Regular readers will know that we like it when online services announce that they’re going to offer two-factor authentication, also known as 2FA.
Two-factor authentication is also known as two-step security, two-step verification, and other phrases with “two” in them.
2FA can take many forms; these illustrative examples come from the financial services sector:
- When you draw money from an ATM, you typically have to present a physical card, and then type in a PIN. Neither is enough on its own.
- When you pay a bill online, you may need to type a password into your web browser, and then reply to a special message sent to your mobile phone. Neither is enough on its own.
The idea is that a crook has to crack two different security problems to hack a single account.
Even more importantly, in the case of online 2FA (like our bill payment example), the data used in the second authentication factor changes regularly, so today’s login messages won’t work tomorrow.
If there’s a login code generated by a special app on your phone, for example, the code will probably change every 30 or 60 seconds.
If it’s an SMS with a secret string of digits in it, every SMS will be different, and so on.
Convenience versus security
Yes, 2FA is a bit less convenient than just having a single login factor, such as a password that rarely changes.
But 2FA with one-time login codes is much less convenient for the crooks – often very much less convenient.
A crook not only has to crack two security problems, but also has to keep cracking at least one of them over and over again, every time you log in.
Some examples of online services that have already crossed the bridge of 2FA support are:
The latest biggie to show signs of joining the 2FA club is Sony's PlayStation Network (PSN), although the go-live date is still a mystery.
Polygon quotes a Sony spokesperson as saying:
We are preparing to offer a 2-step verification feature… More details will be shared at a later date.
Evidence that preparation is well under way is a visual clue from the latest firmware upgrade to the PS3, tweeted by a Finnish fan called Tuomas Tonteri:
Tonteri inadvertently provided another good security reminder (handy for selfie-loving celebrities as well as the rest of us) about being careful about what you post:
I’m quite glad that the #PSN 2-step verification photo I took doesn’t show my reflection from TV. I was still in my underwear… True story.
As we’ve said before in respect of personally identifiable information: if in doubt, don’t give it out.
And as we’ve said about 2FA: if you can turn it on for the services you use, why not?