2FA: what is it and why would you use it?

If you do some research into online security, chances are the term 2FA will pop up. Although the term is unknown to many people, they likely encounter this technique on a daily basis, for instance when they use online banking or work on a corporate network. This article explains what 2FA is, how it works and what it gains you.

Two time’s a charm

The abbreviation 2FA stands for “two-factor authentication”. 2FA is a security system that asks the user for more than just a username and password. Using 2FA gives you a second layer of security to verify the identity of the person trying to get access. Unauthorized people who possess only the first factor (usually the username and password) will not get access to personal data.

A good example of 2FA is found in online banking: in order to carry out a transaction, you need a TAN code (Transaction Authentication Number) that you receive by SMS. In itself this code is useless, but it confirms that the person taking the action is in possession of the mobile phone that is connected to this account. This system makes it very likely that the person initiating the transaction is who they claim to be.
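The TAN step described above, seen from the server side, as an added example that is not taken from this article or from any bank's code. The class name `TanService`, the 6-digit code, the five-minute validity and the three-attempt limit are assumptions chosen for illustration; delivery by SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

TAN_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit per transaction


class TanService:
    """Issues and verifies one-time TANs, each bound to a single transaction."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # transaction_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(transaction_id, tan):
        # Keep only a hash, bound to the transaction the TAN was issued for.
        return hashlib.sha256(f"{transaction_id}:{tan}".encode()).digest()

    def issue(self, transaction_id):
        """Create a 6-digit TAN; the caller sends it to the registered phone."""
        tan = f"{secrets.randbelow(10**6):06d}"
        self._pending[transaction_id] = [
            self._digest(transaction_id, tan),
            self._clock() + TAN_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return tan

    def verify(self, transaction_id, submitted_tan):
        """True only once, for the right TAN, before expiry, within the limit."""
        entry = self._pending.get(transaction_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[transaction_id]  # expired or guessed too often
            return False
        entry[2] -= 1
        candidate = self._digest(transaction_id, submitted_tan)
        if hmac.compare_digest(digest, candidate):  # constant-time comparison
            del self._pending[transaction_id]       # single use: no replay
            return True
        return False
```

The password check (the first factor) happens before `issue` is called; the TAN only proves possession of the phone, which is why it is useless on its own.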

Just a password

Why wouldn’t you rely solely on a password? To many users this seems a simple, swift and safe method. However, as it turns out, it is not easy to create and manage a strong password. Passwords are vulnerable to threats, both from within (the colleague who keeps his login details on a post-it on his desk) and from the outside (hackers). Sure, a password can be part of a solid defence system, but a system that uses more than just one factor is many times safer.

Different types of 2FA

Authentication can occur based on different factors. These factors can be divided into three categories:

  1. Something the user knows. For instance a password, PIN or other information that the user has previously shared with the system.
  2. Something the user has. Think of a mobile phone or an access card.
  3. Something the user is. He or she can be recognized based on a fingerprint, their voice or their face.

We use the term 2FA if a system combines factors from two different categories, for instance something the user knows with something the user is. A system that demands three different factors of authentication is also a possibility. Each extra factor ensures more certainty about the identity of the user.

Different types in practice

There are systems that ask for 2 sets of passwords, for example when you want to log in to an account and subsequently want to open a file. Although we are talking about two different passwords, this is strictly speaking not 2FA but SFA (single-factor authentication), because only one type of factor is being used. People tend to choose this type of authentication in many cases because of the user experience. The biggest disadvantage here is that passwords can be shared with other people, so when only the first category is used, other people can still gain access to your account, files or other information that should be protected.

Two-factor authentication asks the user to take one more step, but results in a safer situation. We do not see the ‘real deal’ so often in practice, because many users are not used to taking this extra step. Authentication based on biometrics (what the user is) is only being used by big companies and government institutions. Employees at Schiphol Airport, for instance, need both a password and a successful iris scan to get behind customs. Fingerprints (or in the case of the new iPhone: facial recognition) used as SFA to unlock devices are being used more and more nowadays.

Small effort, great results

ZIVVER always advises you to use two-factor authentication. If you share sensitive information online you want to make sure only the right person receives this information and no one else. Taking one extra step is a small price for the certainty that you are not leaking your data. Especially in the light of the GDPR which came into effect last May: under these laws you are obliged to take the right technical measures to prevent a data leak.
