The Internet has always been a place where you have to be careful about how and with whom you share your personal information. But as we live more of our lives online and more of the services we depend on are web-based, the need to stay safe with our critical personal data has increased dramatically.
It may be tempting to think that increasing the strength of our passwords would be a sufficient shield against online abuse, but data breaches leak millions of passwords each month. At this point, it's safe to assume that at least one of your online accounts has been compromised.
As passwords are how websites verify your identity and passwords are becoming increasingly unreliable, online services are starting to offer another layer of security for accessing your accounts: multi-factor authentication.
What is multi-factor authentication?
Multi-factor authentication is when a service requires more than one proof of identity before granting access. It's like withdrawing money with your debit card. Having the card is not enough; you must also know a four-digit personal identification number to access your cash. This extra layer of authentication prevents a pickpocket from emptying your bank account after snatching your wallet.
Likewise, using multi-factor authentication (most websites use two-factor authentication) on your Apple account will prevent password thieves from getting into your iCloud account.
Multi-factor authentication is a common method of preventing fraud in the real world and often involves presenting multiple forms of identity. If you applied for a passport, you were required to provide documents confirming that you are who you claim to be. Many credit card purchases require you to show an ID that matches the name on the card. In past years (before the PIN system was introduced), businesses checked whether the signature on your card matched the one you put on the receipt. In the digital world, it is just as important to make sure no one takes your identity, but the methods used to achieve this are a little different.
How does digital two-factor authentication work?
Digital 2FA operates on the same principles that apply in the real world, using the same categories of authentication factor. In general, MFA combines factors drawn from the following categories: something you are, something you know, or something you have. Verifying these factors acts as your digital security key, preventing unauthorized access to your accounts.
Something you are
It is becoming common for services (and devices) to use biometric information to authenticate a user. Most Android and iOS phones come with fingerprint readers, and app developers were quick to take advantage of this to strengthen account security. Facial recognition is also becoming more and more popular (especially on iPhones). For the highest-security systems, governments and industry use retina scans as the ultimate in biometric security.
Something you know
Knowledge factors are one of the first authentication factors most internet users encounter when setting themselves up online. You probably have several passwords floating around in your head for different websites. Likewise, when you signed up for these websites, you probably had to choose and answer security questions such as which street you grew up on, the name of your first pet, or the city your parents met in.
Something you have
Many physical and digital authentication systems rely on a physical object, a possession factor, to provide security. Knowing your social security number and vital details is not enough when obtaining a passport; you must have the physical documents. Many businesses give their employees USB key fobs to provide a higher level of security.
What does 2FA look like?
Early applications of MFA combined a knowledge factor with a possession factor. If you wanted to work remotely in the 1990s or early 2000s, then in addition to your login credentials you would also need purpose-built hardware called a security token (usually a key fob such as RSA SecurID). These devices generated a verification code called a one-time password that would allow you to access your account.
One-time passwords
One-time passwords are the most common type of two-factor authentication consumers use. The OTPs most of us encounter in our daily lives are no longer produced by key fobs. Instead, they are generated by Amazon, eBay or PayPal and sent to our devices via SMS or email; the phone or email account acts as the possession factor instead of a dedicated security token.
One problem with SMS- and email-based authentication is that both are vulnerable to attackers. An attacker can take over your phone number, and with it your SMS messages, by convincing your carrier to move your number to their SIM card. Likewise, if your email account has been compromised through keylogging or phishing, an attacker can read every OTP sent to your Gmail.
To avoid this risk, more people are turning to app-based authentication. When your bank or Amazon generates an OTP, it cryptographically combines a secret seed value (tied only to your account) with the current time. Apps such as Authy, Duo and Google Authenticator receive that seed value from your web service provider and use the same algorithm to generate the matching OTP on your device. As long as you have your device, no one can intercept your OTP. Check out our picks for some of the best 2FA apps.
Push notifications
One-time passwords are the biggest fish in the pond when it comes to consumer MFA, but there are other options. Over the past five years, Google and Apple have offered push notifications to mobile devices, which eliminates the need for third-party apps and text messages. You do need a smartphone with an internet connection, however, so freaks who cling to their flip phones won't be able to take advantage of this form of 2FA.
Hardware tokens
Many organizations and governments use hardware tokens in their MFA implementations to avoid the security weaknesses of the methods above. Tokens take many forms, but each carries a cryptographically unique identifier that can be authenticated no matter which service is being accessed.
You probably already have a hardware token in your wallet in the form of a smart debit card. Smart cards can be a good choice as tokens because they are inexpensive to make and easy to carry. The downside is that they traditionally require a dedicated reader to access their built-in functionality, although contactless smart cards alleviate this problem.
Most consumer-grade hardware tokens take the form of a USB key that plugs into your computer or mobile phone. These tokens (YubiKey has been the most popular lately) are easy to buy from Amazon or directly from the manufacturer, and they work everywhere from Amazon and GitHub to Microsoft and YouTube.
The future of hardware tokens is likely wireless. The industry group FIDO, which sets open standards for internet authentication, is pushing to use your phone as the second factor in a two-step verification process. Instead of receiving a code via SMS, a cryptographic key is stored on your phone, which then authenticates over Bluetooth.
There’s no easy answer to online security
Before the rise of e-commerce, having an online account hacked wasn't all that serious. Today, that's a different story. If you use the same username and password for every site, a single data breach at a forum you joined 10 years ago is enough to expose you to identity theft.
Password breaches are inevitable, and how you protect yourself is a personal decision. Whether you choose a password manager, SMS-based two-step verification, or a USB security token, it's always better to go about your business as if someone is trying to steal your data.
The best answer is the one that is most user-friendly for you and fits your online lifestyle. If your livelihood is tied to your YouTube or Twitch channel, it's probably a good idea to invest in a hardware token rather than relying on standard OTP-based 2FA to lock down your accounts. On the other hand, if you don't buy anything online and the most sensitive pieces of information you have online are the posts you like on Instagram, you're probably fine without 2FA for now.