Wednesday What-Is - 03 - Two-Factor Authentication


Welcome back to the Wednesday What-Is, a (hopefully) once-weekly blog post where I break down cyber security concepts so that (hopefully) anyone can understand them.


This week's topic is two-factor authentication (2FA).

To start with, here's a quick dictionary definition:

Two-Factor Authentication
an authentication process that requires ... a user to prove their identity in two different ways before granting them access.
(Definition provided by Cloudflare)

Before continuing: authentication on its own is a way of verifying your identity with online services. It is how you confirm to these services that you are you, and that you are the one accessing your account on those services.

Now, you have likely come across one-factor authentication before (also known as single-factor authentication). The prime example of this is standard password authentication: you authenticate the email you are using with a password that you have chosen. The idea is that only you should know your password, therefore you are the one using your account when you authenticate with it.

The password is one factor of authentication, and when it is used on its own to verify identity, that's one-factor authentication.

Two-factor authentication is where an additional form of verification is used to prove that you are who you claim to be, on top of one other. Most often, this will be a password and then something else too.

Other factors used in authentication include phones, one-time passwords, and tokens. The most common type of two-factor authentication will require a phone (number).

In the case of a phone being used as another factor of authentication, once your password authentication is successful, the service will send a text or some other notification to your phone with a corresponding code, key or password. You then report the code back to the service to basically say 'yep this is me, I have the code you sent to my phone', and hey-presto, you're authenticated.
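The phone-code step described above, sketched from the service's side as an added example (not code from this blog or from any particular service). The class and function names, the 6-digit code, the 5-minute lifetime and the 3-guess limit are assumptions chosen for illustration, and actually sending the text message is left out.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 3        # assumption: at most 3 guesses per code


class SecondFactor:
    """Hypothetical service-side handling of a code sent to the user's phone."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Call only after the password check passed; returns the code to send."""
        code = f"{secrets.randbelow(10**6):06d}"  # unpredictable 6-digit code
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True only for the right code, in time, within the guess limit, once."""
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, already used, or locked out
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]  # expired codes are discarded
            return False
        entry[2] -= 1  # every guess costs an attempt
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]  # single use: a replayed code fails
            return True
        if entry[2] == 0:
            del self._pending[username]  # too many wrong guesses
        return False


def demo():
    """Constructed walk-through using a fake clock so expiry can be shown."""
    now = [0.0]
    svc = SecondFactor(clock=lambda: now[0])
    code = svc.issue("alice")
    wrong = f"{(int(code) + 1) % 10**6:06d}"
    out = {"wrong": svc.verify("alice", wrong), "right": svc.verify("alice", code)}
    out["replay"] = svc.verify("alice", code)
    late = svc.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired"] = svc.verify("alice", late)
    return out
```

The wrong code, the replayed code and the expired code are all rejected; only the correct code, entered in time, completes the login.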

The main idea behind this is that only you are likely to have access to your phone while logging in to something, so it stands to reason that the person inputting a code from your phone is probably going to be you! In a broader sense, two-factor (or multi-factor) authentication is about services needing more certain proof that you are who you say you are when logging in. If you can prove in more than one way that 'you' are actually you, then it is safer to assume that that is the case.

While tedious for some, it is designed with your security and safety in mind, and most importantly it makes it much more difficult for cyber criminals to get into your online accounts! To do that, they would now need access to all the factors you use to verify yourself, instead of just the one.

My advice would be to enable two-factor authentication wherever you possibly can. It may just keep your account safe!

Thanks for reading this week's Wednesday What-Is!

Wow, three weeks on the trot, glad to be here!
I am home from university this week to get some much-needed focus time at home for my studies, and I figured I might just as well use a little free time to blast out another post. I also finished a report today, go me! I wish any readers who are also thoroughly in the middle of any 'critical education periods' the best of luck with their studies.

- Ollie -
