Two-Factor Authentication

Though this isn’t a new topic, I originally posted this on a different blogging platform and later moved it to Medium. It felt like a good idea to move it here now.

This article is geared toward being understandable by less tech-savvy folks. If that describes you, or if you've ever tried to explain the subject to someone in that category, this article should provide some good basic info on two factor authentication.

What Is It?

Generally speaking, the online services we use regularly require only one form of authentication: a password. You tell the website who you are (your username) and then prove that you are who you say you are (with your password). Two factor authentication is exactly what it sounds like: rather than relying on a single factor, you present a second, independent piece of evidence that the account belongs to you. Depending on the service, this may be a physical key that must be plugged in when you type your password, a fingerprint scan, or a specially generated code that changes over time. The most common form for online services is a 6-digit numeric code that is regenerated every 30 seconds or so. Your phone or other device holds a secret used to create this code, and the online service holds the same secret; the code for any given moment is derived from that secret and the current time, so both sides can compute it, but someone who sees one code cannot work out the next. When you log in, you enter your username and password and are then prompted for the 6-digit code that is valid at that moment. Google, Facebook and many other popular sites support this method. Other services, such as Twitter, instead send your phone a text message with a unique code when you try to log in. That still requires access to your personal device, though text messages can be intercepted or redirected to another phone, so an app-generated code is the stronger choice where a site offers both.
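To make the "shared secret plus clock" idea concrete, here is an added example (not code from the original post) of the open standard these apps implement: time-based one-time passwords, TOTP (RFC 6238), which is HOTP (RFC 4226) with the current 30-second step used as the counter. The secret and the timestamps are the RFC test vectors; the server-side verification window and the replay check are design choices of this example, not something the post describes.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def new_secret(length: int = 20) -> bytes:
    """What a site generates when you enable 2FA; this is what the QR code carries."""
    return secrets.token_bytes(length)


def encode_base32_secret(secret: bytes) -> str:
    """Base32 without padding, the form used inside otpauth:// QR codes."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def decode_base32_secret(text: str) -> bytes:
    """Accept the human-friendly form sites print as a fallback (spaces, lower case, no padding)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros: "005924" is a valid code


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, code: str, timestamp, last_used_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the counter that matched, or None.

    Accepts the current step plus `window` steps on either side so a phone whose clock
    drifts a little still works, and refuses any counter <= last_used_counter so a code
    that was already spent (phished and replayed, for instance) cannot be used twice.
    The caller stores the returned counter as the new last_used_counter.
    """
    code = code.strip().replace(" ", "")
    if not code.isdigit() or len(code) != digits:
        return None
    counter = int(timestamp // step)
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_used_counter:
            continue
        # Constant-time compare so timing does not leak how many digits were right.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Enrollment: the site generates a secret and shows it (as a QR code) to your phone.
    shared = new_secret()
    print("secret for the QR code:", encode_base32_secret(shared))
    # Login: both sides derive the same code from the secret and the current time.
    now = time.time()
    print("code right now:", totp(shared, now))
    print("server accepts it at counter:", verify_totp(shared, totp(shared, now), now))
```

The `window` of one step on each side is the usual compromise: wide enough that a phone a few seconds off still logs in, narrow enough that a captured code is useless a minute later. Tracking the last used counter is what stops someone who phished a live code from reusing it inside that window.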

Why Should I Use It?

If you haven't noticed, data breaches are getting a little too common these days. We're living in an era of technology and in a time when "data" is a buzzword among tech companies and news stories. Tech giants have your data, and everyone else wants to take it. Until the last several years, we have relied on passwords (and weak ones at that) to verify identities. With fast computers, cracking a stolen password takes far less effort than it used to, and a password reused across sites falls as soon as any one of them is breached. The beauty of two factor authentication is that a stolen password is no longer enough on its own. To log in to my Gmail account, someone would need to know my username and password and also have access to one of my devices at the moment he or she is trying to log in.

Where Do I Start?

Different services have taken different approaches to this problem, but luckily most of them support the same open standard: time-based one-time passwords (TOTP). Google makes an app for iOS and Android called Google Authenticator. Getting started is as simple as going into the security settings of whatever site you want to protect (Gmail, Facebook, etc.) and scanning the QR code it shows on your computer screen with the Google Authenticator app; the QR code carries the shared secret, so the app never needs to contact the site again. While this app does a great job of keeping things simple, it's just a little too simple for me. For instance, if I ever lose my device I have to re-enroll every service I use from scratch (or dig out whatever backup codes each site gave me when I turned the feature on). You're also out of luck if you don't have an iPhone, iPad, or Android device.

Enter Authy. Google Authenticator did a great job of getting people to stop making excuses and start using better authentication, but that's about as far as it went. Authy creates an account that stores all of your authenticator secrets so that you can get your codes on multiple devices. I know it seems odd to enable two factor authentication to make things more secure than a password, and then turn around and store the secrets in an account that's only protected by a password. The key here is to use one lengthy, confusing, hard-to-crack password for this account and nowhere else. The benefit is that you keep the security of two factor authentication for your online accounts while losing the hassle of being locked out when a device goes missing. Authy has apps for Android, iOS, Blackberry, and Chrome, and they all stay synchronized with each other (and password protected). It's also worth mentioning that the apps look infinitely nicer than the bland Google Authenticator apps.

Some sites, such as Twitter and Facebook*, offer their own solutions as well, but most places that offer two factor support the same standard that Google Authenticator and Authy use. So go download Authy on your main device and read how to enable two factor for your Google account. What are you waiting for? You can't afford not to be secure anymore.

*With Facebook, you can use the Facebook mobile apps to generate codes, as well as using Authy or Google Authenticator.