Unfortunately, these days even a strong password may not be enough to stop a determined attacker. Whether the threat is a trojan that infects your computer and steals a password, or someone who wants your Twitter account (attackers can do anything from guessing your password to socially engineering a password reset), it is important to add layers of security on top of a simple password. Multi-factor authentication, most often seen in its two-factor form (2FA), helps to mitigate those attacks.
Multi-factor authentication is based on someone proving their identity in more than one way when accessing a system. The proofs fall into three categories of factor: knowledge, possession, and inherence.
Knowledge factors are things that only the user knows (a password); possession factors are things only the user has (an ATM card or a key); and inherence factors are things the user is (a fingerprint or a retinal scan). Requiring two (or three) of these from different categories makes an account very difficult to fake or hack, because an attacker has to defeat each one separately. And, if one of the factors is time-sensitive, as with a code that is only valid for a short period, the security of your information increases dramatically, since a captured code quickly becomes useless.
One of the most common examples of two-factor authentication that you have probably experienced would be using an ATM. You are not able to use an ATM without your card. But, at the same time, possession of the card is worthless without knowledge of your PIN. The combination of those two things allows access to your banking information.
The security in this example is very good, simply because it would be very hard for someone to get both pieces of authentication. If your wallet is stolen, that does not give the thief your PIN. And someone watching over your shoulder for your PIN will not easily get your card. It is sobering to realize, by comparison, that you probably log in to your banking website with just a username and password.
There are a few ways to accomplish two-factor authentication, and it can dramatically increase the protection of the accounts where it is enabled. It is important, though, that you use legitimate two-factor authentication. If you are simply entering a password and then answering a security question, you are not using two different types of factor; you are using two forms of the knowledge factor. Both can be guessed, looked up, or extracted with a little social engineering, and the account can still be compromised.
In recent years, the prevalence of smartphones and texting has provided easy avenues for two-factor authentication, and the systems in place can provide a good bit of security. Examples are the use of SMS to send a one-time use code, or an app (Google Authenticator, for instance) that generates a one-time code on the phone itself. When you log in to a website with a username and password, the website either sends a text message or asks for the current Google Authenticator code; the app computes that code from a secret that was shared with the website when you set it up and from the current time, so the website can compute the same code and compare. You enter this code in addition to the username and password, and only then are you granted access to the system. This combines a knowledge factor (the password) with a possession factor (the phone). If someone knew your username and password, they would still be hard pressed to get the one-time code, which is also why the app-based code is the stronger of the two: a text message can be intercepted or redirected to another phone, while the app's secret never leaves the device.
So, what's the moral of the story? Wherever a website or system offers two-factor authentication, enable it immediately, and prefer an authenticator app over SMS codes when you are given the choice.
article by DONNA GRINDLE, CHPSE
ABOUT THE AUTHOR: Donna Grindle, CHPSE, has been writing medical practice software as a programmer since 1987. She currently is the owner and president of Karden Technology, which specializes in IT- and HIPAA-compliance services, working with small healthcare providers and businesses that support them.