Two-Factor Authentication

Russell W. Gilmore, CISSP, CISM, EnCE
Computer Forensics

What is two-factor authentication?

Two-factor authentication is a second level of authentication that you, the user, must pass before you can access your account.

The first level of authentication is your user ID and password. What that means is that anybody with your user ID and password can log into your web-based accounts whether it’s your email account, Office 365, your bank accounts, or any account you have where you log on via the web. If you have your user ID and password, in most instances, that’s all you need. Two-factor authentication adds another step in the process that provides more security to your account whether it’s personal or business.

How does it work?

You go to your Gmail account or any web-based account, enter your user ID and password, and press the Enter key. Shortly after that, a message should arrive on your phone. At the same time, the screen where you are logging in shows a pop-up, in most cases one with six small boxes. The message on your phone tells you to enter six numbers into that pop-up, and doing so gives you access to your account. That is why we call it two-factor authentication. It is that two-step process that makes your account even more secure.
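As an added illustration (not code from the original article), here is a small server-side model of that two-step login in Python: the first function checks the user ID and password, the next two issue and verify a six-digit code that is delivered out of band to the phone, and the last ties the steps together. The user name, password, salt, code lifetime and guess limit are constructed demo values.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo credential store: password hashes only, never plaintext.
_SALT = b"demo-salt"  # constructed; a real system uses a random per-user salt
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
PENDING = {}  # user -> (sha256 of code, expiry timestamp, guesses left)
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

def first_factor(user, password):
    """Step one: the user ID and password."""
    stored = USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)

def issue_code(user, now=None):
    """Step two, server side: mint a six-digit code and keep only its hash."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    expiry = (time.time() if now is None else now) + CODE_TTL_SECONDS
    PENDING[user] = (hashlib.sha256(code.encode()).digest(), expiry, MAX_ATTEMPTS)
    return code  # delivered to the phone, not to the browser that sent the password

def verify_code(user, code, now=None):
    """Accept the code once, within its lifetime, with a bounded number of guesses."""
    entry = PENDING.get(user)
    if entry is None:
        return False
    code_hash, expiry, attempts = entry
    if (time.time() if now is None else now) > expiry or attempts <= 0:
        PENDING.pop(user, None)  # stale or exhausted: user must request a new code
        return False
    if hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest()):
        PENDING.pop(user, None)  # single use
        return True
    PENDING[user] = (code_hash, expiry, attempts - 1)
    return False

def login(user, password, phone_holder):
    """Both steps; phone_holder mimics whoever has the phone and types the code."""
    if not first_factor(user, password):
        return "denied: bad password"
    if verify_code(user, phone_holder(issue_code(user))):
        return "granted"
    return "denied: bad code"
```

Someone holding only a stolen password passes the first step but, without the phone, cannot supply the code, so `login` returns "denied: bad code" and the real owner sees an unexpected message on their phone.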

Why is that important?

I have seen cases where people did not have two-factor authentication enabled. They receive a phishing email, and that phishing email requests their user ID and password for a particular online account. That can be Office 365, a bank account, or Google – any web-based account with a user ID and password. Once the recipient of the email replies with their user ID and password, or clicks a link and enters them there, that information goes to an unauthorized individual who obtained it through a deceptive email. The unauthorized individual can take that user ID and password, go to your account login page, enter that information, and get access to your account. You will not be aware that this has happened.


The simplest way to prevent that is to enable two-factor authentication. In that same scenario, when the person without authorization attempted to log into your account, a message would have popped up on your phone saying “here’s the two-factor authentication code to get into your account.” Since you were not trying to log into that account at the time, you would know that something was taking place.

I have seen business accounts get compromised because they were not using two-factor authentication to protect their users’ accounts. In some cases it’s an embarrassment. In other cases it has cost hundreds of thousands of dollars. Two-factor authentication is not a difficult process to set up for most accounts. My recommendation is to look at your Gmail accounts, your Office 365 accounts, and your banking or financial accounts to see whether those sites offer two-factor authentication. Set it up as soon as you can. It’s another layer of security, safety, and comfort that your data is protected.

