2FA

What is it and should I bother?

Posted June 22nd, 2022

Disclaimer: since the time of writing this blog (22/06/2022), some of the websites mentioned in it may have implemented two-factor authentication.
2FA stands for Two-Factor Authentication. With ongoing efforts to strengthen the security of users when they access different online accounts across various websites and applications on the internet, there is every chance you have encountered this term. Two-factor authentication is an additional step within the login process that provides an extra layer of protection.

What analogy would you use to describe 2FA to someone not tech-savvy?
Two-factor authentication is the process of having two pieces of information (factors) that can verify who you are. Having two separate pieces of information that can verify your identity makes it more challenging for someone to access websites/services pretending to be you. The more difficult it is for a hacker to obtain your login details, the more secure you will be online.
Imagine if someone could pretend to be you just by looking like you and saying they are you (i.e. someone knows your username and password)?
What if you had a physical feature, piece of information or knowledge (e.g. ID, fingerprint, classified information etc.) that could act as an additional means of validating your identity? The rarer and more secure this additional means of verifying your identity is (i.e. the more unique or the harder it is to obtain), the lower the odds of someone successfully breaking into your account.

Why should anyone use Two-Factor Authentication?

Everybody should be concerned at the number of people who have their login credentials hacked. In today's digital world, an extra layer of security can only be advantageous. Usernames and passwords are not the strongest defence for your personal data online. Why is this? There are a multitude of factors, which all centre around one core idea - we are human!
As humans we make mistakes, and mistakes are cruelly punished by hackers who use a variety of tools to aid them. Brute-force tools, for example, easily capitalise on some of the errors that we can make. Some of you may say "But my passwords are strong?! - I make sure to include all the special characters that I am asked for when creating a password for an account somewhere".
While this is true, humans tend to commit the following cardinal sins:

  • Reusing Passwords
  • Having passwords related to personal information
  • Having short passwords
  • Using words in the dictionary
  • Storing passwords in a non secure place
  • Updating a password by incrementing a number at the end of it
  • Password sharing

Social engineering could become an issue here if people can begin to make educated guesses about what your passwords are, based on information that can be obtained about you through your online activity.
In an ideal world, none of the password faux pas above would happen! However, two-factor authentication does provide a second means of user validation, which is more secure than the above.
Guilty of any of the above? You may want to check out the have i been pwned? website to see if your email or phone has been involved in a data breach (better to be safe than sorry).

How does it work?

Two-factor authentication comes in a variety of forms.
One form is via an authenticator app on your phone (e.g. Google Authenticator, 2FA Authenticator, Microsoft Authenticator etc.), which generates a numeric code every 30 seconds. The user is prompted for the numeric code during the login process, and only if the codes match will the user be granted access. (Not all websites support this, unfortunately.) Websites that do support the use of an authenticator app will set this up by asking the user to scan a QR code (generated by the web service you are creating an account with).
Another form is through SMS, where the user is sent a text message with a numeric code. However, with Apple devices, a text message could potentially be seen by any Apple device which is logged on with the same Apple ID (e.g. a MacBook can see the text message an iPhone receives if they are using the same Apple ID) - so this is something to be wary of.
Two-factor authentication isn't just restricted to numeric codes; biometrics can also be utilised to verify your identity. This includes your fingerprint or face ID, which are far more difficult to spoof than a numeric code (but not impossible, sadly) - however, many people do not wish to use this type of information due to privacy concerns. This is due to (understandable) fears that biometric information may be bought and sold, and about how corporations and governments will use that data (can they trust people to be responsible with it?).

Where can you use Two-Factor Authentication?

Not everywhere, unfortunately, but a large number of popular online websites/services utilise this feature. These include: Twitch, YouTube, Amazon, eBay, Airbnb, Google Pay, PayPal, Western Union, Facebook, TikTok, Twitter, Snapchat, WhatsApp, Discord (and Abertay University, of course!). Many more apps use two-factor authentication, and you can check this by using the following website: 2FA Directory. By having two pieces of information that are separate, this makes it more challenging for someone to access websites/services pretending to be you. The more difficult it is for a hacker to obtain your login details, the more secure you will be online. For decades, a strong enough password and username has been utilised to prove your identity, but with rising attack 2fa may not be a silver bullet, but sadly you will never be completely safe on the internet. capacity.

I cannot say for certain why some of the well-established companies I am going to name do not use 2FA. It is interesting to note that the vast majority of airlines do not support 2FA (you can check here if you don't trust me!). While this looks insecure on the surface, airports act as a real-life two-factor authenticator, as they will check your passport to ensure your face matches the picture on the passport and that the name matches the name on the ticket.
As for other well-established apps that don't enable two-factor authentication (e.g. Dell, John Lewis, Lenovo, Rakuten, Netflix, Virgin Media, EE, Disney+, Spotify, Ticketmaster - and many more), again, check here to see for yourself! Can it be assumed they do not value their users' privacy as much as rival companies that use 2FA? It's difficult to see why, and sadly either a mass data breach or legislation seem like the likely avenues to persuade the above companies (and others who don't use 2FA) to enable 2FA for their users.

If you take anything away from this, let it be the following. It can be frustrating having to take out your phone, open your authenticator app of choice, find the 6-digit code and enter it before it refreshes, just to access a website or application online. However, the more effort you make to log in to something, the more effort any potential hacker also has to make. When this enables you to be more secure when accessing something online you do not want others to access, the inconvenience of using two-factor authentication is more than worth it.


Links to websites used in this article
The 2FA Directory
have i been pwned?