What is two-factor verification?

Passwords aren't secure; it's time to add multi-factor verification


Thanks to the rise of sophisticated hacking, clandestine malware, and clever social engineering techniques, simple username and password protection is no longer enough to keep your online accounts safe from saboteurs and cyber thieves.

If someone with less than noble intentions gets hold of your username and password, they can easily access any account you use with those credentials, potentially accessing sensitive business data or running up massive bills with compromised online shopping accounts.

To combat this, you need to add an extra step to the security chain. Enter two-factor authentication.

Also known as multi-factor authentication or two-step verification, two-factor authentication is a fairly straightforward process: your identity is confirmed in two separate ways before access to an account or service is granted.

Broadly speaking, authentication factors fall into three categories: knowledge factors, which involve something a person knows, such as a password; possession factors, which are tied to something a person has, like a security token or ID card; and inherence factors, where authentication is matched to something a person is, such as a fingerprint or other biometric.

Two- or multi-factor authentication combines two or more of these categories, which verifies a person more reliably than a password alone can.

In all cases, two-factor authentication involves a secondary device, be it a dedicated hardware security token or software on a smartphone, to provide legitimate users with information only they would be expected to have access to.

Two-factor authentication can be used to secure a range of services, from access to Google and Microsoft Office accounts, to confirming online purchases, accessing content management systems and verifying mobile phone accounts.

When logging into a service or web portal protected by two-factor authentication, users are first prompted for their username and password. Once they submit those, a secondary process kicks off, handled either by the service itself or by a third-party tool such as Google Authenticator or Duo Security.

This step prompts the user to enter a piece of information or carry out an action on a device: a unique PIN, a one-time number generated by a security app (as found in many mobile banking apps), or a tap on an approval button in a software tool linked to the account.

Such authentication comes in a myriad of options, ranging from basic codes being sent by SMS to mobile phones, through to dedicated hardware security tokens that generate a random number that needs to be typed into an authentication box during a login process; the latter is commonly found in online banking and payment authorisation.

Once that unique number is entered or another interaction is performed, then you're granted access to your account, with the extra layer of authentication hopefully weeding out any attempts at illegitimate access.

However, it is worth noting that multi-factor authentication is not 100% secure.

Authentication via text message is vulnerable to interception and spoofing by hackers, particularly if they can hijack the mobile account behind a person's phone number.

Various account-recovery processes for lost passwords can be harnessed by hackers to work around two-factor authentication as well.

And sophisticated malware that has infected computers and mobile devices can redirect authentication messages and prompts to a device belonging to a hacker, rather than the legitimate account holder, thereby working within but also around two-factor authentication.

The most secure methods of two-factor authentication use dedicated hardware tokens, which are difficult for hackers to spoof unless they steal one directly from someone. On the flip side, two-factor authentication reliant on SMS is probably best avoided if you are running an enterprise with a treasure trove of data.

While two-factor authentication may not be quite the security silver bullet it was once expected to be, it is still an important area of security and access control to keep in mind when procuring and setting up services for your business or personal life, because the more hurdles you put in the hackers' way, the less likely they are to target you.