Two-factor authentication (or 2FA, as they say) may sound like yet another wonky thing that you’re supposed to care about, but who knows what it even means, or even why it is important… Ok, so plenty of you do know the answer to that (and its usage is increasing). But a lot of people are simply not there yet. And we all need to get there.
So here we go – let’s break it down.
First, let’s talk about logins and exactly what happens when you log into a system… There are actually two things that are happening:
- The first is that you are identifying yourself – that’s your username.
- The second part is you are providing authentication – the actual proof that you are who you just identified yourself as.
Authentication is traditionally accomplished through a password (something only you should know). But, here’s the problem with that: passwords can be stolen. And from what we know about identity theft and phishing attacks, passwords are stolen—a lot! 2FA is simply providing another “factor” — another step; another method — to authenticate your identity when you log in. Having that second factor makes it considerably more difficult for a bad actor to break into your accounts.
But what’s a factor?
Factors are:
- Something you know (a password)
- Something you have (a one-time token)
- Something you are/unique to you (a fingerprint or other biometric method)
Most likely you are already using a single factor (a password) for authentication – every day, in many ways. The second factor takes that one step further by requiring a completely separate data point that is NOT recorded or cached. That something you have might be a one-time token generated on your phone, or a passcode delivered to your phone via text message. When you are using two-factor authentication, a bad actor not only needs to steal your password, they probably need to have your phone too! A bad actor can steal your password from anywhere in the world over the internet, but getting at your phone? That’s a lot harder. And that’s why 2FA has such a huge benefit.
Case in point: the stats on phishing attacks are eye-popping!
- Phishing accounts for 90% of data breaches
- “Business Email Scams” accounted for over $12 billion in losses
- 76% of businesses reported being a victim of a phishing attack in the last year
- 30% of phishing messages get opened by targeted users
- 12% of those who opened phishing emails later opened the infected links or attachments.
Without 2FA you are one phishing attack away from some bad actor wreaking havoc on your accounts—fraud, destruction of data, identity theft, data ransom – you name it.
As an Information Security Professional, I sleep at night when my accounts (and my users’ accounts) are protected with 2FA.