
What is Two-Factor Authentication?

This post originally appeared at ICANN blog on 13 July 2015

Today, I'll explain two-factor authentication, how this improves the security of your online accounts or logins, and examples of where you'll find two-factor authentication in use today.

Begin at the beginning: What is authentication?

Authentication is a security term for demonstrating that you are who you claim to be. The formal language used to describe this activity is "verifying your identity". Throughout military history, sentries posted at a military encampment would challenge anyone who approached to say the password or watchword before admitting them to the camp. Today, we commonly use typed passwords to verify our identities. In both cases, the password is the single authenticating factor required to access a login, email, bank, or online merchant account.

Passwords have proven time and again to be vulnerable to attacks. They can be guessed, stolen, intercepted or even traded away for candy bars. Entire databases of passwords have been breached, and such breaches are occurring altogether too frequently.

What if that stolen password wasn't the only "factor" an attacker needed to access your account? Suppose he needed something else?

This is the principle behind multi-factor authentication: In addition to knowing a password, you must use something else to demonstrate that you are who you claim to be - and not someone who's stolen a password.

Factors: Something You Know. Something You Are. Something You Have.

A password is something you know. But, as we've established, others can learn it or steal it.

Image by Hedeyo Hamano

Biometrics – your fingerprint, iris, facial image, voice pattern, even your DNA – are things that you are, and these are uniquely "you". Today, many tablets, mobile phones or laptops have biometric readers as a second or substitute authentication factor. However, biometrics are less common as a second factor for network, application or account logins, as many people are reluctant to share something as intimate as a biometric for every account they create. The reasoning behind this is simple: the more "copies" of your biometric, the less unique it becomes, and each database where a copy exists is a potential target for an attacker.


Today at least, people appear to be more willing to use something they have – a mobile phone or a special hardware device called a security token – as a second factor for authentication. With two-factor authentication (also called two-step verification), you must demonstrate that you know the password and that you possess the token before you are allowed to access an account or service. You typically do this by responding to a challenge: a popup or web form asking you for a number that is displayed on the security token or for a number sent as a text to your mobile phone. The combination of password and security token (phone) is more difficult for an attacker to obtain. This makes accounts that use two-factor authentication more resilient to attacks.

Sounds Good! Sign me up!

Many corporate or merchant accounts, online financial services, social networking platforms, ICANN accredited domain registrars and even crypto-currencies offer two-factor or token authentication. A reasonably current and accurate list of multi-factor authentication sites and services is hosted at https://twofactorauth.org/. I encourage you to check the list, see where you can use multi-factor authentication, and take advantage of the added security it provides.
