Question from Mary: I’ve been reading your blog for a while and several of your posts recommend using something called Two-Factor Authentication.
How exactly does that work? I’m confused.
And is it really something I need to use?
Rick’s answer: That’s a great question, Mary. I’m glad you asked it because I’m sure there are plenty of other folks who are interested in the answer as well.
Two-Factor Authentication (sometimes referred to as Two-Step Authentication) simply adds a very secure second authentication step to the login process for any online account that supports it.
Virtually all banks and other financial institutions that do business online now offer it as an option in their account settings, and it wouldn’t surprise me a bit if it actually becomes mandatory in the somewhat near future. It really is a great security feature.
The traditional method of logging into an online account requires you to verify your identity by proving that you know something that (hopefully) is only known by you. Of course that piece of information is a password.
If you can provide the password for an account the website assumes that it’s really you who’s trying to log in and grants you access to the account.
The problem with passwords is that anyone who manages to either steal or guess one can log in to your account. After all, a password is nothing more than a piece of information, and anyone who can supply it will be allowed to log in to your account.
Hackers and scammers are quite good these days at both guessing passwords using brute-force password guessing tools and tricking folks into simply handing them over via phishing scams. That means relying on passwords alone to prove an account owner’s identity is no longer a very secure way of doing it.
Two-Factor Authentication works by requiring two things before granting access to your account:
1 – Something that only you should know (your password)
2 – Something that only you should have in your possession (your mobile phone)
Of course your password works the same way it always has. You simply type it into the form when you’re prompted to do so.
Proving that you have physical possession of your phone (which only you should have) is accomplished in one of two ways:
1 – The website sends a text message or places an automated voice call to your mobile phone number. That message or voice call contains a numeric code that changes every time you try to log in to your account.
After you receive the text message or phone call you enter the code contained within that message into the proper field on the login screen. If the code you enter matches the code they sent to your phone, you’re allowed to log into the account.
If you fail to enter the correct code you’ll be blocked from logging into the account, even if you entered the right password!
2 – Some websites allow you to choose between the text message/voice call method of receiving the one-time security code and using an “Authenticator” app on your phone.
One of the most popular Authenticator apps is provided by Google. As you might imagine Google’s app is called Google Authenticator.
Although Google is the company behind this particular app, many other companies use it with their Two-Step Authentication procedures as well. In fact, I have accounts with several different companies that I log in to using Google Authenticator.
Anyway, if you choose to use an authenticator app instead of receiving text messages or voice calls you simply open the app and retrieve the one-time authentication security code from there.
Important: Any time you’re given a choice I recommend that you choose to receive your authentication codes via an authenticator app because the apps are generally a lot more secure than SMS text messages.
Bottom line: Enabling Two-Factor Authentication on your accounts will add an extremely secure second form of identification that you must provide in order to gain access to a given account.
Once it has been enabled, anyone (even you) who doesn’t have physical possession of your mobile phone will not be allowed to log in to your account, even if they know the password.
No phone, no logging in. No exceptions.
Yes, that does add an extra “hoop” that you must jump through in order to successfully log into any account that Two-Step Authentication is enabled on, but with all the hacking and identity theft going on these days that minor inconvenience is well worth it in my opinion.
Luckily, most websites that support Two-Factor Authentication give you the option to exempt your own device(s) from requiring the Two-Step Authentication code on subsequent visits.
In other words, you enter the code from the text message, voice call or authenticator app the first time you log in but you won’t be required to enter it again when you log in from that same device in the future.
Mary, now that you know how Two-Factor Authentication works, I hope you’ll take the time to enable it on all of your online accounts.