All you need to know about two-factor authentication. Even its weak spots

Wed Jul 31 2019 - 5 min read

Looking for ways to protect your online accounts? Aside from using a strong password, HTTPS connections, and end-to-end encryption, you should also embrace two-factor authentication (2FA).

Two-factor authentication was introduced by AT&T in 1998. The company patented an “automated method for alerting a customer than a transaction is being initiated and for authorizing the transaction based on a confirmation/approval by the customer thereto.”

If you are new to these terms, continue reading as with this article we will cover the essential information, including the weak spots.

What do 2FA and MFA mean?

Two-factor authentication (2FA) is verification process where you need to take two steps to access sensitive information. Multi-factor authentication (MFA) is a more complex process that uses more than two factors to verify the authenticity of a login.

Nowadays, 2FA is more common and recommended for all online accounts to cut the risk of unauthorized access. There is even a dedicated website that lists all services that use 2FA and provides detailed information on available authentication methods.

What is a factor?

A factor is simply a type of authentication, and below, we listed the most common ones.

Something you know

It is the most common authentication factor that we use daily. It requires you to enter credentials to access your account, and the best example of this factor would be the username and password.

Something you have

This factor requires you to provide an email account, phone, or another way to send a verification code. Some of the most common authentication forms are:

  • SMS code. It’s a unique, one-time code consisting of six numbers that get texted to your phone.

  • Authentication applications. This works very similarly to the SMS code. The app generates a one-time code consisting of six digits, but instead of sending a text message, you get this code from the app. You can use one of the many authentication apps such as Google authenticator that are available to download on your phone.

  • A hardware token. It’s a device, such as YubiKey, that generates an encrypted one-time passcode. Usually, it comes as a string of six numbers that you use the same way as a text message or numeric code generated via authentication apps. The added benefit of the hardware token is that it comes as a separate device you carry along with you.

Something you are

It uses your biometrics such as fingerprint, voice recognition, or retina scans for login verification. It's difficult to replicate and bypass this factor as it's based on unique biological identifiers. And this is one of the key reasons why biometrics are growing popularity as an authentication factor.

Somewhere you have

This factor is related to your location and usually detected based on your Internet Protocol (IP) address. Some companies collect your geolocation information and flag any attempts to log in from random locations. For example, you live in the US, but someone has tried to log in to your account from China. In this case, the service will notify you about the login attempt and may ask to verify a new location. This authentication factor helps to identify unauthorized access in early stages.

Why should you use two-factor authentication?

The core reason for using 2FA or MFA is the added layer of security. It doesn’t mean that by adding 2FA to your account, you reduce all the risks for hacking it. However, it becomes less of a target for hackers.

That’s because a hacker would need to disable not only your password but your 2FA as well. They would need to use a phishing attack, malware, or try to activate your account recovery. Next, they would need to reset your password, and only then they could try to disable your 2FA. And that's extra work that they are generally not keen to do for individual accounts.

Is 2FA as secure as it seems?

Despite the best intentions to protect online accounts, hackers are getting more creative and looking for new ways to bypass the 2FA. And all the methods are safe until the first successful attempt. SMS-based authentication is the first one to be known vulnerable. This is why back in 2016, the National Institute of Standards and Technology (NIST) now part of the US Department of Commerce, banned SMS for 2FA. The rise of abuses like SMS phishing (or smishing) and phone porting, which cause victims to lose control over their phone numbers, are primarily to blame. However, it’s still more secure than not to use it at all. And if there are no other alternatives, it’s best to enable it.

How can you improve your online account security?

  • Passwords are your front line for online account security. They are your font line for online account security. So do all you can to make them strong. Check your password strength and make sure they haven’t been exposed before. If needed, replace them with secure passwords that you can generate with our online password generator.

  • Make sure you store your passwords securely. Sticky notes or Excel files on your computer are not the methods we recommend for password safekeeping.

  • Enable 2FA on all your online accounts that support it. Usually, you need to go to the account settings and look for any 2FA options under Security.

  • And stay vigilant. Hackers continuously explore and employ new hacking tactics that are much more sophisticated than ever before.

Benjamin Scott
Verified author
Ben is our tech geek. He analyses difficult topics and brings them to the reader in a nice and simple language. In his free time, he loves to compete, so he likes to participate in various marathons and triathlons.
Subscribe to NordPass news