By James Poole
Two-factor authentication (2FA) is used globally and in many different industries to improve security when accessing a variety of systems and services.
You may not always realise it, but 2FA is integrated into some of your daily activities such as paying for your shopping with a credit card and using a PIN code to authenticate the transaction, or even using an ID card to collect a parcel or gain entry to a building.
What is 2FA?
There are 3 main types of authentication:
- Something you have – a physical item you carry with you, such as a phone, card or fob
- Something you know – knowledge that only you have, such as a password, PIN or security question
- Something you are – your unique biometric information, such as fingerprints, retina, voice or face
Any combination of two of these 3 types of authentication can be regarded as 2FA. Whether you are accessing your social media or your bank account, if a form of 2FA is available it's highly advisable to take advantage of this additional security.
2FA significantly increases the difficulty for an attacker to compromise an account or system. Let's assume an attacker has managed to acquire your username and password (something you know). They would still require the additional authentication that you would physically have with you, whether it's a code from the app on your phone (something you have) or fingerprint ID (something you are). This additional security does not, though, come at the expense of user experience.
2FA has progressed significantly since its original implementations. Options such as battery-powered hard tokens displaying a unique code that changes every 30 or 60 seconds, and codes sent by SMS or automated phone call, have been superseded by many more user-friendly options.
Many systems, including Microsoft 365, take advantage of an authenticator app on a mobile phone. The app can display a one-time code, accessible either when the phone is unlocked or behind an additional PIN or password, and more advanced apps are now able to provide a "push to accept" feature.
When a user tries to access a system, they would normally be required to open the authenticator app on their phone, generate a one-time code, and then enter this code to authenticate. With push to accept, the user instead simply gets a notification message on their phone with the option to either permit or deny access to the system. This makes for a very simple and user-friendly experience.
2FA is a great way to add additional security to your accounts and systems; however, it is not a silver bullet. Hackers and malicious groups are increasingly taking the time to create convincingly accurate phishing pages and e-mails mimicking those of the systems they are trying to compromise. In combination with user security training and other security tools, such as e-mail anti-phishing and web security systems, 2FA can give you and your company the best chance of avoiding successful attacks.