2FA (Two-Factor Authentication) – Do you need it?

You may have heard of 2FA, especially in the news lately due to all the recently exposed data breaches, but you probably think that you don't need to worry about something like password security. After all, you're not in the CIA or FBI. You may not even have online banking set up, so why should you worry?

With businesses moving to provide more services online instead of through paper and phone agents, your email account is becoming a pivotal, and perhaps the most important, battle front for hackers to compromise. Using tactics like social engineering for their nefarious purposes, these bad actors are doing everything in their power to get access to your email and bank/credit card accounts. Once an account is compromised, repairing the damage can be a long and winding road.

How does 2FA come into play?

In the information security world, there are three primary ways to authenticate a person:

  • Something you know
  • Something you are
  • Something you have

The first method, which was and still is the most widely used, is the password, which falls into the category of “something you know.” The issue with passwords as a sole authentication method is that they can be obtained, in some cases quite easily, through social engineering attacks or plain guessing of weak passwords.

By adding another layer of authentication, such as biometrics (which is “something you are”), you almost eliminate a hacker's ability to authenticate as someone else. However, biometrics are great for large commercial setups that can afford to install biometric readers at their workstations, but not so much for the average home user. In fact, until Apple recently demonstrated how easy it is to use something like face recognition to unlock a phone, biometric solutions were left to purely commercial use.

Enter security tokens. A security token is a device (either physical or software based) that serves as the “something you have” factor. Some of these tokens are as simple in appearance as a small USB flash drive, while others have an LCD display with numbers that change periodically. There are also several software-based security tokens, like Google Authenticator and Symantec's VIP app, that let you use your mobile device as a security token.
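As an added illustration (not code from the original post), this is how the periodically changing numbers from an authenticator app are produced and checked on the server side, using the TOTP algorithm (RFC 6238) that Google Authenticator implements. The secret is the RFC's published test key, and the replay check in the verifier is an assumed hardening detail the post does not discuss.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way authenticator apps expect it from a QR code.
DEMO_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SECRET = base64.b32decode(DEMO_SECRET_BASE32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, timestamp // period, digits)


class TotpVerifier:
    """Server-side check that tolerates small clock drift but never accepts
    a code twice (an assumed hardening step, not something the post covers)."""

    def __init__(self, secret: bytes, digits: int = 6, period: int = 30, window: int = 1):
        self.secret, self.digits, self.period, self.window = secret, digits, period, window
        self.last_step = -1  # highest time step already used for a successful login

    def verify(self, code: str, now: int) -> bool:
        step = now // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # a code from this step was already consumed: reject replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    print("code at t=59:", totp(DEMO_SECRET, 59))  # matches RFC 6238 test vector 287082
```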

Should I use 2FA?

The short answer is yes. At a minimum, use it for your primary personal email account and any online financial accounts. Most financial institutions already use some form of 2FA; these forms aren't necessarily foolproof, but they are better than a password alone.

What 2FA should I use and where do I get one?

The simplest ones to get are Google Authenticator or Symantec VIP as apps on your mobile device. If you use Gmail, you're in luck: enabling and using Google Authenticator with Gmail is very turnkey. Next, you could head over to Amazon and order a YubiKey. There are many types of YubiKeys, ranging in price according to their feature set, but for basic 2FA most will do. If you would like some future-proofing, consider buying the more expensive YubiKey, as it includes features like NFC (Near Field Communication) for wireless 2FA.

Is 2FA foolproof?

No. 2FA is not foolproof. In fact, nothing is ever really foolproof. Hackers will change, and have changed, their approach to compromising accounts; however, 2FA makes an account far less likely to be compromised because of the amount of work involved. Unfortunately, hackers have also stepped up their game with regard to social engineering. Users should educate themselves on these tactics and should not be afraid to question emails or phone calls that could be from a hacker. For example, hackers have been robo-calling people, pretending to be their bank or credit card company and wanting to ‘verify’ some details. They will either claim that something is wrong with your account or that you've earned some kind of gift or reward that they need to send you, but only after confirming some details.

For more information on scams like this or to learn about social engineering scams, check out our Information Security Awareness Tutorial.