Two Factor Authentication

With the every increasing list of major internet sites that have data breaches we are used to being notified that the password we use to access a site has been lost and must be changed.

One of the responses to this trend is for more sites to offer two factor authentication options to help reduce the chance of your account being accessed even if your password is lost or becomes known to malicious actors. So what are authentication factors?

Authentication Factors

Authentication factors are ways in which we can prove our identity as the authorized user. There are three different types of factors:

  • Something you know
  • Something you have
  • Something you are

Something You Know

Passwords are the prime example of using something you know as the means to authentication. By creating and then reproducing on demand the password you prove your identity.

The challenge question and responses are examples of extending additional items to the something you know list.

Some sites now ask you to select a picture that will be displayed to you during login and ask you to verify the same image appears in the future.

Another example are PIN codes used for access or banking.

In short, anything that is simply a memory test asking you to repeat a shared secret of some kind falls into the something you know factor.

Something You Have

The most popular method in the something you have category is your cell phone. This can take the form of a text or app on the phone that generates a number that you enter into the authentication prompt.

For decades companies have made key code devices that generate a constantly rotating number. The number would be entered into the response box to prove that you have the device in your possession.

These can also take the form of USB connected keys and software that likewise generate codes for authentication. Or can be detected as inserted in the computer automatically verifying you have the key allowing you to proceed.

The device you have to have is a sort of key and then needs to be treated as such. Remember that if the USB device is your key don’t keep it permanently on your laptop so if the laptop is stolen they also have the key. And with cell phones keep them locked by some method and turn off the lock screen display of text messages so the locked phone can’t be used as your key.

Something You Are

Biometric items all fall into the something you are category. These can be fingerprints, Face ID, palm readers, eye scanners and the like. These are often considered the most secure factor since they are part of your person.

But I’m sure we have all seen the movies where says cut off hands, remove eyes and otherwise mutilate people to use their body parts in the biometric authentication process.

Using Two Factor Authentication

Two Factor Authentication can be a powerful blocker in account take overs. So this is especially good to enable on accounts that have value like direct access to funds or access to high levels of administration authority.

In order to be Two Factor the authentication process must use two different factors in the process. So accounts that are using a password in combination with a question answer or a known picture are simply using two of the same “something you know” factor not two different factors. The weakest factor is “something you know” as this shared secret can be learned and repeated by anyone.

Also remember that something you know is weakened further when you choose to save those passwords for auto-login via web browsers. Now the stolen computer will auto-login with these secrets for the criminal. This can be mitigated by requiring a password to always unlock the computer screen combined with enabling full disk encryption on the device to make access much more difficult. But when doing these remember that many of your old passwords are likely lost in the numerous annual password breaches and dumps so be sure the one locking your computer is unknown to the world.

So the best practice here is to identify those most important accounts you have and enable the two factor option with these accounts or whatever other multiple challenge options are available. Banks, email and phone company accounts should be high on your list.