At Stern Security, we have declared February 2nd (2/2/23) as Two-Factor Authentication Day! The date is 2/2, so naturally it’s the best day for this holiday. This is a day to spread awareness about 2-factor authentication, which is one of the most important ways to protect your online accounts at home and at work. Using a password alone is not enough – you need two-factor authentication.
Forms of Two-Factor Authentication
Have you ever logged into a banking site on your computer by typing in your username and password and the site sends a text/SMS message to your phone to confirm your identity? That is two-factor authentication! It is using two different forms of authentication to confirm your identity.
There are three forms or “factors” of authentication:
- Something you know: Password, Passphrase, PIN, Secret Questions, etc…
- Something you have: Badge, Hard Token (ex. Yubikey), Phone, etc…
- Something you are: A physical trait such as a fingerprint, retinal scan, FaceID, etc…
Two-factor authentication uses two different factors to authenticate an individual. In our banking example, the password was the first factor (something you KNOW), and the text message to the phone was the second factor (something you HAVE). This is much more secure than the password alone because a password can be stolen or guessed.
Are there other names for Two-Factor Authentication?
Two-Factor Authentication goes by many names and abbreviations. Some of the other names include: Multi-Factor Authentication (MFA), 2-Factor Authentication (2FA), and Two-Step Verification. Yes, there are some slight differences between Two-Step Verification and Two-Factor Authentication, but we’ll cover that in a separate article.
Why Do We Need Two-Factor Authentication?
A password alone will not protect your account. Your password could be guessed or intercepted. Additionally, companies get hacked frequently and some of your passwords are probably publicly available. Sites like Have I Been Pwned track compromised accounts from over 600 sites and let you look up whether your account was in one of those known breaches. If a site is hacked and was not storing passwords properly, it may not matter that your password was strong. However, many people do not choose passwords wisely and tend to pick ones that are easy to remember, like Password123!, P@ssw0rd, or Winter2022. In our penetration testing engagements, we often get into accounts because of these weak passwords. If you are relying only on a password to protect your account, you are putting your account at great risk.
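One way a sign-up or password-change form could screen for the predictable patterns named above, as an added example (not Stern Security's code). The word lists are small constructed samples and the names `weak_reasons`, `COMMON_BASES` and `SEASONS_MONTHS` are hypothetical.

```python
import re

# Constructed sample lists (assumption); a real screen would use a much
# larger dictionary and a breached-password list.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin"}
SEASONS_MONTHS = [
    "winter", "spring", "summer", "fall", "autumn",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
]

# Undo the usual character swaps (P@ssw0rd -> password).
LEET = str.maketrans("@4310$57", "aaeiosst")

# Season or month, then a 2- or 4-digit year, then optional symbols.
SEASON_YEAR = re.compile(
    r"(?:%s)(?:\d{2}|\d{4})[\W_]*" % "|".join(SEASONS_MONTHS)
)

SEASONAL = "season or month followed by a year"
COMMON = "common base word with substitutions or a digit/symbol suffix"


def weak_reasons(password):
    """Return the predictable patterns a candidate password matches."""
    reasons = []
    lowered = password.lower()

    if SEASON_YEAR.fullmatch(lowered):
        reasons.append(SEASONAL)

    # Drop the trailing digits/symbols people append to satisfy complexity
    # rules, then normalise substitutions before the dictionary lookup.
    core = re.sub(r"[\d\W_]+$", "", lowered).translate(LEET)
    if core in COMMON_BASES:
        reasons.append(COMMON)

    return reasons


if __name__ == "__main__":
    # The three passwords quoted in the article, plus a long passphrase.
    for candidate in ["Password123!", "P@ssw0rd", "Winter2022",
                      "correct horse battery staple"]:
        print(candidate, "->", weak_reasons(candidate) or "no pattern matched")
```

A password that passes this screen can still be exposed in a breach or intercepted, which is why the second factor is needed either way.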
What is NOT Two-Factor Authentication?
Sites that ask for a password and follow up with secret questions (ex. What is your dog’s name) are not using 2-factor authentication. Both password and secret questions are “Something you Know” so this is using one factor twice.
Where Should I Enable Two-Factor Authentication?
You should enable two-factor authentication on any account that supports it. This includes email (ex. Gmail, Outlook, Yahoo, Apple), social media accounts (ex. Twitter, LinkedIn, Facebook, Instagram), password managers (ex. 1Password, LastPass), gaming sites (ex. Epic, Blizzard) and banking sites. Most modern applications should support some form of two-factor authentication. To get an idea of the many sites that support two-factor authentication, please look at the 2FA Directory.
Today, 2/2 is 2-factor authentication day so please ensure that you have 2-factor authentication enabled on all of your online accounts! Spread the word to your family, friends, and co-workers. As always, if you want to ensure your organization has all of the necessary security controls in place, including 2-factor authentication, you can use our Velocity application today. Happy 2FA Day!