No matter how many times we ask you to create a strong password, it just won’t happen. People have this super weird fascination with passwords like ‘password’, ‘bob’, and ‘12345.’ It’s so strange. It’s almost as if… you don’t care (gasp).
But it’s true. Most people don’t really care about the strength of their passwords. In fact, it’s almost like a race to see who can create the shortest, most basic password. The easy-to-remember passwords beat out more secure and complex passwords all the time. Except the winner of this race gets their password cracked, their email hacked. Then comes a slew of phishing emails and a nasty virus they couldn’t even destroy if they threw their computer into the fiery trenches of Mount Doom.
Can’t say we didn’t warn you.
However, today we aren’t here to talk to you about the fundamentals of password creation (again). Because we know where that’ll get us. Instead, we’re here to celebrate the many wonders of 2-factor authentication – your one saving grace if you insist on using a ridiculously simple password. (For the record, we STILL recommend you create a strong password!)
Let’s dive in, shall we?
What is 2-factor authentication (2FA)?
People like to describe 2-factor authentication as “what you know and what you have,” and in the simplest of terms, that’s exactly what it is. It’s a method of verification that attempts to authenticate two separate items. So, instead of being required to just enter in a password to gain access to your account, you must supply a password and one additional form of verification.
What does 2FA typically look like?
Authentication of these two separate items can be accomplished in a variety of ways. The method most people are accustomed to seeing is a password and a security question (which can potentially be called two-factor verification). However, this variation of 2FA is considered weak because it’s “what you know and what you know” as opposed to “what you know and what you have.” Also, security questions are just as easy to crack as the traditional password – if not easier. Most security questions have a very narrow set of answers that people tend to stick to. For example, “What’s your favorite football team?” Or, “What’s your maiden name?” These answers are easy to guess, and easy to discover if you know where to look.
A more reliable and mainstream approach to 2FA would be text or email verification. Rather than being required to answer a security question, when you attempt to log in to an account, you’ll be emailed or texted a random and unique verification code. To complete the login process, you’ll be required to enter this code. Usually, you have to accomplish this task within a set timeframe, or the verification code will expire, and you’ll need to request a new one. This adds another layer of security to this method of 2FA.
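What the service has to do behind an emailed or texted code, as an added example that is not part of the original article. The `CodeStore` class, the 5-minute lifetime and the 5-guess limit are assumptions chosen for illustration; the article only says the code expires within "a set timeframe".

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5    # assumed number of guesses allowed per issued code


class CodeStore:
    """In-memory store of pending verification codes (hypothetical helper)."""

    def __init__(self):
        self._pending = {}  # user -> [sha256(code), expires_at, attempts_left]

    def issue(self, user: str, now: float) -> str:
        """Create a fresh 6-digit code; issuing again replaces any older one."""
        code = f"{secrets.randbelow(10**6):06d}"  # drawn from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = [digest, now + TTL_SECONDS, MAX_ATTEMPTS]
        return code  # handed to the SMS/email sender; only the hash is kept

    def verify(self, user: str, submitted: str, now: float) -> bool:
        """Accept a code once, before it expires, within the guess limit."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now >= expires_at or attempts_left <= 0:
            del self._pending[user]  # expired or guessed out: request a new one
            return False
        entry[2] -= 1  # every try costs an attempt, right or wrong
        candidate = hashlib.sha256(submitted.encode()).digest()
        if hmac.compare_digest(candidate, digest):  # constant-time compare
            del self._pending[user]  # single use: a replayed code fails
            return True
        return False
```

Without the guess limit, a 6-digit code could simply be tried a million times inside its lifetime, so the expiry alone is not what makes the code safe.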
When it comes to ultimate security, the authenticator app stands out as the undisputed champion. Unlike email or text-based methods, this approach binds the process to a physical device — your smartphone or tablet. When you try to log in, the app installed on your device generates a unique code for authentication. These unique codes expire even more quickly than those emailed or texted, so you’ll need to get the code and enter it into the verification box within about a minute, or wait for a new code to generate.
This pairing of the digital “what you know” (your password) with the tangible “what you have” (your device) results in a significantly heightened level of security. To gain unauthorized access, a cyber miscreant would need both your password and physical device, a combination that’s far less likely to occur. Even with a compromised password, the authenticator app remains a robust protective barrier.
Importantly, the app doesn’t require an internet connection to generate the code, offering constant protection irrespective of your location or network availability. In summary, the authenticator app takes 2FA to a higher security level, serving as a vigilant digital bodyguard.
How sophisticated is 2FA?
The most sophisticated forms of 2FA rely on biometric identifiers – eyes, fingers, and voice. But if we’ve learned anything lately, it would be that biometric identifiers really aren’t all that far-off anymore. Many of us have a fingerprint reader built directly into our phones, and you can even purchase something like a USB fingerprint reader for your laptop for less than $100.
So, to answer simply, it is very sophisticated, and becoming more so with every passing year.
Are there security concerns with 2FA?
There will be security concerns for anything and everything that touches the internet, and 2FA is not immune to this statement. Like we mentioned previously, hackers can guess security questions just as easily as they can a password. Some security researchers have claimed that a code texted to your phone can be intercepted through sophisticated social engineering tactics.
It wasn’t too long ago that the UK-based security company Suprema realized that their BioStar 2 platform, which uses biometric security for government organizations, banks, and the police, had a security gap. All of the biometric data used to secure their clients was found on an unsecured database – fingerprints, facial recognition, passwords and identifying information were all out in the open for anyone to scoop up.
You can change a password, but you can’t change a fingerprint.
Even with that in mind, 2FA is still significantly more secure than a password like ‘password’ will ever be. We recommend using a strong password combined with 2FA to ensure your data and sensitive information are as secure as possible.
If you’d like to see which sites and apps offer 2-factor authentication, twofactorauth.org has a list of most of the major websites that offer 2FA with step-by-step instructions on how to implement this feature.