The password was invented in 1960 by Fernando Corbato. Most people still use it to secure most of their online accounts. On the flipside, hackers have also devised several ways of cracking these passwords. To deny such malicious attackers access to your accounts, consider employing two-factor authentication (2FA).
What is 2FA?
Two-factor authentication is a security verification process that was invented to keep user accounts safe, even after hackers cracked their passwords. As its nomenclature implies, 2FA relies on two authorization methods to give access to the secured account.
To gain unfettered access to a password-protected account, you only need the right personal identification number (PIN) or alphanumeric password. 2FA requires users to prove their identity a second time before gaining access. Usually, this involves submitting a security token or your biometrics, perhaps a fingerprint, retina, or facial scan.
Two-step authentication vs. two-factor authentication
The distinction between these two boils down to the number of factors of verification required to grant access. 2FA requires two different factors, while two-step involves verifying the same factor twice.
Is two-factor verification secure?
Single-factor authentication (SFA) tends to be insecure as passwords can easily be leaked to unauthorized parties. For example, if you use a difficult password, you could write it on a sticky note just in case you forget it. This note could then leak to an unauthorized user, who could gain access to your account or system.
Other than negligence, there are also numerous external threats to password-protected systems. Even when you have a strong password, an attacker can still breach it given enough time and resources. For instance, hackers could employ brute-force attacks, trying out several common passwords until they get access to your account.
Adding another layer of security means an attacker cannot access your account, even when they already have your login credentials.
How does 2FA perform and why do we need to use it?
Three factors constitute the information required to unlock 2FA systems. These are:
Something in your knowledge – This could be an answer to a security question, a personal identification number (PIN), or a password.
Something in your possession – This is usually a physical object only you have. It could be an ID card, a security token from a physical device, your phone, or even an authenticator app on your phone.
An inherence factor – This is generally something that can be used for biometric identification. The usual suspects are fingerprints, eye scans, voice, and facial recognition. Complex systems could also check your gait, keystroke patterns or speech characteristics.
Most 2FA systems use a combination of the first two factors, while others combine the first and third. It is not uncommon for high-security systems to use all three, but that crosses into multifactor authentication (MFA).
With this understanding, it is easy to see how 2FA systems are much afer than their password-protected counterparts.
Do you need a strong password if you have 2FA?
Typically, hackers hardly target specific people. They breach the accounts of those with weak security. If they find your account hard to crack, they’ll likely move on to an easier victim. That is unless you’re a billionaire or high-profile individual that’s attracted their attention.
Therefore, it is essential to utilize strong passwords even when you’re using 2FA. Additionally, when sharing passwords to your accounts, avoid using plaintext communications such as email or text messages. These can be easily intercepted, leaking your passwords.
Rather, a much safer method would be to utilize a password manager. Duckist, one of the best of its kind, lets you encrypt the password right on your browser before sending it. This ensures that only the intended recipient can see it. What’s more, after they view it, the message automatically self-destructs.
How secure is two-factor authentication?
2FA is, without a doubt, much safer than protecting your account using a password alone. However, it is not 100% secure, unlike most online things. If an attacker targets you specifically and they have enough time and resources, they could still breach your account.
For instance, they could install malware on your phone that copies the code from authentication apps like Google Authenticator. It would give them a few seconds to use the code before you key it yourself.
Alternatively, they could hack your mobile operator and convince them to transfer your mobile number to them. This way, when you're sent a verification code on SMS, it goes to them instead.
Another alternative would be a social engineering hack called phishing. Let's take Gmail's two-factor authentication, for instance. Here, the attacker would impersonate a Google employee, contact you and inform you that you're about to receive an SMS code. They would then attempt to log into your account, prompting the code sent to you. When you send the code to the hacker, they will gain access to your Gmail account.
Does two-factor authentication prevent hacking?
If you're an average joe, two-factor authentication could save you from hacking attempts. As we've established, the amount of effort and time that goes into breaching a 2FA-protected system is quite extreme. Therefore, hacking would only make sense if you were a billionaire, celebrity, or sparked the hacker's interest.
Which services should you protect first with 2FA?
We all value our privacy, as nobody takes kindly to the news of being hacked or monitored. Therefore, it is prudent to implement dual-factor authentication on all your online accounts, be they social media, your school portal or Social Security account.
Any service that requires highly sensitive personal information, such as bank details or Social Security numbers, should be secured using 2FA. These include banking apps and other transactional online accounts, such as trading accounts.
Examples of two-factor authentication
Two-factor authentication requires more than just something in your knowledge to access your accounts. Even if a system asks for your password, then proceeds to ask a security question, it is still considered single-factor authentication.
Here are the common factors required as the second authenticator in most 2FA systems:
When signing up for dual-factor authentication, you must submit and verify a trusted phone number. This number can then be used to send you a code every time you log in to your account. Once you enter your password, the code is sent to you via SMS. You can then enter the code to complete the login process.
Alternatively, you could verify an email address when signing up to 2FA. It works similarly to the SMS model, except the verification code is sent to you via email. This code can then be used to access your account after you’ve successfully keyed in the knowledge factor.
Several mobile apps can serve as the possession factor in 2FA. Let’s take the most commonly used one, Google Authenticator app, as an example.
Depending on the service you’re logging into, you’ll first be needed to key in your username and password. The next step will prompt you to key in a 6-digit code. Google Authenticator then generates a code that changes every 30 seconds. Entering this code will grant you access to your account.
Rather than send verification codes, other apps will prompt you to tap a key on your phone to allow access to your account. Typically, you’ll receive a notification of a log in attempt in progress, along with details such as the IP address and browser attempting access. You can then approve or deny access with a single tap.
Two-factor authentication has numerous benefits, the most important being added security to your password-protected accounts. However, even when you employ 2FA, you should always use strong passwords, as they can deter potential hackers. Whenever you need to send these passwords, consider using Duckist, the best password sharing tool in the market.