What is two-factor authentication (and why should you care)?

Mar 26, 2017

Much has been said in recent stories about two-factor authentication (also known as "2FA"), with Instagram, Nest, Apple, eBay, and many others making it available on their respective websites. A solution that sounded nerdy as recently as a few years ago is starting to sound almost mandatory for average folks. So what is two-factor authentication and why should you care?

All of us are accustomed to using passwords for our various software and internet accounts. We more or less hate them, so we tend to use easy passwords wherever possible. "fluffy2014" isn't too tough to crack, however: your Facebook posts are full of cute photos of Fluffy starting in 2014. Fluffy may be a lousy name for your pet porcupine, but it's a really lousy password because it's a dictionary word, and adding a few numbers doesn't make it much harder. Hackers automate the guessing and get there quickly enough.

Worse still, you hate trying to remember your passwords so you begin to use fluffy2014 everywhere. This is really bad since one compromised password database gives hackers the clues they need to try that same username/password combination everywhere else.

So now you get clever... you start using better passwords, but you keep them in a spreadsheet on your PC. If your PC gets a virus, it's possible the bad guys will find "passwords.xlsx" and have a look. Now you really do have all your eggs in one basket.

Anything that requires only a username and password is considered "single-factor authentication". If hackers can guess your username and password, your data is theirs. Or in hacker parlance, you will get "pwned". If you use that same username and password elsewhere, it's only a matter of time before they pwn the rest of your accounts. There simply has to be a better way.

This is where multi-factor authentication in general (or two-factor authentication in particular) can be helpful. With 2FA, the program or website adds another step to the logon process - usually a text message or email with a code. You have probably already experienced this, and are likely somewhat annoyed by it. Don't be. Though 2FA isn't perfect, it will almost certainly prevent hackers from getting access to your accounts.

If you have been around business banking, odds are you've used a token, or RSA key. This is a small pendant device that cycles through a series of random-looking numbers (usually six digits) which you need to have in front of you before you can log on to the bank's website. The numbers change every 30 seconds or so, so you must log in quickly or wait for the count-down timer to signal a new number. Without the key (and the number on its display), you cannot access your account.

RSA keys are pretty nifty, but they're not cheap. A few years ago, programmers realized that they could generate these numbers for you and send them to you by email or via SMS to your mobile phone. The expiration time of the resulting code is a bit more generous, but you still have a limited amount of time to enter it on the logon page before it expires and you need to request another. This second factor makes it far more difficult for hackers to get into your accounts - even if they know your logon information.

The take-home message is this - embrace two-factor authentication wherever it is offered. I still recommend strong passwords, but multi-factor authentication is a real difference-maker in the war against data theft. 


