Many of us have been living with two-factor authentication for years. It seems that more and more sites have adopted it in the last few months. So, if you’ve never used it before, you’re probably using it now. But is it working? In order to understand the answer, we first must ask…
What is two factor authentication?
It’s actually not a new idea and it’s not as complex as you’d think. Most of the things you do on the internet use “one-factor” authentication. In other words, you put in a username, and the site asks for a password. Get the password right, and you’re in. But you might have encountered a time when your bank or credit card company needed to text you a special code so you could get into your account. That second “factor” is a fresh code generated for that one login and sent to a phone that only you should be holding, so the site is checking that you have the phone on top of checking that you know the password.
Two-factor authentication depends on the company being able to check something about you beyond a password. The usual way to put it is that a factor is something you know (a password, or the answer to a challenge question), something you have (a phone that can receive a text), or something you are (a fingerprint). Strictly speaking, a real second factor has to come from a different one of those groups than the password does. A challenge question is still something you know, so password plus security question is really two of the same factor rather than two factors. It’s kind of annoying, to be honest. I mean let’s get it all out there: most of us leave our social media accounts logged in or at least save the passwords. Our banks smartly don’t let us save the password, but some credit card companies do. Two-factor authentication is like a second lock on the door: it makes us feel more secure but it’s a drag every time we have to open up.
How two-factor authentication works for most of us
The most common form of two-factor authentication today is a code sent to your phone. Most of us have already experienced this. In past years, it was also common to use some sort of test to see if you were a real person. That led to your being shown photos and being asked to identify (for example) all the images with boats.
Only the first of those is really a second factor. The picture test is a CAPTCHA: it establishes that you are probably a human and not a script, but it says nothing about which human you are, so it can’t stand in for a factor. Both exist as a reaction to some sort of fraud that’s taken place, and neither is perfect.
It’s only as good as you let it be
Two-factor authentication is only as secure as you make it. If there’s a challenge question and the answer is available online by searching your social media profiles, that’s not going to help. A message sent to your phone is only secure as long as you still have the phone, nobody else has unlocked it, and nobody has talked your carrier into moving your number onto their SIM. Biometric identification like a fingerprint is pretty safe, assuming someone hasn’t lifted your fingerprint or, even worse, cut off your hand.
The weakest form of two-factor authentication is challenge-based. In other words, the one where they ask you the name of your first-grade teacher. The idea behind challenge-based authentication is that if it happened before 2000, it’s probably not online. So things like your first car, the name of your first pet, that sort of thing aren’t searchable. Of course, if you were born in 1996, chances are that some deft searching will reveal the name of your first-grade teacher, and you bought your first car not that long ago, so that’s online too. I don’t think that challenge-based authentication is going to last much longer.
Right now text messages seem to be the way to go: the web site sends a code to your phone and you have to key it in to continue. Signing in to a Microsoft account on Windows 10 can do this too, but considering that people leave their phones in their desks sometimes, that seems like a poor fit for logging into the computer on your desk.
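To make the text-message flow concrete, here is an added example of the server side of it, written in Python for this page; it is not code from the original post or from any site mentioned here. The code is generated fresh for one login, expires after a fixed window, can be used only once, and is locked after a few wrong guesses, which is what stops someone from simply guessing all one million six-digit values. The class and function names, the five-minute lifetime, the three-attempt limit and the in-memory store are all my own assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed lifetime: the code is useless after five minutes
MAX_ATTEMPTS = 3         # assumed limit: the code is discarded after three wrong guesses


class OneTimeCodeStore:
    """Server-side record of codes that were sent out but not yet used.

    This dictionary stands in for a database table keyed by user id; the layout
    is an assumption for the example, not any site's real schema. A clock
    function is injected so that expiry can be exercised without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # user_id -> [code, expires_at, attempts_left]

    def issue(self, user_id):
        """Generate a fresh code for this login attempt and remember it.

        secrets.randbelow draws from the OS CSPRNG; each digit is uniform, so
        every one of the 10**CODE_DIGITS codes is equally likely.
        """
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        self._pending[user_id] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # the caller hands this to the SMS gateway, never logs it

    def verify(self, user_id, submitted):
        """Return True only for the current, unexpired, unused code.

        Every failure path returns the same False so the caller cannot tell
        "expired" from "wrong" and leak the code's status to an attacker.
        """
        entry = self._pending.get(user_id)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[user_id]        # stale code: drop it, force a re-send
            return False
        # Constant-time comparison so timing does not reveal matching prefixes.
        if not hmac.compare_digest(code.encode(), str(submitted).encode()):
            entry[2] -= 1
            if entry[2] <= 0:
                del self._pending[user_id]    # too many guesses: burn the code
            return False
        del self._pending[user_id]            # single use: a replayed code fails
        return True


def send_code_by_sms(store, user_id, phone_number, gateway):
    """Issue a code and pass it to an SMS gateway callback.

    `gateway` is an assumed callable taking (phone_number, message); a real
    deployment would wrap the carrier or SMS provider API here.
    """
    code = store.issue(user_id)
    gateway(phone_number, "Your sign-in code is %s. It expires in %d minutes."
            % (code, CODE_TTL_SECONDS // 60))
    return code


if __name__ == "__main__":
    # Constructed walk-through with a fake clock and a print-only gateway.
    clock = [1_000_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])
    code = send_code_by_sms(store, "alice", "+15555550100",
                            lambda phone, msg: print("SMS to %s: %s" % (phone, msg)))
    print("first use ok:", store.verify("alice", code))    # True
    print("replay ok:", store.verify("alice", code))       # False, already consumed
```

The expiry and attempt limit are what make a short numeric code tolerable: six digits would fall to brute force in minutes if the server let an attacker keep guessing the same code indefinitely.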
The real problem
But the real problem is that there is no really good form of authentication. Passwords must be impossible to remember; otherwise, they’re easily guessed. Biometrics are too easily fooled. Text messages travel across the carrier network without end-to-end encryption and can be intercepted or redirected by a SIM swap, and challenge questions don’t work. More than anything, it’s just an incredible hassle to go through all of that just to see if your bud from high school is still ranting about something political. What’s the answer? I don’t know. If I did, I’d be a lot richer.