2FA: what is it and why would you use it?

If you do some research in online security, changes are the term 2FA will pop up. Although the term is unknown to many people, it is likely that they encounter this technique on a daily basis. For instance when they use online banking or when working on a corporate network. This article will tell you what 2FA is, how it works and which gains it provides you.

Two time’s a charm

The abbreviation 2FA stands for “two-factor authentication”. 2FA is a security system that asks the user more than just a single username and password. Using 2FA truly gives you a second layer of security to control the identity of the person trying to get access. Unauthorized people who are only in the possession of the first factor (usually the username and password) will not get access to personal data.

A good example of 2FA is found in online banking: in order to carry out a transaction, you need a TAN-code (Transaction Authentication Number) that you receive by SMS. In itself this code is useless, but it conforms that the person taking the action is in the possession of the mobile phone that is connected to this account. This system makes it very likely that the person initiating the transaction has the correct identity.

Just a password

Why wouldn’t you solely trust on a password? To many users this seems a simple, swift and safe method. However, as it turns out, it is not easy to create and manage a strong password. Passwords are vulnerable to threats, both from within (the colleague who keeps his login details on a post-it on his desk) as well as from the outside (hackers). Sure, a password can be part of a solid defence system, but a system that uses more than just one factor is many times safer.

Different types of 2FA

Authentication can occur based on different factors. These factors can be divided into three categories:

  1. Something the user knows. For instance a password, PIN or other information that the user has previously shared with the system.
  2. Something the user has. Think of a mobile phone or an access card.
  3. Something the user is. He or she can be recognized based on a fingerprint, their voice or their face.

We use the term 2FA if a system combines factors from two different categories, for instance something the user knows with something the user is. A system that demands three different factors of authentication is also a possibility. Each extra factor ensures more certainty about the identity of the user.

Different types in practice

There are systems that ask for 2 sets of passwords, for example when you want to login to an account and subsequently want to open a file. Although we are talking about two different passwords, this is strictly speaking not 2FA but SFA (single-factor authentication) because only one type of factor is being used. People tend to choose this type of authentication in many cases because of the user experience. The biggest disadvantage here is that passwords can be shared with other people, so by using only the first category other people can still gain access to your account, files or other information that should be protected.

Two-factor-authentication asks the user to take one more step, but results in a more safer situation.  We do not see the ‘real deal’ so often in practice, because many users are not used to taking this extra step. Authentication based on biometrics (what the user is) is only being used by big companies and government institutions. Employees at Schiphol Airport for instance need both a password and a successful iris scan to get behind customs. Fingerprints (or in the case of the new iPhone: facial recognition) used as SFA to unlock devices, is getting used more and more nowadays.

Small effort, great results

ZIVVER always advises you to use two-factor authentication. If you share sensitive information online you want to make sure only the right person receives this information and no one else. Taking one extra step is a small price for the certainty that you are not leaking your data. Especially in the light of the GDPR which came into effect last May: under these laws you are obliged to take the right technical measures to prevent a data leak.

Go to the GDPR Checklist
RELATED