2 Factor Authentication

Keeping on the same train of thought as our last blog post about password policies, today we will be talking about two-factor authentication (2FA): what it is and why it is important.

The short version: two-factor authentication is the use of a second, independent method of authentication as an added layer of security when accessing sensitive information. Over the past decade the use of, and reliance on, 2FA has increased dramatically as cyber-attacks have become more complex and harder to protect against. Two-factor authentication is an easy and effective way to stop an attacker who has obtained nothing more than your password.

But what exactly is two-factor authentication and how does it work?

Two-factor authentication is when a piece of software or a service requires two separate forms of authentication before allowing access to sensitive information. The two factors are normally drawn from different categories: something you know (a password or PIN), something you have (a phone, hardware token or smart card) and something you are (a fingerprint or face). Any combination works, as long as each factor is itself secure and neither one can be used to obtain or control the other.

For example, when accessing your Office 365 account it would require your password (something you know, held in your memory or in a password manager on your computer) as well as a one-time code from an authenticator app on your phone (something you have).

This means that if an attacker wants to access your account they would need both your phone and your password. There are lots of different versions of this concept, but they all revolve around the same principle: two isolated forms of authentication. The isolation is important because if one of the authentication methods can control the other, it is no better than having a single authentication method. Consider the above example:

If the mobile phone also had the user's Office 365 password stored on it, then the entire system becomes insecure. If that mobile phone is stolen the attacker now has access to the password and the secondary authentication method. The same applies if the authenticator app and a password manager both sit on the same unlocked phone, or if the phone alone can be used to reset the password. This is why it is so important to keep your two-factor authentication methods separate.
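As an added worked example (this is not code from the original post): the six-digit codes an authenticator app produces are usually TOTP codes, defined in RFC 6238 on top of HOTP from RFC 4226. The phone and the server share one secret; the phone computes an HMAC over the current 30-second time step, and the server recomputes it and compares. That is what makes the phone an independent factor: knowing the password tells you nothing about the secret, and the code never travels over a network until you type it in. The function names (`hotp`, `totp`, `new_secret`, `TotpVerifier`) and the demo secret are my own choices; the secret is the published RFC 4226/6238 test key, not a real user's key.

```python
"""Added worked example (not from the original post): how a TOTP authenticator
code is derived (RFC 4226 HOTP + RFC 6238 TOTP) and how a server verifies it."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo secret: the RFC 4226/6238 SHA-1 test key, NOT a real user's key.
# A real deployment generates one per user with new_secret() below and shares it
# with the phone once (usually as a QR code); it then lives only in those two places.
DEMO_SECRET = b"12345678901234567890"


def new_secret(nbytes=20):
    """Fresh random shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the
    Unix epoch. This is what the app on the phone computes; it needs no network."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side. Holds the same shared secret plus the last counter it accepted,
    so a code that has already been used cannot be replayed within its window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.last_counter = -1    # highest counter value already consumed

    def verify(self, code, at=None):
        # Reject anything that is not exactly `digits` ASCII digits before comparing.
        if not (isinstance(code, str) and code.isascii()
                and code.isdigit() and len(code) == self.digits):
            return False
        if at is None:
            at = int(time.time())
        now = at // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue  # already used, or older than a code already used
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Phone side computes the code for "now"; server side accepts it once only.
    now = int(time.time())
    code = totp(DEMO_SECRET, at=now)
    server = TotpVerifier(DEMO_SECRET)
    print("code:", code,
          "first use:", server.verify(code, at=now),
          "replay:", server.verify(code, at=now))
```

Two design points matter in practice. First, the `window` of one step on either side tolerates a phone clock that is a little off, but every extra step of tolerance also gives an attacker who guesses codes another 10^6 chance per step, so keep it small and rate-limit attempts. Second, `last_counter` is what stops a code that was shoulder-surfed or phished a minute ago from being reused; without it, a valid code is good for the whole window, not for one login.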


But why does it matter?

Well over the past decade or so technology has advanced at an incredible rate. What was once secure is now considered ‘child’s play’ to compromise in the modern age of technology.

Take the example of an 8-character password that meets Microsoft's complexity requirements (upper case, lower case and a digit):

Passw0rd

By the estimate used in this post, an exhaustive brute-force search at today's speeds would find it in 36.99 minutes if no retry lockout policy were in place. In practice it would fall far sooner, because Passw0rd appears in every common password wordlist and a dictionary attack tries those guesses first.
That isn't very long for a dedicated attacker, but with two-factor authentication it wouldn't matter: the password alone is no longer enough, because the attacker still doesn't have the second factor. (The bar is raised, not removed: a code sent by SMS is weaker than one from an authenticator app, and any one-time code can still be captured if you type it into an attacker's fake login page, so the strength of the second factor matters too.)


When should you be using two-factor authentication?

The short answer is anywhere that holds data you want to protect. The downside of two-factor is that it adds a few seconds to every login, so for a service holding information you would be willing to lose you could choose not to use it. However, given how effective 2FA is at protecting your information, the benefits outweigh the inconvenience and you should turn it on wherever it is offered.



In summary, two-factor authentication is the use of two separate, independent authentication methods to protect access to a secure service or piece of software. It adds an external layer that an attacker would also have to compromise to steal your data, so a stolen or cracked password on its own is no longer enough. Keep the two factors isolated from each other, and use two-factor authentication wherever you can on anything that stores information you want to protect.