Two-factor authentication: What you need to know (FAQ)

Twitter's got it. Apple's got it, too. Google, Microsoft, Facebook and Amazon have had it for a while. But why's two-factor authentication important, and will it keep you safe?

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Jason Cipriani Contributing Writer, ZDNet
Jason Cipriani is based out of beautiful Colorado and has been covering mobile technology news and reviewing the latest gadgets for the last six years. His work can also be found on sister site CNET in the How To section, as well as across several more online publications.
You may not know it, but you probably already use two-factor authentication in the physical world. This explanation of what it is should help convince you why it's a good idea to use it with mission-critical online services, too.

Two-factor authentication, or 2FA as it's commonly abbreviated, adds an extra step to your basic log-in procedure. Without 2FA, you enter in your username and password, and then you're done. The password is your single factor of authentication. The second factor makes your account more secure, in theory.

"Twitter made the decision to use SMS [to deliver its second factor] because it makes sense from their position," said Jon Oberheide, chief technology officer of Duo Security, which uses apps to prove identity. SMS is "universal in some respects; all you need is a mobile phone."

But Twitter has faced some backlash, he said, because many of the highest-profile Twitter hacks have been against corporate Twitter accounts.

"Two-factor authentication does help, but Twitter is a high-value target, and it needs to be protected like one," said Jim Fenton, chief security officer at OneID, an enterprise password replacement system.

Here's a rundown of what two-factor authentication is, how it can work for you, and what its limitations are.

What is two-factor authentication?

Two-factor authentication adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered a single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account. The three types are:

  • Something you know, such as a personal identification number (PIN), password or a pattern
  • Something you have, such as an ATM card, phone, or fob
  • Something you are, such as a biometric like a fingerprint or voice print

How old is two-factor authentication?

Older than life itself.

OK, not really. But 2FA is nothing new. When you use your credit card and you must enter in your ZIP code to confirm a charge, that's an example of 2FA in action. You must provide a physical factor, the card, and a knowledge factor, the ZIP code.

But just because it's been around for a long time doesn't mean that it's easy to set up and use.

Wait, it's hard to use?

It definitely adds an extra step to your log-in process, and depending on how the account vendor, such as Twitter, has implemented it, it can be a minor inconvenience or a major pain. Much also depends on your patience and your willingness to spend the extra time to ensure a higher level of security.

Fenton said that while two-factor authentication makes it harder to log in, it's not "hugely" more so.

"An attacker might be able to collect a cookie or an OAuth token from a website and essentially take over their session," he said. "So, 2FA is a good thing, but it does make the user experience more complicated...It's done when you're logging into an account on your device for the first time, for example."

Will two-factor authentication protect me?

Well, that's a loaded question when it comes to security.

It's true that two-factor authentication is not impervious to hackers. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA revealed that its SecurID authentication tokens had been hacked.

Fenton explained both sides of the effectiveness problem. "The thing that concerns me as a security guy is that people don't look at what the cause of the threats might be. 2FA mitigates the problems, but a lot of awful attacks can run on 2FA."

At the same time, he said, two-factor offered more protection than logging in without it. "When you make an attack harder, you're disabling a certain subset of the hacker community," he said.

How is 2FA vulnerable to hackers?

To hack two-factor authentication, the bad guys must either acquire the physical component of the log-in or gain access to the cookies or tokens placed on the device by the authentication mechanism. This can happen in several ways, including a phishing attack, malware or credit-card-reader skimming. There is another way, however: account recovery.

An RSA SecurID key fob. Via Wikimedia Commons

If you remember what happened to journalist Mat Honan, his accounts were compromised by leveraging the "account recovery" feature. Account recovery resets your current password and emails you a temporary one so that you can log in again.

"One of the biggest problems that's not adequately solved is recovery," said Duo Security's Oberheide.

Account recovery works as a tool for breaking two-factor authentication because it "bypasses" 2FA entirely, Fenton explained. "Just after [the Honan story was published], I created a Google account, created 2FA on it, then pretended to lose my data."

Fenton continued: "Account recovery took some extra time, but three days later I got an email helpfully explaining that 2FA had been disabled on my account." After that, he was able to log back in to the account without 2FA.

Account recovery is not a problem without a solution, though. Or, at least, solutions are being worked on.

"I see biometrics as an interesting way to solve the recovery problem," Oberheide said. "If I lost my phone, it would take forever to go through each account and recover them. If there's a very strong biometric recovery method, a passcode of my choosing, and a voice challenge or something like that, it becomes a very reasonable and usable recovery mechanism."

Basically, he's suggesting using one form of two-factor for logging in, and a second, different two-factor combo for recovery.
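
The recovery problem described above can be checked mechanically. This is an added example, not part of the original article: it counts the distinct factor types each path into an account demands and reports the weakest one. The method names, their category mapping and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

# The three factor types from the article: something you know / have / are.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed mapping of credential methods to factor types (assumption).
METHOD_CATEGORY = {
    "password": KNOW, "pin": KNOW, "passcode": KNOW,
    "emailed_temp_password": KNOW,  # assumed: gated only by the mailbox password
    "sms_code": HAVE, "authenticator_app": HAVE, "key_fob": HAVE,
    "fingerprint": ARE, "voice_challenge": ARE,
}

@dataclass(frozen=True)
class Flow:
    name: str
    methods: tuple  # every listed method is required to complete the flow

def categories(flow):
    """Distinct factor types a flow demands; two 'know' items count once."""
    return {METHOD_CATEGORY[m] for m in flow.methods}

def audit(flows, required=2):
    """List every path into the account that needs fewer factor types than required."""
    return [
        f"{f.name}: {len(categories(f))} factor type(s), needs {required}"
        for f in flows
        if len(categories(f)) < required
    ]

def effective_strength(flows):
    """The account is only as strong as its weakest path in."""
    return min(len(categories(f)) for f in flows)

# Constructed sample: 2FA log-in, but recovery just emails a temporary password.
WEAK = [
    Flow("login", ("password", "sms_code")),
    Flow("recovery", ("emailed_temp_password",)),
]
# Constructed sample: recovery uses its own, different two-factor combination.
HARDENED = [
    Flow("login", ("password", "sms_code")),
    Flow("recovery", ("passcode", "voice_challenge")),
]

if __name__ == "__main__":
    for label, flows in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, effective_strength(flows), audit(flows))
```
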

What's next for 2FA?

As two-factor authentication becomes more commonplace, it's more likely that attacks will be more successful against it. That's the nature of computer security. But by virtue of being more commonplace, it will become easier to use, too.

Oberheide said that many of his customers start off thinking that implementing 2FA will be expensive or hard to use, but often find that their experience with it is the opposite.

"I think that will come faster in the consumer space because they're not dealing with all this cruft from the legacy of 2FA from the '80s," he said. But he noted that older systems can have a hard time getting 2FA going. "A few months ago, we published the bypass of Google's two-factor scheme," he explained. "It's not a ding against two-factor in general, but against Google's complicated legacy system."

Fenton noted that increased adoption could create opportunities to refine the technology. "Should we be planning now on designing something that can scale to large numbers of sites? It seems that 2FA is really exploding right now," he said.

Despite its problems, Oberheide sounded an optimistic tone for two-factor authentication. "If we can increase the security and usability of 2FA at the same time, that's a holy grail that's often difficult to achieve," he said.

Update, June 15, 2015: Added additional two-factor service.