Two-Factor Authentication



Or 'Multi-Factor Authentication' (2FA / MFA). That's the only terminology you'll need for this one, as it really is quite simple. Firstly, let's start by saying 2FA and MFA are essentially the same thing. However, MFA (Multi) gives the impression that more than '2' can be used. Generally speaking though, 2 is enough.


Now, what is it exactly? As stated, it really is quite simple. Two keys for one lock. If you've ever seen a movie involving a bank's safety deposit boxes, you'll know that 2 keys are needed to open one. These keys are kept in different locations. Same idea.


You'll also probably be aware of what 2FA looks like. Effectively, you enter your password to a site (let's take Google for example) and then an alert hits your phone to ask if it really is you. This could be via an SMS, an Authentication App, etc. You'll be asked to enter the code that appears on the alert and you're in. Pretty straightforward. In the survey we conducted of 100 people though, only 43 of them use 2FA. 55 people knew what it was without explanation. 16 people said it was too much hassle, and 12 people said they don't believe it works. But with a little demonstration of its simplicity, we quickly changed their minds.


So why use it in the first place? Well, if you have read our other articles, you'll know that a simple username and password combination is no longer at the level of security required for some people to feel secure. Thus, another layer has been added. That's not to say that 2FA can't be hacked - but to relay the message from other articles - if we make it tough for the criminals, they'll most likely move on.


METHODS OF 2FA

To keep this short, we're only going to talk about the main ones. First up, SMS.


As the name suggests, this method involves a text message being sent to your phone with a code to enter into your computer once prompted. It really is that easy. My only issue with this method is signal - depending on where you are, that text message may take a little while to come through. Not that it's a major problem, but it has posed a couple of problems personally in the past.


Authenticator App

So these apps work in the exact same way as the SMS does by offering a code to enter. However, you can see the code changing in real time. The codes only have a shelf life of around 20-30 seconds, which is plenty of time to enter one, but short enough to stay safe from hackers. SMS codes, by contrast, can stay active for 5 minutes plus, which makes the app more secure in our opinion. Another benefit of this method is having multiple sites/applications in one place. For example, on my app, I have codes ready for 13 different sites - including emails, password managers, online shopping sites. This doesn't improve security, but it does improve convenience :)


There are certainly no shortages of these on the App Store and Google Play Store, but having tested quite a lot of them out, we give the crown to Microsoft Authenticator. It's not to say that any other app is less secure or more complicated to use etc. But this app gives a countdown before changing the code. There's also a handy 'copy and paste' function added to it. We're not saying not to use any other app, this is just the one we like. Check some of them out.


Authenticator Key

Somewhat of a lesser-known method, but by far the most secure. This takes the idea of an extra 'key to the lock' literally, by using an actual key. To talk you through the process - signing into a site involves entering a username and password, and then a prompt appearing for a code. Instead of entering a code from an app or an SMS, a USB key is inserted into the computer and a button is pressed. That's it. To gain access to your account, one would need the physical key, which proves difficult for hackers, as they generally live quite far away. There are a couple of companies that build these; one to note is Yubico. It's worth noting that Yubico keys have never been the victim of a hack. The security level on this method is so high that Google issued all of their employees with their version of it for company use.


One last thing to mention about 2FA. It takes all of 30 seconds to set up. Really, you have no reason not to use it. Security is high, convenience is high, excuses are low and costs are non-existent. Do yourself a favour and set it up.