If you’ve ever owned a safety deposit box at a bank—or seen one on TV or in a movie—then you know that it requires two keys to open it. If you recall the beginning of the movie War Games it required two separate keys turned simultaneously to initiate a nuclear missile launch. In both cases the reason is the same: the second key adds an extra layer of protection.
The same thing is true when it comes to authenticating with a computer, website, or application. Requiring a second method of authentication helps to ensure that an attacker cannot successfully impersonate you or compromise your identity even if he manages to acquire one of your authentication methods.
Understanding two-factor authentication
Authentication comes down to one of three things: something you have, something you know, or something you are. A password is something you know. A physical key would be something you have. Biometric authentication like a fingerprint or retina scan is something you are. Two-factor authentication means using two of the three available authentication methods to add an extra layer of protection.
Two-factor authentication is a little different from the scenarios described above. For starters both examples involve two separate keys turned by two separate people. There are two factors involved because there are two keys, but it’s really just the same factor twice. When we talk about two-factor authentication for IT we don’t mean having two separate passwords, or two people who both have to enter a password—although that would provide some additional security. Two-factor authentication refers to using two completely different forms of authentication like a physical key and a password, or a password and a fingerprint scan.
The other way these scenarios differ is that there are additional authentication measures involved prior to the point of turning the keys. A bank would also verify an individual’s identity using a driver’s license or some other form of identification to make sure the safety deposit box key wasn’t stolen or simply picked up off the ground. Prior to the point of turning the keys in the missile silo the soldiers would have had to validate their identities just to get on the base, and most likely went through additional security and authentication processes before being allowed into the missile silo at all.
Two is better than one
The front door on most homes has two locks—a standard lock and a deadbolt. Your car has brakes and a backup emergency brake. If you get in an accident there’s a seatbelt and an airbag. Are you detecting a theme? Two is better than one. It provides more security and better protection.
It may seem like a username and a password are two different things and that requiring both constitutes two-factor authentication. However, that assumption is false for two reasons. First, they’re both the same type of authentication—they’re both something you know. Second, the username is trivial to learn or guess, which really only leaves the password as a defense against compromise.
A password alone is not enough. Passwords are generally easy to guess or crack and hundreds of millions of passwords are leaked or compromised in data breaches every year. You need an additional layer of protection.
Some computers and mobile devices have fingerprint scanners or facial recognition features. Many sites and services have controls in place to text a code to your smartphone as an additional authentication method. Wherever possible you should enable two-factor authentication. It won’t guarantee your accounts or data won’t be compromised, but it will make it significantly harder and attackers prefer to pursue easy targets.
Two-factor or multi-factor authentication is particularly important in the enterprise—both for access to endpoint systems and live data in real-time as well as for backups. It doesn’t do much good to have tight security on live data but leave backed up data exposed to trivial attacks.