An interesting article by John Shier at NakedSecurity:
This October is National Cyber Security Awareness Month (NCSAM).
So I thought I would write my inaugural Naked Security article on a topic near and dear to my heart: two-factor authentication.
What is two-factor authentication?
It is an authentication process where two of three recognized factors are used to identify a user:
- Something you know – usually a password, passcode, passphrase or PIN.
- Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits.
- Something you are – fingerprints, iris patterns, voice prints, or similar
Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website.
So if someone manages to get hold of your password (something you know), they still will not be able to access your account unless they can provide one of the other two factors (something you have or something you are).
For example, at Sophos we use secure tokens with rotating six-digit codes to remotely access internal systems. Every time I want to establish a VPN session, I need to provide my username, a password and the six-digit code appended to a PIN.
At home I use similar methods to access many online and personal resources. In the last year, many social media sites, including Facebook, Twitter and LinkedIn, have all added some sort of two-factor authentication.
Many of these sites employ SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).
Gaps in mobile network coverage and the unreliable delivery of SMS messages can make this difficult, however.
Some services allow you to use an authenticator app in addition to your password, which presents you with a different numeric one-time password (OTP) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective app stores.
Read the rest here.