Editor’s Note: This column was written by Peter Pelland for WOODALLSCM.com. Pelland is the CEO of Pelland Advertising, a company that he founded in 1980 and that has been serving the family camping industry for over 35 years. Learn more about Pelland Advertising at www.pelland.com.
Many of us tend to resist anything that we think will make our daily routines more complicated. That is why there are still people reading this who use the same password — camping 123!, or something similarly insecure — on just about everything. I have already written extensively on the importance of using secure passwords and a unique password for every application or website, so I will try not to beat a dead horse on that topic.
What I want to address in this column is why you should embrace two-factor authentication (2FA) over single-factor authentication (SFA) whenever possible. Online, SFA simply requires a password to gain access to a site or service. Two-factor authentication, on the other hand, requires an added step. It may at first sound like a new concept, but it has been a part of our lives in one form or another for decades.
For example, when you use an ATM or your debit card, in addition to having direct access to the card, you will need to enter a personal identification number (PIN). When you pass through TSA at the airport, you need to show not only your boarding pass but another form of positive photo identification. And to drive away in a car, the door must be unlocked, but you will also need either the key or key fob that matches that vehicle. Two-factor authentication is not that new a concept after all, is it?
In today’s modern applications, there are several forms of two-factor authentication:
• Something you know — a password, the last four digits of your social security number, or the answer to a secret question. (Let me caution you against ever providing your social security number to anybody other than the Social Security Administration, the Internal Revenue Service or your state tax authority, and possibly your bank. Let me also caution you against ever playing one of those common social media games or quizzes where you might be inadvertently disclosing the answer to what might also be a secret question.)
• Something in your possession — an RFID card, key fob, or your phone.
• Something that is part of you — biometric factors such as fingerprint authentication, voice recognition, facial recognition, or retinal scanning.
• Your location — which may be based upon your IP address or GPS location.
To be effective, 2FA should rely on a combination of two (or more) of these authentication factors. For example, because a password and an answer to a secret question are both knowledge-based bits of information, their combination results in a rather weak form of 2FA that most security experts would simply consider SFA.
The most common form of 2FA today is a one-time authentication code that is sent by SMS (short message service), generated by an installed app, or delivered by email or voice. The code, which expires after a short period of time (usually 30 to 90 seconds), must then be entered into the original application or website, often on a second device.
This means that if somebody, for example, stole your laptop computer and then also somehow stole the login ID and password for your online banking, they would also need to have stolen your phone and to know the password or other means of unlocking that phone before they could even think of transferring funds out of your account.
In my instance, in order to access my online banking, a thief or hacker would first have to know the unique username for my account (which, according to Dashlane’s “How Secure Is My Password?” website, would in itself take 100 years to crack), then know the password, which would take 100 million years to crack. Alternatively, they could try to hack into my LastPass password safe, with a master password that I can easily remember but that would otherwise take at least a billion years to crack (but which I still change on a regular basis), and then run into a firewall when their IP address was not recognized and whitelisted.
In all honesty, about the only way that a hacker could access my password safe would be to come into my office and kill me while I was at my computer with LastPass open. The only other way to access my bank account would be if my bank itself had been hacked (which is why you want to proactively change your passwords on a regular basis) or if I had carelessly used my debit card at a gasoline pump or ATM kiosk that had a card skimmer installed, fell victim to a phishing scam, or allowed malware to be installed on my computer or network. These latter scenarios are just as unlikely as the hacker coming into my office and killing me.
Is two-factor authentication inconvenient? Absolutely, but it is far more inconvenient to have your funds or even your personal identity stolen.
Many online services now either offer the option or require the use of 2FA. These include Amazon, Facebook, Twitter, Dropbox, PayPal, Apple and Microsoft. Most have 2FA turned off by default but provide instructions (usually easy to find under security settings) for enabling it. If given the option, use it. If given the choice between SMS or a smartphone app, an app is more secure. Yes, there is the added time required to install the app, but once again we are talking about minor inconveniences. The smartphone app is then typically paired to the account by scanning a QR code that is displayed on the first device; that code carries the shared secret from which the app computes each one-time code.
Is 2FA totally secure from hackers? Of course not. For this reason, three-factor authentication is commonly used in highly secure environments. Look at it this way: two generations ago, we commonly drove cars without seatbelts.
When seatbelts were first introduced, they were only lap belts, without a shoulder component. Today, most of us would not think of buying a vehicle without multiple airbags, and most new cars include a variety of added safety features, such as collision avoidance and automatic braking.
We are living in a dangerous world, and common sense dictates that we take every reasonable security precaution available.