How Does 2-Factor Authentication Add Security To Your Accounts

One of the simplest ways to add a significant layer of security to online accounts and digital credentials is called 2-factor authentication. This technology has been around for many years, but recent high-profile data leaks have pushed the adoption of 2-factor authentication mainstream.

At Southeastern Technical, we recommend enabling 2-factor authentication for all third-party accounts that support it. It’s one of the most sensible, easy-to-implement ways to keep your company’s accounts safe and secure.

To elaborate on why that is, we’ll explain what 2-factor authentication is and how it protects you in the sections below.

What Is 2-Factor Authentication?

Before we can answer this question, we need to talk about single-factor authentication. Single-factor authentication has been the standard for most websites for the last decade or two. It’s the classic username plus password scenario. Users create a username and select a password when creating an account, and then they provide those credentials each time they visit the site.

Single-factor authentication has plenty of problems, which we’ll get to in a later section. Because of these problems, many businesses have added another layer of security, or authentication, to their accounts. This second layer is what’s called 2-factor authentication.

While there are many methods for implementing 2-factor authentication, all of them require some second layer of identity establishment after the username and password screen. Often this takes the form of a one-time numeric code texted to the user’s phone, but there are plenty of other methods as well. All types should draw on two different categories of information: something you know (your credentials) plus either something you are (your fingerprint or retina scan) or something you have (a unique code you’ve been given).

So, to sum up, when a site or company is using 2-factor authentication, users are required to provide two forms of authentication. They must produce both the correct username and password (the first factor) and some other proof of legitimate account ownership (the second factor) before they can gain access to their account.

Types of 2-Factor Authentication

There are many ways to implement 2-factor authentication (2FA for short). The most common on consumer accounts (like Gmail) is the method mentioned above. With Gmail’s 2FA enabled, users first log in via email address and password. Next, Google sends a one-time numeric code via text message to the cellphone listed in the account. The user must have physical access to that phone to see the code, which the user then types into the Gmail prompt.

Some consumer websites provide the option to bypass the second layer of authentication on trusted devices, like your home computer. While the convenience is nice, we don’t recommend doing this as it circumvents the whole point of using 2FA. 

In the early days of 2FA, large corporations would issue authenticator keyfobs to employees. These would generate a random code every minute or so, and employees could not access critical systems without the rotating codes. This method is rarely seen today for one obvious reason: lose a keyfob and the system is more or less compromised, because the old fobs couldn’t be deactivated remotely.

The other major forms of modern 2FA are based on this concept, though. Authenticator apps use a time-based one-time password, enrolled by scanning a QR code, all built into a dedicated app on your smartphone. This system works even when your phone has no service, but the authentication is generally tied to one app on your phone. New-school security keys are another descendant of those rotating keyfobs. Today’s security keys keep the physical in-person security aspect but ditch the rotating passcodes in favor of a newer technology called Universal Second Factor, or U2F. U2F interacts with the site behind the scenes, proving that your key is present without you having to read or type a passcode yourself.

Apple devices and accounts (among others) use a push-based 2FA system that notifies users that someone (hopefully you) is trying to log in somewhere else. You’ll often see these prompts on your MacBook when updating iOS or iPadOS, for example. If it’s you, you can click “allow.” If it’s not you, you can click “deny” and lock out the would-be attacker.

The various methods of 2-factor authentication all have strengths and weaknesses. But the most important takeaway is that your business needs to implement 2FA in one form or another. It’s one of the most manageable steps you can take to improve security.

What Does 2-Factor Authentication Protect Against?

In short, 2-factor authentication protects against unauthorized access to your account or system. It is comparatively quite easy to get into an account that uses single-factor authentication. There are so many ways to steal usernames and passwords. These include social engineering, corporate espionage (which can be as simple as your competitor paying your janitor to take a picture of the password sticky note next to the CEO’s computer!), phishing attacks, and simply buying up lists of compromised credentials from bad actors.

Now, it’s bad if any employee’s credentials are compromised in any of the ways above (or more creative ways we didn’t mention). But if you’re using single-factor authentication, it’s more than just bad. When an attack comes, it could be anything from a major hassle to an existential threat.

When you use 2-factor authentication, hackers and bad actors must work much, much harder to breach your systems or accounts. They may well steal your credentials, but unless they can steal your phone or security key, those credentials won’t accomplish anything for them.

So, to sum up, 2FA can help protect against unauthorized access to accounts and systems throughout your organization. It’s not a bulletproof system, but it makes it much, much harder for people to penetrate your systems.

Why Is 2-Factor Authentication More Secure Than Single-Factor Authentication?

Single-factor authentication has been effective, but it has plenty of weaknesses. First, users are bad at remembering dozens, if not hundreds, of unique usernames and passwords, as well as which combinations belong to which sites. Humans in general just aren’t good at this. So, people tend to reuse their credentials or choose easy-to-remember, easy-to-guess passwords. Or — perish the thought — they keep a “passwords” notebook right next to their work computer!

The second problem is how easy it can be to obtain another person’s credentials illegitimately. Password notebooks can be rifled through. Simple passwords can be guessed or cracked using simple brute-force tools. And improperly managed corporate databases containing the usernames and passwords of customers can be compromised.

2-factor authentication doesn’t resolve the problems of single-factor authentication. Instead, it adds another layer of challenge or difficulty, so the barrier to entry is much, much higher. To gain access to an account secured with 2FA, a bad actor must first steal a valid username and password combination. That’s the easy part. Next, they’d need to either physically steal the person’s phone or somehow manage to clone or intercept it. (Network TV makes “cloning a phone” look like child’s play, but reality is far more complicated.) If the account is secured with an authenticator app or modern security key, the bad actor would need access to those elements instead.

For the bad guys, it all comes down to risk and ease of access. If an account is easy to infiltrate and the risks of getting caught are low, bad actors are going to act. But imagine how much more risk is involved in convincing someone to physically hand over their cell phone or security key. For starters, doing that requires showing up in person, which is far riskier than sending out phishing emails from a distance.

You want to make it as risky and as dangerous as possible for would-be attackers to gain access to your systems. Will enabling 2FA stop every instance of targeted corporate espionage? No. But doing so will protect you from most crimes of opportunity, and those are far more likely than targeted attacks.

How Much More Secure Is 2-Factor Authentication?

While it’s impossible to put this in concrete terms like a percentage, 2-factor authentication is far more secure than single-factor authentication. Breaking into an account protected this way is much more challenging because it usually requires physically stealing a smartphone (and maybe its passcode) or a USB security key.

Needing this kind of personal access virtually eliminates crimes of opportunity, and it makes targeted action more difficult by several orders of magnitude.

Ready to Implement 2-Factor Authentication? We Can Help

2-factor authentication is a valuable security enhancement that’s surprisingly simple to implement for most organizations. If you’re ready to implement 2FA at your company or if you have questions about what implementation would look like, we’re here to help! Get in touch today to learn how 2FA can work for you.

About Southeastern Technical

We help leaders discover how they can have stable, reliable information technology (IT), so their organizations can experience fewer IT problems and security threats.
