Most of us use passwords of varying length and complexity. But with passwords there is always the risk of them falling into the wrong hands: a website may get hacked and its password database leaked, or an attacker may use a brute-force technique to crack your password. Either way, the attacker can then gain access to your account, because all that is required to log in is your username and password.
To guard against this, there is a method called Two Factor Authentication, or 2FA, in which an extra layer of security is added even when the username and password are correct. In 2FA, after the correct username and password have been supplied, the user has to provide some additional information before being logged into the account.
- This additional information may be something that only the user knows (e.g. some personal information or the answer to a secret question), or
- Some other data, code or device that only the user has access to (e.g. a USB drive that must be plugged into the computer when logging in, or a linked and verified mobile phone or email address to which another code is sent after the user has supplied the correct username/password), or
- Something that the user is, i.e. something that identifies the user uniquely, e.g. a fingerprint, iris scan, voice print or face scan. Such information has to be provided at the time of logging in to the system.
The most common method used for 2FA is application-generated codes. A special mention needs to be made here of Time-based OTP (TOTP) applications like Authy and Google Authenticator, which generate such codes for use as the second factor. Here, after authenticating with the proper credentials (username/password), you generate the 2FA code in the app, which can then be used to log into the system.
Trusted Devices also deserve a mention in the context of 2FA. On a trusted device you may either not need 2FA at all, or you may generate some special codes which can act as the second factor.
Similarly, if you have a recovery email address or phone number set, one may be able to skip 2FA entirely by using that recovery email or phone number.