The Basics of Two-Factor Authentication


Two-step authentication may be better than many of the alternatives, but it's no iron fortress.

There’s a new technology that’s capturing headlines, and it’s not the latest iPhone or the newest tablet. In fact, it's a security measure called two-factor authentication. Thanks to a number of breaches of major websites, it's a hot topic in digital security, and everyone’s talking about the possibilities.

With a never-ending stream of hackers and cybercriminals across the globe finding new chinks in IT armor every day, and an increasing amount of digitized, sensitive information to plunder, it's essential for both individuals and businesses to strengthen their electronic locks. But is this strategy enough, or are we simply complicating things for end users without providing a real security gain? (Find out what hackers have been up to in The Top 4 Most Devastating Twitter Hacks.)

What Is Two-Factor Authentication?

Two-factor authentication is exactly what it sounds like: It’s a sign-in process that requires two steps to gain access. The first factor is your password, and the second is a unique numeric security code that’s texted to your phone. This way, the two pieces of information needed to get into the account are stored in two separate places, your memory and your mobile device.

In two-factor authentication, in order to access an account for the first time from a new device, a text message containing a one-time security code is sent to your phone each time you try to log in. You’re then required to input the code to complete the login process. Some services, like Google, allow users to generate a series of one-time use codes that you can write down and keep with you, just in case you don’t have your phone on you or the battery dies.

It may be a bit of a hassle to perform this extra step every time you want to log on to an account from a different piece of hardware, but two-factor authentication is a lot harder to crack than a password alone. Many have found this method worth the slight inconvenience, especially businesses and mobile employees who deal with sensitive data online. (For more insight, check out 7 Sneaky Ways Hackers Can Get Your Facebook Password.)

Who's Using Two-Factor Authentication?

It only makes sense that many banks are increasingly using this technology for their online services. In addition, a few of the heavy hitters in tech have been early adopters of two-factor authentication. Both Google and Facebook have offered this feature since 2011, and Dropbox and Amazon Web Services began using it in 2012. In 2013, Apple and Microsoft joined the two-step party, and Twitter is expected to roll it out soon too.


If you’re wondering why your Facebook and Gmail accounts work just fine with your password alone, it’s because two-factor authentication is not the default setting for most services. It’s usually offered as an optional security measure, and you’ll need to poke around the security settings for your various accounts to find it.

The Current Security Landscape

Two-factor authentication is just starting to gain traction, although it’s been around for quite some time. In fact, ATM cards are a form of this security method – they require something you carry with you (your debit card) and something you have memorized (your PIN).

Right now, the more popular forms of security include:

  • Passwords Alone
    Obviously, two-factor authentication is more secure, particularly because many people are still using weak password creation methods like assigning common whole-word passwords, or using the same password for multiple accounts. (For insight into how passwords are cracked, check out 7 Sneaky Ways Hackers Can Get Your Facebook Password.)
  • Security Tokens
    This is actually a form of two-factor authentication, but it’s expensive to implement and therefore not as popular. The method requires a physical token, such as a key fob or swipe card, to gain access.
  • Encryption and Digital Signatures
    This method scrambles the information received by the person accessing the account until their credentials are verified. Most credentials are in the form of passwords.
  • Remote Wiping
    A security measure common for mobile devices, remote wiping allows users to erase all the data on the device’s hard drive by entering a password or PIN from another device. Many IT professionals are skeptical about the efficacy and reliability of remote wiping.

Is This the Holy Grail?

There’s no question that two-factor authentication is more effective than passwords alone. But will it stop every attempted breach and turn our accounts into iron fortresses from which no data can escape?

Nope. Unfortunately, no security measure is 100 percent effective. The good news is that most of the risks associated with two-factor authentication are a result of human error, which means they can be corrected. Phishing scams, such as the one responsible for the recent AP Twitter hack, have evolved into highly sophisticated operations that may be able to thwart a two-step login process by tricking the user.

So, if you implement two-factor authentication, and learn to play safe online, your data will be just about as safe as it can get.


Related Reading

Melissa Rudy

Melissa Rudy is a versatile copywriter with over 12 years of experience creating compelling and polished content for online, print and mobile channels. Her expertise includes content creation for websites, blog posts, press releases, product descriptions, newsletters and more. He has a strong background in e-commerce, retail and social media. From 2003 to 2008, Melissa worked at Frontgate/Cornerstone in web content management roles. In that role, she coordinated online presentations for thousands of products, edited text for the web, managed daily website operations, and oversaw all online content to ensure accuracy and usability. He also created text for websites, emails…