Two-factor authentication (or 2FA, as they say) may sound like yet another wonky thing that you're supposed to care about, but who knows what it even means, or even why it is important… Ok, so plenty of you do know the answer to that (and its usage is increasing). But a lot of people are simply not there yet. And we all need to get there.
So here we go – let's break it down.
First, let's talk about logins and exactly what happens when you log into a system… There are actually two things that are happening:
- The first is that you are identifying yourself – that's your username.
- The second part is that you are providing authentication – the actual proof that you are who you just identified yourself as.
Authentication is traditionally accomplished through a password (something only you should know). But here's the problem with that: passwords can be stolen. And from what we know about identity theft and phishing attacks, passwords are stolen—a lot! 2FA is simply providing another "factor" — another step; another method — to authenticate your identity when you log in. Having that second factor makes it considerably more difficult for a bad actor to crack your accounts.

But what's a factor?
Factors are:
- Something you know (a password)
- Something you have (a one-time token)
- Something you are/unique to you (a fingerprint or other biometric method)
Most likely you are already using a single factor (a password) for authentication – every day, in many ways. The second factor takes that one step further by requiring a completely separate data point that is NOT recorded or cached. That "something you have" might be a one-time token generated on your phone, or a passcode delivered to your phone via text message. When you are using two-factor authentication, not only does a bad actor need to steal your password, they probably need to have your phone too! A bad actor can steal your password from anywhere in the world over the internet, but getting at your phone? That's a lot harder. And that's why 2FA has such a huge benefit.
Case in point: the stats on phishing attacks are eye-popping!
- Phishing accounts for 90% of data breaches
- “Business Email Scams” accounted for over $12 billion in losses
- 76% of businesses reported being a victim of a phishing attack in the last year
- 30% of phishing messages get opened by targeted users
- 12% of those who opened phishing emails later opened the infected links or attachments.
Without 2FA you are one phishing attack away from some bad actor making havoc of your accounts—fraud, destruction of data, identity theft, data ransom – you name it.
As an Information Security Professional, I sleep at night when my accounts (and my users' accounts) are protected with 2FA.
