digit code. These codes are called Time-based One-Time Passcodes, and are generated using a secure key. Since this secure key is stored on your phone, the code is tied to something you have.
  • Ask for a physical security key. Security keys like YubiKeys or the Google Titan Key are small objects that plug into your computer. These devices store secure keys on them, and can transmit data to the website to verify this key. These are regarded as some of the most secure two-factor methods, as the keys are very difficult to duplicate.