INTERNET SECURITY UPDATE: Two-Factor Authentication and Multi-Factor Authentication

In the mid-1980s, when I began my journey with computer electronics, people did not have multiple online accounts like they do today. If you had any kind of computer-related “account,” you were probably connected to a government agency, research facility, or some sort of academia, using ARPANET, CSNET OR NSFNET, the forerunners of the modern Internet.

Alternatively, if you were like me and limited to more modest computing aspirations, you used a “home” computer (mine was a Commodore 64) and connected to “Bulletin Board Systems”, which were similar to of the modern Internet, using a counter. – Setting up the modem through telephone networks. You can also subscribe to consumer-oriented network services such as FidoNet or Compuserve, which charge by the minute.

To access all these wonderful technologies, you used, just like today, an “account”, which consisted of a username (either assigned or invented by you) and a password. These two things unlocked all the doors to the Internet that he had. The password requirements were simple; security was not a major consideration and cybercrime was relatively rare.

Fast forward to today, and things have changed dramatically. Even though online crime has exploded to colossal pandemic proportions, we’re still using usernames and passwords. Although password requirements have become more stringent and security has come into focus, we need more in the fight to stay safe online; usernames and passwords are no longer enough. Enter 2FA and MFA.

Two-factor authentication (2FA) and multi-factor authentication (MFA) are terms that describe essentially the same thing: a way to present additional evidence (called “factors”) to prove that you are who you say you are when you try to access an online service. The whole process is called “authentication”, ie you are in good faith, or “authentic”, the real “you”.

The old username/password model uses only one “factor”, which is the password. One reason to have another “factor” is that so many password databases have been hacked and exposed to anyone who cares to look. Some people are also guilty of using weak, easily guessed passwords that they never change. Another reason to need another “factor” is that many people use the same password for all their accounts. Having more factors makes it harder for the wrong person to access an account.

Factors include something you have (such as a bank card), something you know (such as a password or PIN), something you are (biometric, such as a fingerprint or other physical characteristics unique to you), and somewhere you are (such as connected to a specific network or location information such as GPS).

The most common use of multi-factor authentication is to send a code in a text message to your phone when you try to log into an online account. For example, you log into Amazon by entering your password (the first factor). Amazon sends you a code that you must enter (the second factor) and then you are allowed to use your Amazon account.

Unfortunately, although still widely used, using text messages as a way to obtain MFA/2FA codes is no longer advised. The bad guys of the internet have found many different ways to hack the text method. Microsoft actually issued an alert last November saying that, due to security concerns, people should move away from text message-based 2FA and start using authentication apps like Authy, Microsoft Authenticator, or “token secure” like the YubiKey.

Next column: how to use MFA/2FA tools like Authy and Yubikey.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches community training seminars on Internet safety. He can be reached at 405-919-9901 or internetsafetygroup.org