Two locks are better than one. The same is becoming true in the online world, where individuals and organizations are being encouraged to augment passwords with a second layer of security. This two-step process, called two-factor authentication, requires the user to supply both a password and a second type of verification.
There is very little research that looks into how many people are using two-factor authentication, but Duo Security estimates that 6.5 percent of all Google users had enabled the enhanced security procedures by mid-2015. (Duo warns that its estimate is very rough and based on a number of guesstimates.) Even without hard evidence, there is a very real sense that two-factor authentication is growing in popularity, especially after the federal government began promoting it as part of its National Cybersecurity Awareness Campaign last year.
More and more research shows that passwords alone are not enough to protect online identities and accounts. Entrepreneur reports that 90 percent of all employee passwords can be hacked within six hours, and 65 percent of people use the same password across all sites and services. In addition, passwords can be stolen through no fault of the user.
What Is Two-Factor Authentication?
Two-factor authentication, as its name implies, requires a password and another step for users to gain access to online services, such as email and social media. The second step must be a fundamentally different factor than the first. For example, since passwords are based on information, the second factor cannot be based on information as well. Someone who has access to a user’s password may also be able to guess the answers to the user’s security questions (i.e., “Where were you born?” and “What is your mother’s maiden name?”).
The most common second factor usually revolves around the idea of possession — that is, the user must own a device through which he or she can confirm access to the online service or information. It’s also possible for the second factor to be based on biometrics, requiring a facial recognition scan or fingerprint before access is granted.
The three factors, then, are:
There’s a difference between two-factor authentication and two-step authentication, although some people mistakenly use the terms interchangeably. Two-factor authentication is preferred because it requires information in addition to possession or biometrics. Two-step authentication may simply require two pieces of information.
How Does It Work?
In many cases, two-factor authentication is a seamless process that, while not as quick as simply entering a password, poses very little inconvenience. Here is the most common process for two-factor authentication:
This process meets the requirements of two-factor authentication because it relies on both knowledge of the password and possession of a device that can be used to verify that the person signing on is the actual owner of the account. If someone knows the user’s password yet does not have access to the user’s cellphone, he or she would not be able to access the account.
As security needs grow, it’s likely that two-factor authentication will evolve into multi-factor authentication requiring three or more verification elements. In addition to the password, possession of device and biometrics, users may be required to log in from a particular location or during a specified time window.
In addition, biometric factors will likely grow more sophisticated. Behavioral biometrics and keystroke dynamics are emerging fields that will likely be able to verify a user based on how someone walks, talks or types.