What is two-factor authentication and how do I use it?

This is the first post in a weekly series on the Clef blog. What is That: 5-Minute Blogs on Understanding and Using Security Concepts. 

Two-factor authentication seems to be the hot new thing these days. Twitter has it. Facebook has it. Clef is two-factor. The thing is, all of these systems look different — how can they be the same?

I’m here to do two things: (1) give you a quick, easy run-down on what two-factor authentication is and (2) tell you why, and how, you should enable it on your favorite sites.

What is two-factor authentication?

According to Wikipedia,

two-factor authentication is an approach to authentication which requires the presentation of two of the three authentication factors: a knowledge factor, a possession factor, and an inherence factor.

Key take away: for any login process to be 2-factor, you must provide two pieces of information or identification. So, what are the different types?

Knowledge

The knowledge factor is the most common factor. It can be a password (like the one you type to log into Facebook), a PIN (like your Clef PIN), or a secret question. In one-factor authentication systems like the ones you’re probably used to, knowledge is usually the only factor.

Possession

Lately, possession has become a more commonly used factor in two-factor systems. To prove possession, you need to verify that you have a device, which you’ve previously registered as owning. You can do this verification by typing a code from a text message or, in the case of Clef, simply syncing a wave!

Inherence

The inherence factor may be the one we hear most about, though it often goes by another name: biometrics. Whether it’s finger print scanning, voice recognition, or heart rhythm verification (yes, that’s a thing), the inherence factor is about providing a piece of yourself.

 Factor-type gotcha

One of the most common flaws in two-factor authentication systems is a lack of factor diversity. For instance, in the authentication portals of some online banking systems, users are prompted for a password and a security question every time they log in. While this login requires two pieces of information, both verify the same factor. Yes, it’s better than one, but it’s nowhere near as secure as a two different factor types and technically cannot be classified as two-factor authentication. If you know anyone that does this, let them know it’s bad (and let us know in the comments)!

Different implementations

Not all implementations of two-factor authentication are the same — even when they use the same factors. For instance, Facebook’s system uses a password as the primary factor (knowledge) and a text message to your phone with a 6 digit code you enter (possession of your phone) as the secondary verification factor. At Clef, similar to a debit card, we use a 300 character digital signatures generated by your phone as the primary factor (possession) and a PIN as the secondary verification factor (knowledge). Different implementations have pros and cons (we’ll dive deeper into this in a later post), but two-factor authentication is always better than one-factor.

Why is two-factor authentication important?

Passwords are broken. Every day, they are getting easier to crack and less secure for users. Two-factor authentication systems provide an additional layer of security by requiring an attacker to obtain two distinct pieces of your identity. While not impenetrable, hacking your accounts becomes much harder and large-scale password database attacks become less economically viable (because even if an attacker gets 10 million passwords, they still need to get the phones or fingerprints of every user).

How can I use 2-factor authentication?

While not all sites provide 2-factor authentication as an option, many do. Lifehacker has a great article on setting up 2-factor authentication on all of your sites.

If you want two-factor authentication on WordPress, check out Clef for WordPress — the easiest, cheapest (free), password-less two-factor authentication available.