Security schemes have evolved over time, right? First, there was the PIN. Then, there was the username and password combination. However, there are significant limitations to these. The main one is that this is just information you need to “know”, and anyone who knows it can compromise your security.
What is two-factor authentication?
Two-factor authentication is a step better. In fact, you already use it right now for at least one thing: your bank ATM card. Two-factor authentication requires that you “know” a piece of information, and that you “have” something physical. In the case of the ATM card, you must know the PIN AND possess the card. Biometrics can be used the same way. You “know” your username and password, and you use your fingerprint or retina to confirm that the correct human body is accessing the account.
Two-factor authentication is where you are authenticated by knowing some piece of information, and physically possessing something.
How can I use this?
The good news is, most major Internet sites now support two-factor authentication in one form or another, or are working their way towards that goal. The simplest way this is implemented is by sending you a text message on your phone. With Facebook for example, when I log in, I put in my credentials and I immediately get a text message with a code. On the Facebook login page, I must put in that code to finish logging in. This is called a One Time Password (or OTP).
In this case, I need to know my username and password, and I must possess my phone (and be able to get past the lock screen). This is two-factor authentication.
Is it just about text messages?
Great question! No. At present, there are at least 3 “apps” you can get for your phone that offer rolling “one time passwords” (OTP). So, when you log into an app or site, you would bring up your phone, switch to that authenticator app and read the current code that it shows. It typically changes every 30 seconds.
If you’ve ever had a “SecureID” card to connect to your work’s VPN, this is the same concept, but on your phone.
On Windows Phone, there is great news – you can do it all from two apps:
What I mean is, two-factor authentication (as of this writing) is done one of four ways, and you can handle all four on Windows Phone:
- The app sends you an SMS text message with a code.
- The app requires a Microsoft Authenticator code.
- The app requires a Google Authenticator code (which you can get via the Microsoft Authenticator app).
- The app requires a Verisign VIP Access code.
In the case of Google, when you set up two-factor authentication (link below), I just lied and said I had an Android phone. On the next screen it gives you a QR code to scan. I scanned it with my Microsoft Authenticator app and it works! Here’s what the VIP and Authenticator app look like by the way (with some Photoshop magic):
The Verisign one you might use more for your VPN at work, but there are many Internet sites that use it too. You can browse that list here: https://idprotect.verisign.com
Where can I use 2-factor authentication?
Two-factor authentication is enabled differently for many sites and apps. Some send a text message, some require the Microsoft Authenticator code, some the Google Authenticator, and some the Verisign VIP Access code.
To turn on two-factor authentication for some popular sites, see the links below:
- WordPress (to use the Google Authenticator)
UPDATE 08-Mar-2014: I contacted some other vendors and got some responses back:
- Amazon.com – “At this time, two factor authentication is not available on our website. … As soon as your request becomes available, we will definitely let you know about this through our website.”
- Copy.com – “Two Factor Auth is on our road map. We don’t have a date for its implementation, but it should be coming.”
- Chase.com – “Chase already has the Two/Multi Factor Authentication. … 1) Something the Customer knows – a User ID and password 2) Something the Customer has – a secure cookie and/or an activation code” (I disagree with this)
- Citi – can use your phone, but also allows you to use your e-mail. Forcing me to use my phone (or something physical) is far more secure.
- Bank of America – pointed me here, which isn’t really the same thing. For regular login, they have the same thing as Citi and Chase: they optionally let you use a phone, but you can also use your e-mail to confirm your identity, which is much weaker.
So, we have super-secure two-factor auth for things like Facebook, but questionable security for our banks and credit card companies?! This seems a bit backwards to me.
All I mean is, the strength of the security scheme is that you force the user to have something physical. When you give them multiple options, that also gives a would-be attacker multiple options. I’m sure as time goes on, these security schemes will get better and more widely adopted…
Putting it all together:
Hopefully you see the value in this. If your password is ever compromised (and you do have a good password, right?!) – this makes it so a would-be attacker needs your username, password, and your phone to be able to log into your account.
Once set up, this is how it works for any of the sites listed above: when you log in, you put in your normal username and password. After you click login, you are brought to a screen where you put in this extra code. In the case of Facebook, it looks like this:
Once you put in that code, you are considered authenticated.
If you don’t already, you should definitely have a “lock” password or PIN on every device you have. Stop now and go set one!
All of this is meaningless if a co-worker can pick up your phone, swipe to unlock – and has access to your e-mail AND your code generators!
The whole point of this is to give you another layer of defense. One of the worst things that can happen is for you to have an account compromised. Two-factor authentication makes it significantly more difficult for that to happen.
To underscore this, understand how important your e-mail account is. Your e-mail is how you reset your bank and credit card passwords. If someone compromises your e-mail account, one of the first things they can do is go to every bank and credit card website and try to “reset my password” – getting access to your financial world, and also locking you out.
I recommend you make a project of it. Go through all of your accounts (for any apps), go to the account settings screen and see if they offer a two-factor authentication option. Sometimes it’s called something like 2-step verification or text message verification; just turn it on. It only takes a few minutes.