This October is National Cyber Security Awareness Month (NCSAM).
So I thought I would write my inaugural Naked Security article on a topic near and dear to my heart: two-factor authentication.
What is two-factor authentication?
It is an authentication process where two of three recognized factors are used to identify a user:
- Something you know – usually a password, passcode, passphrase or PIN.
- Something you have – a cryptographic smartcard or token, a chip-enabled bank card or an RSA SecurID-style token with rotating digits.
- Something you are – fingerprints, iris patterns, voice prints, or similar.
Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website.
So if someone manages to get hold of your password (something you know), they still will not be able to access your account unless they can provide one of the other two factors (something you have or something you are).
For example, at Sophos we use secure tokens with rotating six-digit codes to remotely access internal systems. Every time I want to establish a VPN session, I need to provide my username, a password and the six-digit code appended to a PIN.
At home I use similar methods to access many online and personal resources. In the last year, many social media sites, including Facebook, Twitter and LinkedIn, have all added some sort of two-factor authentication.
Many of these sites employ SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).
The availability of mobile network service and the unreliable nature of SMS can make this difficult, however.
Some services allow you to use an authenticator app in addition to your password, which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.
Authenticator apps can be great for signing into sites like Google, Facebook and Twitter even when your phone does not have service (mobile or otherwise). As a matter of fact, I used this very method to log into WordPress in order to publish this article.
Google’s authenticator app can also be used to provide additional security with Secure Shell (SSH) connections.
Things can still go wrong though. There is Android malware in the wild that is specifically designed to steal your SMS verification codes in an attempt to thwart 2FA. This is one reason why a good Android security app, like Sophos Antivirus and Security, is a must.
So, should you use two-factor authentication?
In my opinion, the answer is an emphatic YES! Two-factor authentication is not a silver bullet but it does dramatically increase your security by making it much harder for your accounts to be compromised.
Unfortunately, two-factor authentication is not available everywhere but it is used by many of the most popular sites and services on the internet. Hopefully the ease of use and increased security provided by two-factor authentication will compel the rest to follow suit.
If you’d like to learn more about two-factor authentication, have a listen to this short podcast which explains two-factor authentication in more detail:
(15 April 2013, duration 16’25”, size 9.9MBytes)
And if you’re interested in reading other stories related to National Cyber Security Awareness Month, read the 3 essential security tasks you can do for your family today, 10 tips for securing your smartphone and our 10 topical security tales.