2FA–When a Password Is Not Enough

Two-factor authentication, also known as 2FA or TFA, is becoming an attractive and more widely available alternative to relying on a user name and password combination as your only online security. Here's why.

Typical security systems rely on some subset of the authentication triad: something you know, something you have, or something you are. Simple security methods rely on just one of the three. This is the problem with single-factor security: an attacker needs to acquire only that one piece of information or that one device, and they are in. Two-factor authentication requires that a person possess two of the three, which makes it much harder for an intruder to obtain both.

Passwords or pass phrases fall under the "something you know" category. So does the answer to your "secret question," or the combination to a lock or a safe.

A good example of "something you have" would be a house key. On the network, this might be an RSA key (a hardware token), or an access code text-messaged to your cell phone.

"Something you are" usually involves some sort of biometrics: a fingerprint, a retinal scan, an iris pattern, or facial recognition.

The problem with using passwords only is that they are easily compromised through direct observation (shoulder-surfing or key logging), through deception (phishing or social engineering), or through automated password cracking. In many cases the stored hash of a password with fewer than 10 characters can be broken by password-cracking software in less than a day. Longer passwords make this less of an issue. The other problem is the human propensity to reuse the same password on multiple sites. If your password is cracked once, it is cracked everywhere.

An example of two-factor authentication would be a home that has deadbolt locks (something I have: a key) and a security system (something I know: the security code). Typical network or online 2FA options usually require a password plus a security code provided by a secure token or sent by text message.

A number of online service providers offer 2FA, among them the social networks Facebook, LinkedIn, and Twitter, and the email providers Gmail and Outlook.com. If you use these online services, you might want to set up the 2FA features that are available. If you do your banking or other financial services online, ask them whether they can provide 2FA.

I suppose if the security situation continues in its current direction, we will soon be writing about the advantages of three-factor authentication!

To read more on this subject, you might want to check out this article on Sophos.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com