The Importance of Two-Factor Authentication (2FA)

With security breaches, digital crime and internet fraud continuously on the rise, the importance of safeguarding your information has never been greater. 

Many breaches are password related, and it’s not just major-brand companies or celebrities that are targeted. Hackers don’t discriminate.

81% of security breaches are due to weak or stolen passwords. (LastPass)

What is two-factor authentication?

In a 2019 survey by Cygenta of 1,000 people in the UK, 62% didn’t know what two-factor authentication was.

Two-factor authentication (2FA) is an extra layer of security added to your log-in process, such as a code sent to your phone or a fingerprint scan, which verifies your identity and helps to prevent cyber-criminals from accessing your private information so easily. 2FA increases the difficulty for cyber thieves, because they need more than just your username and password credentials.

2FA is a subset of multi-factor authentication (MFA), an electronic authentication method that requires you to prove your identity in multiple ways before you are given access to an account.

Two-factor authentication is so named because it requires a combination of two factors, whereas multi-factor authentication can require more.

Two-factor authentication requires that extra step. Without 2FA, you usually just enter your username and password to access an account, but two-factor authentication requires both something you know (your log-in details) and something you have (e.g. your phone). For example, if you use a phone as your 2FA, once you enter your password you’ll get a second code that is sent to your phone, and only after you’ve entered the code from your phone will you get access to your account.

This code is known as an authenticator, a passcode or verification code. Without the code you can’t log on, even if you know the correct password.

2FA – You’re using it already

Using a bank card at an ATM requires 2FA – something you know (your passcode) and something you have (your bank card).

Why do you need 2FA?

With hackers’ advanced techniques and users’ lack of originality when creating passwords, passwords alone are generally quite weak.

Cyber criminals have turned to automated processes that can go through thousands of password combinations in minutes, so they don’t have to work through a monotonous guessing process themselves; they can sleep easily whilst the procedure is done for them.

So whilst the criminals are finding easier ways to hack, you need to use harder methods to prevent a successful attack. 2FA may seem like an added hassle, but without it you could be leaving yourself vulnerable.

If you add something you have to the access process for your bank account, a cyber-criminal who knows your password won’t get any further without also having, for example, your phone when it receives the verification code.

Adding the extra security step means cyber criminals will struggle to access your account and will move on to the next, easier target.

How 2FA works

The factors of two-factor authentication are generally separated into three categories:

  • Knowledge: These factors require you to know something, like a security question, a PIN or a specific keystroke.
  • Possession: Something you physically possess, like a bank card that you need to insert into a device to gain entry.
  • Biology: Part of you to prove your identity, like a fingerprint or voice recognition.

What are the different types of 2FA?

There are several types of 2FA available, all of them sitting within the categories listed above, e.g.:

  • Hardware tokens: You need to have a physical type of token, e.g. a USB device, to insert in your device before logging on. Some hardware tokens display a digital code that changes (e.g. RSA), and you must enter this code.
  • Software tokens: Apps that you download. A site that features this type of 2FA sends a code to the app for you to enter to log in.
  • SMS: Here you receive a text message to your phone with a code to enter for access.
  • Push notifications: Another type of app authentication you download to your phone. When you enter your login details, a push notification is sent. A message appears on your phone asking you to confirm your login attempt.
  • Biometrics: This is verification by using something physical about yourself. The most common method is by using a fingerprint scanner.
  • Location: A method used by Facebook. If an attempt to log in to an account is made from an unknown or non-regular location, it triggers an alert notifying you that an attempt was made on a new device or from a new location, and you will normally receive a code to verify your identity if it is you.
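
Many authenticator apps and code-displaying tokens produce their changing code with the time-based one-time password algorithm (TOTP, RFC 6238). The following is an added example, not code from the original article: it shows a server checking "something you know" and then "something you have", with a small allowance for clock drift and a rejection of reused codes. The `Account` class, its field names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // step, digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """One user's two factors as a server would hold them (constructed data)."""
    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.password_hash = hash_password(password, salt)
        self.token_secret = token_secret
        self.last_step = -1  # newest time step whose code was already accepted

    def check_code(self, code: str, now: float, drift: int = 1) -> bool:
        current = int(now) // 30
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step:
                continue  # a used (or older) code must not work twice
            expected = hotp(self.token_secret, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def login(self, password: str, code: str, now: float) -> bool:
        supplied = hash_password(password, self.salt)
        if not hmac.compare_digest(supplied, self.password_hash):
            return False  # wrong "something you know"
        return self.check_code(code, now)  # then "something you have"
```

The correct password alone never reaches a successful login here, and a code that has been accepted once is refused if it is presented again.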

Does everyone offer 2FA?

Not all sites use two-factor authentication, but some give you the option to activate it for your account. Some popular websites that offer 2FA include: Amazon, Facebook, LastPass, LinkedIn, PayPal and Yahoo. But there are many more.

Is 2FA 100% secure?

Sadly, no. No security measure is 100% guaranteed. It is a hacker’s ambition to beat the security measures in place to prevent them getting in, and they rise to the challenge until they win.

There are also concerns that users of 2FA can be complacent, thinking that using 2FA means their password doesn’t need to be as complex. This is not the case: the more difficult the password is to crack, the stronger the security.

The other concern is that the most common 2FA method, SMS authentication, is less secure than using an authentication app.

But it is still important to remember that 2FA is an added step of inconvenience for the hacker.

Is 2FA a pain to use?

Although many may regard 2FA as an added hassle, as technology improves, so 2FA becomes quicker and easier to implement. Verification codes generally take seconds to generate and deliver.

Protect Yourself – 2FA is important

90% of passwords can be cracked in less than six hours.

Despite no 100% guarantee, 2FA still makes it harder for identity theft and phishing via email to happen to you; cyber criminals need to gain more information than just your username and password. Use 2FA and let the hackers pass you over for the more convenient, lower-hanging fruit with the ‘123456’ / ‘password’ passwords!

Offering several types of security test, we can help you check how secure your web, network and IT infrastructure is, and even run a campaign to check on employee / colleague cyber security awareness with a bespoke phishing test.
