Tuesday, June 23, 2015

Two-factor Authentication: What Is It and Why Should You Use It


Mike Cleckner
Software Engineering | Project Management • Software Development • Quality Assurance
linkedin.com/in/mcleckner

Have you ever heard of two-factor authentication and thought to yourself, “What the heck is that?”

Well, you can Google or Bing or Yahoo or Duck-Duck-Go it and find out more technical details. I’ll give you the high-level, person-on-the-street explanation in this blog post. I’ll start off by saying that I am not your cyber security expert. I don’t have thirteen letters after my name endorsing my cyber-security credentials. I’m just practical and curious and I did some searching on the web. I’m a geek and a techie. You need to be responsible for yourself and your cyber-life. Take what I write here as a starting point for you to research more into the topic and decide if it is right for you. You need to do some leg work. This is simply an introduction.

What is two-factor authentication?

Two-factor authentication is defined on Wikipedia (https://en.wikipedia.org/wiki/Two-factor_authentication) as:

… provides unambiguous identification of users by means of the combination of two different components. These components may be something that the user knows, something that the user possesses or something that is inseparable from the user. 

In your everyday life, the example is the PIN for your ATM card. The ATM card is your first level of authentication: it tells the machine that you have a bank account, which bank, etc. Your PIN (which shouldn’t be written on the back of the card!!!) is the second level of authentication. Another example is when you call your Health Insurance provider and they ask you to provide your mailing address, date of birth, and the last four digits of your social security number. Hopefully, knowing all those things in addition to your account/member number ensures you are who you are supposed to be.

So two-factor authentication boils down to using a primary and secondary method of verifying that you are who you say you are and that you should have access to this service. For services on the web, it gives you a second level of verification to ensure that you should be accessing the web site. This means that if someone managed to guess or steal your password, then they won’t automatically gain access to that service because they don’t (hopefully) have the second layer of security. 

What is that second layer?

Well, it depends. For some web sites/services like Gmail, you could use a text message sent to your cellphone with a code, a token generated by an application, or a phone call to your phone telling you the code to enter. It can vary from provider to provider and service to service. Basically it boils down to some other method of ensuring that the person trying to access your account/service is you. These secondary validation methods are tied to something that you (ideally only you) have access to, or that would require a really bizarre set of circumstances for a non-authorized person to have access to (like you left your cell phone, with no lock code, that you use for the secondary validation sitting next to your laptop in Starbucks when you went to the counter for another scone).

Isn’t this just going to be a pain for me? I don’t want to go through this EVERY time I log in.

Well, yes. It can be a pain, but nothing is for free, right? If you want the extra security, then you’ll have to deal with the extra 5 or 10 seconds to get the secondary access code and enter it. Boo hoo, was that REALLY so bad?

Seriously, depending on what device you are accessing the service from and the kind of two-factor authentication the service provides, it is possible to tell the service to “remember” you on this device. This way you don’t have to go through the whole process again. That sounds like a great idea, right? Well, sure it is convenient, but you should think twice about which devices you enable that on. If you carry your laptop around with you, then maybe it would be better to deal with the extra layer of authentication just in case you happened to leave your laptop somewhere. With your desktop at home (or your laptop at home that never gets to go anywhere), it probably is safe to have the service “remember” you. If nefarious computer hacking ninjas decided to invade your home and take your computer, then I guess it might not have been a good idea. On the plus side, if you find out that your authenticated (i.e. stop asking me for the secondary password!) device is stolen or lost, then you should be able to reset the service’s two-factor authentication. That means it won’t “remember” that device anymore and will ask whoever is trying to log into the service for the second layer of authentication.

Many of these services also provide multiple ways to get that second authentication token/code. If your primary way to get the token is a text message to your cellphone but you forgot to bring it with you, another method can be used.

(I can’t imagine that you would actually do that. I’m sure you got 30 minutes away from home and panicked. “Where’s my cellphone?” And motored right back home to get it.) 

Sometimes this is a set of a dozen one-time codes that you print out and put in your purse or wallet; or it could be a phone call to another number. Review the two-factor authentication abilities that are provided by the service. There should always be at least two ways for you to get that token/code. Just in case.

So why should you use two-factor authentication?

For security. For peace of mind that someone isn’t into your Gmail, sending out Tweets from your account, messing with your LinkedIn profile (You were a circus clown for three years. Interesting.), or defacing your Facebook profile. You probably don’t need to worry about it unless your password is “password” or “123456” or something else easy to guess, or you are some high-profile person (like Taylor Swift, Jerry Seinfeld, Joe Rogan, or Alison Krauss) that would make you a “fun” target. But why not add that extra layer of security?

For most of us, it is a non-issue until it is an issue. Until some bozo hacks into some website’s backend server and lifts the account information. Seems to me that just happened to LastPass (https://blog.lastpass.com/2015/06/lastpass-security-notice.html/), although don’t worry, because your password wasn’t exposed (uh huh). So why not just use it, at least for the services that you really care about? I recommend at least your email account (especially if it is the one you use for “I forgot my password”) and whichever social media service you really, really, really love and use frequently.

I use it wherever it is available.

Next Steps?

Right. Where are the step-by-step instructions for whatever service you use? That’s right, I didn’t do that. Take a moment and simply search the internet for information on how to do it for whatever service.

(We are living in the information age for Pete’s sake!)

Pretty much EVERY popular service on the web has this wonderful thing called HELP. Click on that and then search for “two-factor authentication”. Or use your favorite web search portal and type “two-factor authentication <service>”. 

For example “two-factor authentication twitter” (Here’s my search for that -- https://duckduckgo.com/?q=two-factor+authentication+twitter) and go with the result actually from that service (Here’s one from my results for that -- https://blog.twitter.com/2013/getting-started-with-login-verification). 

So look into it some more. Check out what is provided by your service and set it up. If you don’t like it, then you can just disable it. No big deal. 

What’s the worst thing that happened? 

You learned something new and tried it out.