An advert is currently running in which a man gets his password hacked because, the ad implies, he wasn’t using a VPN (virtual private network).
The man’s password? ‘John123’.
When you’re that hopeless at creating login credentials, there’s not much a VPN can do to help. Sooner rather than later, someone will guess your password and stumble into a wealth of sensitive information.
Sadly, it’s not as though John is a made-for-TV exaggeration. There are tens of millions of people who use even worse passwords, such as ‘Password’ or ‘123456’. Even comparatively strong phrases, such as ‘CCSIT123!#’, wouldn’t take too long for a password-cracking machine to guess.
Are we all so useless? Are we doomed never to use strong phrases, despite copious guidance on password creation?
And let’s say we do all get the hang of using passwords such as ‘T50-y-o-mct15:50t’: will it make any difference, given that crooks are increasingly adept at phishing scams, malware injection and hash cracking, in which they can access passwords without having to guess them?
Perhaps it’s time we put our faith in something more robust than a password. Perhaps it’s time we finally push for the widespread adoption of two-factor authentication.
What is two-factor authentication?
Two-factor authentication, also referred to as ‘TFA’ or ‘2FA’, is a method of verifying someone’s identity, using a combination of:
- A knowledge factor (something you know);
- A possession factor (something you have); and
- An inherent factor (something you are).
This may sound complicated, but anyone with a bank card has been using two-factor authentication for years. When you pay for goods or take money out at the ATM, you must provide something you have (your card) and then enter something you know (your PIN).
Authentication factor examples
Knowledge factors are usually the base form of authentication. You type in a password, a PIN or an answer to a secret question in order to access the second factor.
Possession factors (or ‘security tokens’) are essentially keys that are inserted into a ‘lock’ (your account). The key can be physical, such as a smart card; digital, such as an OTP (one-time password); or a combination of the two, as is the case with hardware tokens.
Physical factors require users to simply present the item to the lock.
With digital factors (or ‘software tokens’), the user’s login credentials are linked to another account, usually their phone number or email address. When attempting to log in, the user is sent an OTP that they must duplicate on the login screen.
Hardware tokens work in a similar way, but they use a dedicated device for creating OTPs. Users are required to a carry a USB-like stick, which can be activated to create an OTP.
Inherent factors are usually associated with biometrics, such as fingerprint scans, and face, voice and iris recognition.
Why you should use two-factor authentication
Two-factor authentication protects you from most cyber attacks, and makes accidental breaches and opportunist hacks almost impossible.
Criminals might be willing to go to that effort for a high-value target, such as a chief executive or a public figure, but it will be too much effort in most cases.
What about multi-factor authentication and two-step verification?
Two-factor authentication is a subset of multi-factor authentication (MFA). The terms are often used interchangeably, with the only difference being that MFA can include more than two factors.
Another term that’s used alongside two-factor authentication is ‘two-step verification’ or ‘2SV’. This process requires users to provide two pieces of information, but not necessarily from separate factor classes. It usually consists of two different things you know, such as two passwords, or a password and the answer to a secret question.
‘Strong authentication’ is another common phrase. This is an umbrella term referring to any mechanism that requires users to provide something in addition to a password.
Security vs convenience
Two-factor authentication has always been a matter of offsetting security and convenience. Passwords are commonly used because they are simple and give users instant access to their accounts. There’s no need to carry around a security token and fumble around looking for it whenever you need to log on.
OTPs aren’t much more convenient, as you need to open your phone or email account, wait for the notification and then type it in.
But is that convenience worth the risk? We don’t think so, given that an estimated 2 billion data records were breached in 2018.
At some point, organisations and individuals must value the security of their information over convenience. Besides, is waiting a few seconds for an email containing an OTP any less inconvenient than remembering dozens of complex passwords or logging in to a password manager?
Are you doing enough within your organisation when it comes to security.
If you would like to discuss the topics covered in this article or any alternative issue relating to IT Support, please get in touch with our team today:
T: 0161 428 2088