If you’re operating at all in the digital space, as a consumer or as a business, you should be concerned about password security, and you should make it a habit to practice good password hygiene.
But is that enough — and how can two-factor authentication help?
Just ask the CEO of Colonial Pipeline, whose company suffered a $4.4 million ransomware attack that cut off the fuel supply to the East Coast and set off panic buying last month. The attack was made possible in part because the company did not use multi-factor authentication.
It’s not easy to keep a password safe. User-created passwords are generally weak or repeated across multiple accounts; about 90% of passwords can be cracked in less than six hours. Two-factor authentication adds a second layer of protection to your password, so if someone gets your password, they still have another hoop to jump through.
Here’s how it typically works: For starters, you enter your credentials — typically a username or email address and password. The service then automatically sends a request for another piece of information to confirm your identity before granting you access. If you’ve ever used a debit card at the ATM or paid for gas with a credit card at the pump, you’ve used 2FA by providing one form of account access (a card) along with another (your PIN or ZIP code).
Two-factor authentication (2FA) combines factors from two of these three categories:
- Something you know. This is some sort of knowledge and can include things like a PIN, answers to a security question or a password.
- Something you have. This is a physical object and can include things like an ID card, a phone authentication app, an SMS code sent to your phone or a security token.
- Something you are. This is biometric data and can include something like a fingerprint, face or retina scan.
The key to 2FA is that the two factors must be from different categories. You can’t have two factors from the same category.
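The login flow and the different-categories rule described above, as an added example that is not part of the original article: a password check (something you know) followed by a time-based one-time code of the kind a phone authentication app generates (something you have). The account data, the factor names and the choice of RFC 6238 TOTP are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Factor kinds from the article's three lists, mapped to their category.
CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "id_card": "have", "auth_app": "have", "sms_code": "have",
    "security_token": "have",
    "fingerprint": "are", "face": "are", "retina": "are",
}

def is_two_factor(kinds):
    """True only if the presented factors span at least two categories."""
    return len({CATEGORY[k] for k in kinds}) >= 2

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1), as an authenticator app computes it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; the shared secret is the RFC 6238 test key.
SALT = b"constructed-salt"
ACCOUNT = {"pw_hash": hash_password("correct horse battery", SALT),
           "totp_secret": b"12345678901234567890"}

def login(password: str, code: str, now: int) -> bool:
    """Step 1: something you know. Step 2: something you have."""
    if not hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return False  # wrong password: the second factor is never consulted
    # Accept the current 30-second window and one either side for clock drift.
    windows = [now + d for d in (-30, 0, 30) if now + d >= 0]
    return any(hmac.compare_digest(totp(ACCOUNT["totp_secret"], t).encode(),
                                   code.encode()) for t in windows)
```

A password plus a PIN fails `is_two_factor` because both are knowledge factors, while a stolen password alone fails `login` because the attacker cannot produce the current code.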
Need help visualizing this? Remember that one scene in The Incredibles when costume designer Edna Mode takes Helen AKA Elastigirl into her testing room to show her the family super suits? That’s a perfect example of two-factor authentication in action. She enters a passcode (something you know) and does a hand scan, a retina scan and a voice check (something you are).
Although 2FA isn’t 100% foolproof — as nothing in cybersecurity is — it’s much better than only having a password.
Think of protecting your home from burglars — you can have a loud, scary dog to keep robbers out or you can have a home security system to keep them out. But, if you combine both the loud, scary dog and the home security system, that adds a lot more protection to your home.
Two-factor authentication is a lot like that. The point is to make you a less attractive target for hackers because they rarely target specific people — they find people who are easy to hack, those with weaker security. If their target is harder to crack, they’ll just move on to the next one.