2 Factor Authentication
An extra layer of Security
In today's world of increasing digital crime and internet fraud, many people are highly familiar with the importance of online security, logins, usernames and passwords. But if you ask them the question "What is 2 Factor Authentication?", the likelihood is they will not know what it is or how it works, even though they may use it every single day.
With standard security procedures (especially online) only requiring a simple username and password it has become increasingly easy for criminals to gain access to a user's private data such as personal and financial details and then use that information to commit fraudulent acts, generally of a financial nature.
How does it work?
2 Factor Authentication, also known as 2FA, TFA or two step verification, is a form of "multi factor authentication": an extra layer of security that requires not only a username and password but also something that only that user has on them, i.e. a piece of information only they should know or an item they have immediately to hand, such as a physical token.
Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person's personal data or identity.
Historically, 2 factor authentication is not a new concept, but its use has become far more prevalent with the digital age we now live in. As recently as February 2011 Google announced two factor authentication online for their users, followed by MSN and Yahoo.
Many people probably do not know this type of security process is called 2 Factor Authentication and likely do not even think about it when using hardware tokens issued by their bank, together with their card and a Personal Identification Number, to complete Internet Banking transactions. Put simply, they are utilising the benefits of this type of multi factor authentication. They are using "what they have" AND "what they know".
Using a 2 Factor Authentication process can help to lower the number of cases of identity theft on the Internet, as well as phishing via email, because the criminal would need more than just your name and password details to hack into your account.
Many sites are using 2 factor authentication by utilising mobile phone SMS technology. Turning a phone into an authentication device quickly satisfies the need for "something that the user possesses", as illustrated in the above graphic.
Mobile phone 2-factor authentication
This approach uses mobile devices such as mobile phones and smartphones to serve as "something that the user possesses". A one time code can be sent to their mobile device by SMS or via a special app called an authenticator. The advantage of this method is that there is no need for an additional, dedicated token, as users tend to carry their mobile devices around at all times anyway. Some professional 2 factor authentication solutions also ensure that there is always a valid passcode available for users. If the user has already used a sequence of digits (passcode), this is automatically deleted and the system sends a new code to the mobile device. And if the new code is not entered within a specified time limit, the system automatically replaces it. This ensures that no old, already used codes are left on mobile devices. For added security, it is possible to specify how many incorrect entries are permitted before the system blocks access.
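The passcode handling described above (used codes replaced, unused codes replaced after a time limit, a cap on incorrect entries), as an added example that is not part of the original article. The class name, the 5-minute time limit and the limit of 3 incorrect entries are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed time limit; the article gives no value
MAX_ATTEMPTS = 3         # assumed number of permitted incorrect entries


class PasscodeService:
    """Issues one-time passcodes: single use, expiring, with lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # user -> (code, expires_at)
        self._failures = {}  # user -> incorrect entries since last success

    def issue(self, user):
        """Create a fresh 6-digit code, replacing any earlier one."""
        old = self._pending.get(user, (None, 0.0))[0]
        code = old
        while code == old:   # never hand back the code being replaced
            code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._clock() + CODE_TTL_SECONDS)
        return code  # a real system passes this to the SMS gateway

    def verify(self, user, entered):
        """Return 'ok', 'wrong', 'expired' or 'locked'."""
        if self._failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"  # stays blocked until reset out of band
        code, expires_at = self._pending.get(user, (None, 0.0))
        if code is None or self._clock() >= expires_at:
            self.issue(user)   # an unused code past its limit is replaced
            return "expired"
        if hmac.compare_digest(code.encode(), entered.encode()):
            self._failures[user] = 0
            self.issue(user)   # a used code is deleted and replaced
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_ATTEMPTS:
            self._pending.pop(user, None)
            return "locked"
        return "wrong"
```

Codes come from `secrets` rather than `random`, and the comparison is constant-time so response timing does not reveal how many digits matched.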
Advantages of mobile phone 2 factor authentication:
- No additional tokens are necessary because it uses mobile devices that are (usually) carried all the time.
- As they are constantly changed, dynamically generated passcodes are safer to use than fixed (static) log-in information.
- Depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available; acute transmission/reception problems do not therefore prevent logins.
- The option to specify a maximum permitted number of incorrect entries reduces the risk of attacks by unauthorized persons.
- It is easy to configure; user friendly.
Disadvantages of mobile phone 2 factor authentication:
- The mobile phone must be carried by the user, charged, and kept in range of a cellular network whenever authentication might be necessary. If the phone is unable to display messages, access is often impossible without backup plans.
- The user must share their personal mobile number with the provider, reducing personal privacy and potentially allowing spam.
- Text messages to mobile phones using SMS are insecure and can be intercepted. The token can thus be stolen and used by third parties.
- Text messages may not be delivered instantly, adding additional delays to the authentication process.
- Account recovery typically bypasses mobile phone two-factor authentication.
- Modern smart phones are used both for browsing email and for receiving SMS. Email is usually logged in at all times. So if the phone is lost or stolen, all accounts for which the email is the key can be hacked, as the phone can receive the second factor. In effect, smart phones combine the two factors into one factor.
- Mobile phones can be stolen, potentially allowing the thief to gain access to the user's accounts.
- Malware can steal credentials from the phone.
What websites support two factor Authentication?
There is a website, twofactorauth.org, that has a comprehensive list of sites that support two factor authentication. I have loaded their site in an iFrame for convenience in looking up sites that you may use. You can visit their site by clicking on the button below the following iFrame.
A special thanks to Josh Davis for letting me Embed his site and have access to his code.
Conclusion: Use a Password Manager and Turn On 2 Factor When Possible
In this day and age there is no reason for anyone not to take password management seriously. We all have passwords to email accounts, bank accounts, and utilities, not to mention social media accounts. If you follow safe password practices, it would be impossible to keep track of all the passwords and accounts that you have. Using a password manager takes the stress out of passwords and lets you keep yourself protected. Once you get a password manager in place and change all your passwords to be unique and strong, the next step is to get 2 factor authentication set up on all your accounts that have it as an option. It adds one more layer of security to make sure you will not be the reason that a hacker gets into a system or account.
I have not talked much about running an authenticator app on your phone. This will allow you to have time sensitive one time passwords available in the app to access your accounts. This is the option I use with my social media and mail accounts. I only use the SMS as a back up. I have not had any problems as I implemented the password rules and 2 Factor implementation on my accounts. The only time it ever feels taxing is when you need to log in from a computer that does not have my 1Password password manager set up, but I can count the times that this has happened on one hand. Even in that situation all I needed to do was look up the password I needed on my iPhone in the 1Password app.
It will take you a few hours to set up your password management app and get all your passwords changed to strong unique passwords, but once you have that in place you will rest much better knowing that your data and identity are safe in all ways you have control of.