Thursday, October 29, 2020

October Cybersecurity Tip – What Is Two-Factor Authentication?


By Virtual Ability Member Orange Planer

What is it?

Two-factor authentication (2FA) is a method of better protecting your assets. Assets could be money, property, information, stock certificates, etc. The idea is to use two ways of verifying who you are before you can gain access to those assets. For example, if you buy something at the store with a personal check, the value written on the check is the asset. The first method of verifying your identity is your signature, which you put on the check. The store clerk will request your picture identification, such as a driver’s license. The license has not only your signature (method one) but also your picture (method two), so the clerk can make sure the person presenting the check matches the picture on the license.

There are three types of authentication you can offer to identify yourself to someone:
  • Something you have: the check mentioned above, a credit card, your computer, or something else;
  • Something you know: the PIN to your debit card, answer to a security question, a password, or something else;
  • Something you are – that is, something physical about you (a “biometric”): a fingerprint, retina pattern, face, or voice.

If you use a debit card at a store, the asset is the money you are trying to transfer. The first authentication is something you have – the debit card. The second form of authentication is your PIN – something you know. Some smartphones can use your fingerprint – something you are – instead of a PIN. On some Windows computers one can set up Windows Hello. The asset is the computer. After setting up a secure password (something you know), a Windows Hello-enabled computer can use something you are (facial recognition or fingerprint) to complete the identification process.

How does 2FA work on a computer?

Perhaps you are trying to log on to a website or application. First you indicate with a username what you are trying to access – information in your account or access to your online game. Now you enter your password – something you know. With 2FA, we need a second way to identify yourself to the keeper of the information.

The most popular ways to do that are by receiving a text message on your smartphone (SMS) or using an authentication app on your smartphone. Popular phone apps are Google Authenticator, Microsoft Authenticator, Authy, and Duo Mobile. All of these are available at both the Google Play Store and Apple’s App Store.

Which is more secure, text messaging (SMS) or an app?

Text messages are tied to your cell phone number. They can be intercepted through the cell phone network, which can be hacked. Your phone could be infected with malware that sends information to a hacker. Your phone number could be hijacked by a hacker who convinces your cell provider to transfer your phone number to another device. Some people synchronize their text messages with their computer (maybe with the Microsoft Your Phone application). If someone steals your computer and manages to log on to your account, they can steal your text messages. Lastly, if you cannot access your cell phone or if you lose cell service for any reason, you cannot access the text messages.

An authentication app uses Wi-Fi data and is extremely low bandwidth (does not use much of your monthly data allocation). This means the codes are not transmitted over your cell carrier and even if a hacker manages to transfer your cell number to another device, the codes stay with the app. If you lose cell service you can connect the phone to your secure Wi-Fi and the app will still work. Hands down, an authentication app is more secure.

Which is easier?

Text messaging is easier, no question about that. Authenticator apps, however, are not hard. They require a few more steps to set up. Generally, you download the app, scan a QR code supplied by the website, then enter the secure code shown on the phone into the website.

What happens if you lose or reset your phone?

Most websites with 2FA options also give you the option of downloading several backup codes, each usable once. You can use these as your second method of authentication to gain access to your account and then set up your authentication app.
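
The setup and backup-code steps described above, sketched as an added example (not part of the original post or any site's actual code). It assumes the site uses the standard time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps such as Google Authenticator implement; the enrollment URI, account name, and backup codes are constructed sample values.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI of the kind a setup QR code encodes (RFC 6238 test secret).
SAMPLE_QR_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

def secret_from_qr(uri):
    """Extract the shared secret that the app stores when you scan the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    b32 = parse_qs(parsed.query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)

def totp(secret, now, step=30, digits=6):
    """Code shown by the app: HMAC-SHA1 of the 30-second time step, truncated to 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Website side: checks the typed code against the same secret, or a backup code."""
    def __init__(self, secret, backup_codes):
        self.secret = secret
        # Store only hashes of the backup codes; each is deleted after one use.
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}
        self.last_step = -1  # newest time step already accepted, so a code cannot be replayed

    def verify(self, code, now, step=30):
        current = int(now) // step
        for s in (current - 1, current, current + 1):  # tolerate small clock drift
            expected = totp(self.secret, s * step, step)
            if s > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = s
                return "totp"
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)  # backup codes are single use
            return "backup"
        return None
```

Both sides derive the code from the secret and the clock, so the code itself is never sent to the phone.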

Does using 2FA make my accounts secure?

There is no such thing as perfect security, so no, using 2FA does not make your account 100% secure. Think of it as making your account so hard to break into that hackers will go for easier targets. It is like securing your car with a door lock and a security alarm. Thieves might not be deterred by a lock. Add the alarm and they will find an easier target.

Is using 2FA a hassle?

No. While it does require the use of a smartphone or email sent to you, the idea is to increase the security of your accounts. In combination with a password management program, using 2FA is about as easy as one can get without taking extreme measures. The password manager fills in your automatically generated, complex password and the authentication app gives you a code to enter. Done deal.

How do I enable 2FA on my accounts?

Each website using 2FA has its own procedure. Check your account page, the site’s Frequently Asked Questions (FAQ) page for help, or search using the phrase “how to enable 2FA on xyz website.”

1 comment:

  1. Fantastic knowledge and very much appreciated. Thank you.

