Security in Plain English Series
What is Two-Factor Authentication?
Why Do I Have to Change my Password Every 30/60/90 Days?
Office 365 Phishing
What is a DDoS Attack?
What are Red, Blue, and Purple Teams?
“Companies like SecureAuth provide two-factor authentication when I log in, and my bank and other websites have started using it. What is it, exactly, and why do I need to take an extra step?”
Your bank, Facebook, GMail, Outlook.com and lots of other sites (including your company) are asking you to turn on multi-factor authentication (MFA) to make your account and your online activity more secure. At its heart, MFA is simply a way to help ensure that the person trying to log into a resource is who they say they are, by going beyond the username and password alone. As a result, you are protecting yourself from account takeover and identity theft where someone else fraudulently uses your login credentials.
2-step verification for your online accounts – How it works
A 2-step verification is a common login process where in step 1 you provide your username and password and in step 2 you enter an OTP code. Hence the name “2-step verification”.
- You go to log into a site or application. You provide your username and password (sometimes just the username).
- An authentication system checks your login request to see if it knows who you are already. The authentication system (sometimes called the “IAM system”) checks for several characteristics of your login attempt. These characteristics may include: the device you’re currently using, your physical location, if you are connecting over a Virtual Private Network (VPN), if you’re using an anonymizing service like TOR or others, etc.*
- If the IAM system cannot confirm that you are who you appear to be, or if there’s any question as to you being who you are, then it asks you to provide another factor (which is where Multi-Factor Authentication gets its name) to prove your identity. Factors range from a One-time Password (OTP) that can be delivered by text message or read from a smartphone OTP app, a push request sent to your smartphone or some other challenge that requires you have some other device in your physical possession.
- If the login screen didn’t ask for your password before, you enter it now.
- You’re successfully logged in.
*) Discrepancies in your location, IP address or device are all reasons for OTP prompts.
Two-factor authentication – It’s about What you know & What you have
Multi-Factor Authentication, or 2FA, is based on the idea that in addition to something you know (your username and password), you also prove who you are with something you have (a smartphone, etc.) or something you physically are (a fingerprint, facial recognition, etc.). The combination of these factors helps to ensure that the person typing in the username and password is who they say they are because they also have access to the additional factor.
The reason two-factor authentication is becoming popular is because usernames and passwords alone aren’t particularly secure anymore. Not only do people re-use passwords on multiple sites, but many also choose passwords that are either easy to guess or are short enough to be guessed by trial-and-error. Since a simple username and password combination is no longer enough to prove identity, looking for some other factor is a logical next step.
Why should I stop using passwords and use OTP instead?
We carry mobile or smartphones with us everywhere these days; so text messages with an OTP or a iOS/Android authenticator app that can receive a push alert are popular MFA options that don’t inconvenience the user. Smartphones are also quickly becoming capable of using fingerprints and other biometrics as identity factors – and as such, sites and applications are beginning to accept those for MFA too.
Keep me signed in – a path to less frequent OTP prompts
Note that some systems don’t check to see if they recognize you before prompting for two-factor authentication, so you might get challenged every time you log in. That’s inconvenient, so more and more systems are switching to a more adaptive authentication workflow. That means users go through fewer MFA challenges while not sacrificing the security of your account and data.
You may also see a “Keep me signed in” checkbox on the login screen. If the computer is your personal device (not a shared PC), go ahead and check this option. The “Keep me signed in” option will create a persistent cookie in your browser and your session will – for a period of time – remain active when you close and reopen your browser.
Logins with MFA or 2-step verification are becoming more and more popular as passwords get less and less secure. Therefore it shouldn’t be a surprise if sites and companies that didn’t use them before start using them now. If your workplace IT department needs you to use two-factor authentication for corporate access, they’re trying to keep your data and your identity safe. It only takes a few extra seconds, but can save the company millions by avoiding a data breach.
Security in Plain English blog series is aimed to help end users understand why IT Security enforces policies and how to best protect themselves in a digital world.