Passwords are a real problem these days. We’re required to create so many of them that most of us re-use our memorable favourites, and lengthy and complex pass strings, however desirable, are very much in the minority.
Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer into the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money to both implement the system itself and to distribute those hardware devices to every user. This is especially true when you are talking about free online services such as Facebook, Twitter, Gmail or Dropbox, which have millions of users.
A better name for this security feature is two-step authentication (2SA). Today, two-factor authentication and two-step authentication are used almost interchangeably when talking about securing online accounts, and the name differs depending on what service you’re talking about. At its most simple, they effectively mean the same thing and both refer to adding an extra layer of security to your online world.
With two-factor authentication enabled, you log in to your account by entering your username and password as normal. The site will then prompt you to enter a code that is either emailed to you or sent to your phone by text message. This one-time code, or one-time password (OTP), is only valid for a limited time, usually no more than five minutes, and can only be accessed by someone with access to the email address or phone.
Anything that adds a second layer of identity verification is to be welcomed with open armsAnything that adds a second layer of identity verification is to be welcomed with open arms
Although such 2FA-by-SMS systems have their weaknesses, they undoubtedly add additional strength to the login process.
Generally speaking, the reason people give for not making use of optional two-factor authentication systems is the same reason others dilute its effectiveness once activated: the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.
This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone to type into an authentication box. Indeed, with most two-factor authentication implementations allowing some degree of user configurability, it’s also reflected in people who would rather opt to ‘ask me for a code every 30 days’ than ‘ask me for a code every time I login’.
How to switch on two-factor authentication
The method for enabling two-factor authentication depends on the site you’re trying to secure. Over the coming months we’ll be producing guides for some of the most popular sites that offer the security tool.