As a final comment in the password security series I have been doing I thought I would share something called Two Factor Authentication (2FA) or more generically Multi-Factor Authentication (MFA).
What is 2FA/MFA? In non-technical terms is simply means that you need to provide two or more forms of identification (the factors) to prove who you are (the authentication). The factor typical fall into three categories:
- Something you know (knowledge factors) – such as a password
- Something you have (possession factors) – such as your phone
- Something you are (inherence factors) – such as your fingerprint
While 2FA/MFA sounds complicated, it isn’t. Most people have used a form of 2FA without realizing it. When you check into a hotel you are given a room key (something you have) and a told a room number (something you know). Without both factors you cannot get into the room. This protects you if you lose or forget your room key at the pool. Sure, a criminal could try the key on every room until they found the right one but it would slow them down – hopefully long enough for you to realize the key is missing and notify the hotel office.
2FA/MFA for websites works in a similar way. When logging in you typically provide your password as you normally would, then the website will text a code to your phone (or call you with the code). You must enter that code to complete the login. The password is the something you know and the phone with the code is something you have. It is unlikely that a criminal would know your password AND have your phone.
There are variations on how this works where the “something you have” is a Smart Card or token provided by the website rather than your phone but these are typically not used for consumers due to the cost. High security environments may use biometric scanners (fingerprint, retina scanners) in place of something you have or something you know or as a third factor – a fingerprint reader that requires a password and a code sent to your phone.
For more details on MFA please see: https://en.wikipedia.org/wiki/Multi-factor_authentication
A number of websites have started offering 2FA/MFA as an additional protection for your accounts. If you are interested in using 2FA/MFA to protect your accounts see https://twofactorauth.org/ for a list of websites that support 2FA/MFA. You can search by name or by category. If the site you use doesn’t currently support 2FA/MFA you can click a button asking them to support it.
Give 2FA/MFA a try on few accounts and see if it is right for you. Strong passwords, non-standard security questions, and 2FA/MFA are the foundation of on-line account / identity protection.