Two-factor authentication is the most popular security measure nowadays. Basically, authentication is the process by which users confirm that they are who they claim to be. The same process applies to computers and applications too. It is necessary to ensure that a person requesting access to computer resources is a person authorized to use them. Remember, authorization and authentication are not the same! They are related, but essentially different concepts.
Single-Factor Authentication is not enough
Single-factor authentication (also known as SFA) is an authentication process by which users confirm their identity through only one category of credential (that is the kind of authentication used in WordPress). The most widely used method is password-based authentication: users enter a username and then provide a password by which they confirm that they are the user they claim to be. The rule for this kind of authentication was really simple: the password had to be more than 6 characters long and made of letters and numbers. Thus, it is not surprising that this method soon became inadequate. After all, it is not difficult to steal or crack passwords, not to mention the fact that some users forget or lose their passwords.
The solution is Two-Factor Authentication
Since single-factor authentication was no longer enough, more and more sites have started to use two-factor authentication to ensure security.
Two-factor authentication (also known as 2FA) is a process that requires two different sets of credentials to confirm your identity before logging into a site. These sets may include:
- Some physical object in the possession of the user (for example, a USB device, a bank card, a key, a mobile phone number, etc.). In other words, it is something unique you have.
- Something that is known only to the user (for example, a unique username, a password, a PIN, etc.). In short, it is something you know.
- Some physical characteristic of the user (for example, biometrics: a fingerprint, a retina scan, etc.). It is something you are.
How does the Two-Factor Authentication work?
As already mentioned, a two-factor authentication process combines two different components, and each of them can be delivered in various ways. The most common examples:
- SMS passcodes. A unique passcode is generated by the two-factor authentication service and sent via SMS to your phone so that you can enter it in the authentication process.
- Phone callbacks. This method calls your phone and waits for you to pick up and press any key to authenticate.
- Hardware tokens. You press a button on a small device that is programmed to generate a new passcode, and you type that code into your two-factor prompt.
- Push notifications. You need a particular app (a two-factor authentication mobile app) through which you receive a push notification on your smartphone for every authentication request.
There are many websites that use this authentication method. Here are some of the best known:
- Google. When you sign in to your account from a new IP address, the first thing you need to do is enter your password. Next, Google sends you an SMS with a 6-digit code. Only after you enter this code too can you reach your account.
- Facebook. If you want to log in from a new or unrecognized computer, you will be asked to enter a code that is sent to your mobile phone via text message.
- Twitter. When you try to sign in to twitter.com, you will be asked to register a verified phone number and a confirmed email address.
Why is Two-Factor authentication better?
The most important reason why two-factor authentication is better than single-factor authentication is security. By choosing two different channels of authentication, you can protect users' logins from remote attacks that attempt to take over accounts (phishing, credential exploitation, etc.). Imagine that someone tries to steal your account. The first thing they do is steal your password. But they do not have access to your phone, so they cannot get into your account.
Password-guessing attacks occur constantly, and there is a big chance that one day a hacker will break into your account and steal your information, upload malware or perform other malicious acts. However, two-factor authentication makes damaging your website harder, and most hackers give up after a while when they cannot break in right away. So, two-factor authentication is currently the only viable method of safeguarding network administrators and users from online identity theft.
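To make the argument concrete, here is an added example (not code from the original post) of a two-step login: a password check followed by a one-time code of the SMS-passcode kind, where a stolen password alone gets nobody in. The in-memory LoginService, its sent_sms list standing in for an SMS gateway, the five-minute expiry and the three-attempt limit are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumed: three wrong codes burn the code
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is not usable as a credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class LoginService:
    """Minimal two-step login: password first, then a one-time code sent out of band."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be tested
        self.accounts = {}                 # username -> {"salt", "hash", "pending"}
        self.sent_sms = []                 # stands in for the SMS gateway (constructed)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt,
                                   "hash": hash_password(password, salt),
                                   "pending": None}

    def start_login(self, username: str, password: str) -> bool:
        """Step 1: something you know. On success, issue a fresh code to the phone."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        if not hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"        # CSPRNG, never random.randint
        acct["pending"] = {"code": code, "issued": self.clock(),
                           "attempts": MAX_CODE_ATTEMPTS}
        self.sent_sms.append((username, code))            # delivery over the second channel
        return True

    def finish_login(self, username: str, code: str) -> bool:
        """Step 2: something you have. The code is single-use, expires, and
        allows only a few guesses, so a stolen password alone does not get in."""
        acct = self.accounts.get(username)
        if acct is None or acct["pending"] is None:
            return False
        pending = acct["pending"]
        if self.clock() - pending["issued"] > CODE_TTL_SECONDS:
            acct["pending"] = None
            return False
        pending["attempts"] -= 1
        ok = hmac.compare_digest(pending["code"].encode(), code.strip().encode())
        if ok or pending["attempts"] <= 0:
            acct["pending"] = None          # consumed: cannot be replayed or brute-forced
        return ok


def wrong_code(code: str) -> str:
    """Demo helper: a six-digit code guaranteed to differ from the real one."""
    return f"{(int(code) + 1) % 10 ** 6:06d}"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    # Someone who knows the password but has no access to the phone.
    print("password only, step 1:", svc.start_login("alice", "correct horse battery staple"))
    print("password only, step 2:", svc.finish_login("alice", wrong_code(svc.sent_sms[-1][1])))
    # The legitimate user reads the code from the phone.
    svc.start_login("alice", "correct horse battery staple")
    real = svc.sent_sms[-1][1]
    print("user step 2:", svc.finish_login("alice", real))
    print("same code again:", svc.finish_login("alice", real))
```

The three properties of the code (expiry, single use, limited guesses) are what make the second factor worth more than a second password: a six-digit code has only a million values, so without the attempt limit it could simply be enumerated, and without single use a code captured in transit would still work after the real user had logged in.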