Why Two-Factor Authentication Is a Good Idea and How It Works

As the digital age continues to expand and our everyday tasks (e.g., emailing, banking, online storage) continue moving to the cloud, there seem to be never-ending requests for new login usernames and passwords.

For cloud service providers (those that offer free email, banks, credit card companies, business sites) and your workplace, you likely need a login username and password to access your data. (And your home computer and personal devices should have login credentials enabled too!)

Password requirements vary from one cloud system to the next and in some cases, there are no format or length requirements. Herein lies the problem for you (and your workplace)—it’s an opportunity for hackers to gain access to your confidential information. 

Cloud application providers with no requirements for their password lengths, composition or expiration (i.e., length of time before you need to change your password) allow you to use the same login username and password at multiple sites. The problem with this is once one site is compromised and your password is exposed, hackers can start using your login info at other sites (e.g., targeting popular social networking sites).

So, although these providers might be easy to access, the risk is greater than the benefit of what you’re signing up for.

I like to see websites that require password length, composition or expiration, but of course this creates a new problem I see far too often: “How do I remember all my different login credentials?” 

One simple solution is to write them down and stick them to your monitor or under your keyboard. It’s probably not the worst solution to maintain your list, but also not the best since hackers and thieves know where to look for this info at places of business or homes.

There are also password protection/generation applications, but the best ones come at a price.

So, what can a business or each of us as individuals do? This is where a subset of multi-factor authentication, called two-factor authentication, helps prevent the unauthorized use of your login username and password. If you think of your password as the first “factor” then adding one more step is the second or “two-factor.” 

The “two-factor” can be based on something you “know” or “have” or “are” or somewhere you are. 

Something you “know” 

The simplest to set up and the most commonly available to consumers (non-business solutions) is the something you “know.” This is usually offered by many sites when you set up your account or enable two/multi-factor authentication. You choose the question and provide the answer.

The questions available to you are usually ones that hackers can’t research to find the answer, so you will not see “What is your birthdate?” The questions are along the lines of “Where was your mom born?”, “Where did your parents meet?” or “What was the name of your first pet?” Although it’s tempting to select a question that has an easy answer, keep in mind the easier it is for you, the easier it might be for a hacker to find, too.

Something you “have” 

This one is typically based on a code that you must enter after your password is accepted. The code is generated by a cell phone application or a token (a small device that generates the code).

There are also services that can send a text or call your cell phone with a code you enter in order to access your account or in the case of a phone call, press a number to permit your login.

Something you “are”

This one is primarily based on biometrics, such as a fingerprint, retinal scan or a voice print. For example, many mobile devices and applications allow you to sign in to your account with your fingerprint.

Somewhere you “are”

This is also known as “geofencing.” This permits you to log in (or not log in) when you are in a certain geographic region. For example, an application that only allows you to log in if you are located within a 5-kilometer radius of your place of business or house.

Okay, so enough technical information! Let’s get into why two-factor authentication is so important. 

Historical data shows us that hackers have breached some of the most significant cloud services and have gained access to millions of usernames and passwords. Sometimes, these same usernames and passwords are used at other sites by people like yourself, so it’s only a matter of time before one of the hacked username/password combinations allows cyber criminals into another application you have access to. (Remember: Hackers have nothing but time and use multiple computers to try username/password combinations on various sites.)

Enabling Two-Factor Authentication

Recently, cloud service providers have started to offer two-factor authentication (or in some cases multi-factor, which means more than one question must be answered).

This feature isn’t always turned on by default, so it must be enabled by you, the “user” of the account. (Tip: Search in the service provider’s online help for two-factor or multi-factor or search on the web to see how to set up two-factor for your service provider.)

So, my recommendation to you is to enable two-factor/multi-factor authentication on all your personal accounts (e.g., email, bank, credit card, online shopping). After your password (the first factor), the second, third and fourth factors (or more) are something the hacker will have a difficult time guessing or researching. For them, having only your login information won’t be enough to break into your account. Hopefully, they’ll give up and move on to the next person.

Two-Factor and Working Remotely

In 2020, a large part of the workforce moved to a “working remotely” strategy. In some cases, this may have presented an opportunity for hackers to gain access to your corporate network. Guess what your first line of defense is? Two-factor or multi-factor authentication! Make sure to inquire at your place of business to see if they have enabled two-factor/multi-factor authentication and if so, enable it on your business account.

It takes a bit of extra work to use two/multi-factor authentication, but it takes less time than recovering your online accounts (and life) if you’re hacked.