What is two factor authentication?

All of a sudden everyone is talking about it. It certainly seems like the world is a scarier place than it was just one year ago, and the companies we trust are taking steps to make sure that we’re as secure as we can be.

A couple of weeks ago, several key web sites turned on what they called “two factor” authentication, saying it would be safer in the event of hacks or other nastiness happening to your account. Which of course led the rest of us to wonder… “what is two factor authentication?”

It’s actually not a new idea and it’s not as complex as you’d think. Most of the things you do on the internet use “one-factor” authentication. In other words, you put in a username, and the site asks for a password. Get the password right, and you’re in. But you might have encountered a time when your bank or credit card company needed to text you a special code so you could get into your account. That second “factor” is generated on the fly so they can be sure you’re really you.

Two-factor authentication depends on the company knowing more about you than simply a password. They need to know something about you, like the answer to a challenge question, or in the case of text messages, they need to know your phone number. It’s kind of annoying, to be honest. I mean let’s get it all out there — most of us leave our social media accounts logged in or at least save the passwords. Our banks smartly don’t let us save the password, but some credit card companies do. Two-factor authentication is like a second lock on the door: it makes us feel more secure, but it’s a drag every time we have to open up.

And of course two-factor authentication is only as secure as you make it. If there’s a challenge question and the answer is available online by searching your social media profiles, that’s not going to help. A message sent to your phone is only secure if you haven’t lost your phone and the phone network hasn’t been hacked. Biometric identification like a fingerprint is pretty safe, assuming someone hasn’t lifted your fingerprint or, even worse, cut off your hand.

The weakest form of two-factor authentication is challenge-based. In other words, the one where they ask you the name of your first-grade teacher. The idea behind challenge-based authentication is that if it happened before 2000, it’s probably not online. So things like your first car, the name of your first pet, that sort of thing aren’t searchable. Of course, if you were born in 1996, chances are that some deft searching will reveal the name of your first-grade teacher, and you bought your first car not that long ago, so that’s online too. I don’t think that challenge-based authentication is going to last much longer.

Right now text messages seem to be the way to go — the web site sends a code to your phone and you have to key it in to continue. Windows 10 does this, but considering that people leave their phones in their desks sometimes, that seems kind of dumb.
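To make the text-message step concrete, here is an added example (not code from the original post) of what the web site's side of it looks like: a fresh random code is generated for each login, handed to an SMS gateway, and accepted only once, only within a short window, and only for a limited number of guesses. The class and function names, the five-minute window, the three-guess limit and the phone number are all assumptions made for the example; the SMS gateway is stubbed so the code runs offline.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is good for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses invalidate the code


class SmsCodeStore:
    """Server-side record of the one-time codes sent to users' phones."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # gateway callback; stubbed in the demo below
        self._now = now             # injectable clock so expiry can be tested
        self._pending = {}          # username -> [code, expires_at, attempts_left]

    def issue(self, username, phone_number):
        # Six random digits from the OS CSPRNG, generated fresh for each login.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        # The code goes to the phone, never back to the browser that asked for it.
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[username]       # stale code: force a fresh one
            return False
        # Constant-time comparison so a guess cannot be timed digit by digit.
        if hmac.compare_digest(code, submitted):
            del self._pending[username]       # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]       # too many guesses: start over
        return False


# Constructed demo: capture the "SMS" in a list instead of sending it.
_outbox = []
store = SmsCodeStore(send_sms=lambda number, text: _outbox.append((number, text)))


def demo_login(username="alice", phone="+15555550100"):
    """Issue a code, read it from the captured SMS, and try it twice.
    Returns (first_attempt_ok, second_attempt_ok); the replay must fail."""
    store.issue(username, phone)
    code = _outbox[-1][1].split()[-1]
    return store.verify(username, code), store.verify(username, code)
```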

But the real problem is that there is no really good form of authentication. Passwords need to be impossible to remember or else they’re easily hacked. Biometrics are too easily fooled. Text messages transfer over an open data connection and questions don’t work. More than anything, it’s just an incredible hassle to go through all of that just to see if your bud from high school is still ranting about something political. What’s the answer? I don’t know. If I did, I’d be a lot richer.