Passwords (even strong ones) can sometimes fall into the wrong hands. To minimize the risk of granting access to an impersonator who might have managed to obtain someone else's username and password, you might need to employ what is known as two factor authentication (2FA). What is it?
What two factor authentication is not
Two factor authentication or 2FA is a combination of two different methods of authentication. Password authentication, for example, is one method. So if you add another method to that, then you already have two factor authentication? Not really.
You see, password authentication is a knowledge-based method. It requires something the user knows, i.e., his password. If the second method of authentication is still knowledge based, say a secret question like "What is your mother's maiden name", then the combination wouldn't qualify as two factor authentication.
Combining two passwords likewise does not qualify as two factor authentication, again because it authenticates a person based on what the person knows.
No matter how many secret questions you ask the user, the security of your authentication wouldn't increase that much. That's because there are now many ways for an attacker to obtain the information only the user is supposed to know.
In fact, that's why hackers were still able to get past the IRS' multi-step Get Transcript authentication. They first aggregated the needed information from other sources (like social media sites). Once they had the information they needed, passing through the question-based authentication process became a walk in the park.
Factors of authentication
There are currently three commonly used factors of authentication:
- Knowledge factors - This is the factor we were discussing earlier. It authenticates based on something the user knows. Most of the time, that something is a password. It can also be a personal identification number (PIN) or the answer to a secret question.
- Possession factors - As its name implies, a possession factor of authentication authenticates based on something the user has. Examples of this "something" include: a private key, a client digital certificate, a smart card, or an ATM card.
- Inherence factors - Finally, an inherence factor of authentication authenticates based on something inherent to the user. The biometric methods that we see in movies, like retina scans, voice recognition, and fingerprint reads, are examples of this type of authentication.
It is when you combine any two of these three factors that you're able to arrive at 2FA. For example, all these combinations are considered 2FA:
- password and retina scan;
- password and thumbprint read;
- private key and password;
- card and retina scan.
More specific examples of two factor authentication
Technically speaking, an ATM card, by itself, already exemplifies two factor authentication. The magnetic stripe at the back of the card already contains the card owner's name and account number. As soon as the card is inserted into the ATM, the machine will automatically recognize the card's owner.
Ideally, that card should only be in the possession of the card owner. So, as you can see, this part of the ATM card authentication process is still based on a possession factor. At this point, it's still just single factor authentication.
However, after the user enters his/her PIN, which is a knowledge factor of authentication, the entire process would now qualify as two factor authentication.
Another example of two factor authentication built around a single object is mobile phone two factor authentication. You're probably familiar with the ones used by Microsoft, Google and Apple, wherein you're sent a one-time code to verify.
Another variety of mobile 2FA is the one used by JSCAPE MFT Server, which requires the user to enter his/her username and password upon login and then reply personally to a phone call that confirms whether the login was legit.
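The one-time-code variety of mobile 2FA described above can be sketched as a two-step login: a password check (knowledge factor) followed by a short-lived, single-use code delivered to the user's phone (possession factor). This is an added example, not code from this article or from any vendor named in it; the class, the constants and the sample account are hypothetical.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300     # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses before the code is voided (assumed value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoFactorLogin:
    """Password (knowledge factor) plus a one-time code sent to a phone (possession factor)."""
    def __init__(self, users):
        self.users = users      # username -> (salt, password hash)
        self.pending = {}       # username -> [code, expiry time, attempts left]

    def start(self, username, password, now=None):
        """Factor 1: check the password, then issue a code for out-of-band delivery."""
        now = time.time() if now is None else now
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        return code  # delivered to the user's phone, never shown in the login session

    def finish(self, username, submitted, now=None):
        """Factor 2: accept the code once, before expiry, within the attempt limit."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if now > expires_at:
            del self.pending[username]
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self.pending[username]   # single use: a replayed code fails
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self.pending[username]   # too many guesses: void the code
        return False

# Constructed sample account, for illustration only.
SALT = secrets.token_bytes(16)
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}
```

A stolen password alone gets no further than `start()`: without the phone that receives the code, `finish()` cannot succeed, and expiry plus the attempt limit keep the six-digit code from being guessed.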
The advantage of using two factor authentication
If it still isn't obvious at this point, the advantage of using 2FA is that it's more difficult to deceive. If we recall the IRS breach (see link above), the attack compromised no less than 330,000 accounts. Because the authentication process was purely knowledge-based, all the attackers had to do was obtain the needed information.
In this day and age, where almost every bit of information has been digitized and made accessible through networks, that's no longer so hard to do. In fact, many usernames and passwords, obtained from previous hacks, are already shared or sold in hacking forums and other dark corners of the web. The answers to those secret questions, on the other hand, can likewise be mined from social media sites.
The hackers would have had a harder time if, instead of those secret questions, the IRS reinforced the password authentication with perhaps a possession factor like phone authentication or maybe a private key or digital certificate. Perhaps difficult to implement. But also difficult to hack. Your choice.