Skill Level: Appropriate for all
- [Instructor] In this episode, I want to talk about two-factor, or multi-factor, authentication. Two-factor authentication has become widely used lately as companies and organizations want to help their users make their online accounts more secure. When you log into a site or app with two-factor authentication, instead of just using a password, the site requires a password and a code, which comes from a dedicated device. This method of using a separate piece of information in addition to your password is called two-factor because it involves two factors. But what is a factor? In the security world, authentication information, or information you'll use to tell a system it's you, comes generally from three different sources.
These kinds of information, or factors, are things you know, or knowledge factors, things you are, or inherent factors, and things you have, or possession factors. Things you know are pieces of information you've memorized. Your password is this kind of factor. Even though you also have a username, which is something that you know, your username and password are both the same kind of information, something you know. So they're just one factor. Something you are is something about yourself. Usually this is biometric information, like a fingerprint, your face pattern, or if you're a spy in a blockbuster action movie, a retina scan.
Usually these things are thought of as unchangeable, again, unless you're a spy in an action movie. And things you have are items like a code generator. You don't know the code it'll generate, and you're only presented with it when you push a button. You can think of this factor like a door key or a work I.D. badge. It's something that can be taken away, unlike a memorized password. These codes are generated by a mathematical algorithm tied to that device that the system you're logging into can predict to check whether it's correct. Commonly, this kind of factor comes as a little key chain device.
So when we talk about two-factor authentication, we're referring to two different types of factors. In the case of a password and a code, a factor we know and a factor we have. So, to use a spy analogy, imagine you're meeting someone to share secret information. They see you and ask for the secret phrase. You say something like, "The eagle flies at midnight." That's the password. And then they say, "All right. What's the code of the day?" This you look up in a notebook given to you by your spy agency. You flip to the page for today, and you say, "Today's code is pancakes with butter." Unlike the password, which stays the same, the daily code only works on one day, and then you have to use a different code on a different day.
After you've shared both of these pieces of information, you can exchange your information securely. With digital authentication systems, this code is generated every 60 seconds or so, and it's valid only for that period of time. We use two-factor authentication to help guard against someone else learning your password. In a single-factor system, if they have your username and password, they can use your account. But if an account requires two-factor authentication, someone who knows your password would also need your second factor, your code from your device. This increases security in a world where passwords are leaked all the time.
When you log into a system that uses two-factor authentication, sometimes you log in first with your username and password, and then a separate box, or second screen, asks for the code. And sometimes you log in with your username and a combination of your password and the code in the same box. Depending on the system you're using, whoever runs it will choose one of these methods or the other. When you set up an account with two-factor authentication, for a bank, for an employer, or something like that, you'll be asked to enter a credential I.D., which is a number that lets the system know which second-factor device you have.
On these key chain devices, it's usually on the back. And sometimes you'll be asked to provide a code, or two successive codes from the device, to verify it. Once the device is verified, you'll only need to use one code from the device at a time. These codes, as I mentioned earlier, expire after a period of time, so you can't store them in a password manager or something like that. You need to keep the device with you, or keep it in a safe place, so you can use it when you need to log in. Using devices to generate a code is pretty secure. There's another kind of authentication that's similar to two-factor authentication, called two-step authentication.
In this case, you're asked for two pieces of information: a password, and a code that comes from a device like a mobile phone, through an app, or a text message. This second piece of information isn't technically a second factor, because it comes from a source that could, theoretically, be intercepted or copied. So it's considered a knowledge factor rather than a possession factor. While a hardware token is extremely difficult, if not impossible, to copy, a code that comes from an app on your phone or is sent to you, theoretically can be copied. In practice, these two systems work in much the same way, but you may see the different terms, and so it's important to know that they're different even though some organizations use the terms interchangeably.
I mentioned that two-step authentication is a little bit less secure. It's still fine for most things, but occasionally dishonest people will try to game the system, especially when a text message is involved. If you get an unexpected text message with a code, it's usually best to ignore it and go change your password on whatever service sent it. And if someone texts you asking for a code because they say they used to have your number or mistyped their number or something, don't reply to them, and go change your password. It might be true, but it's probably not. This usually indicates that someone has your password and is trying to log in to your account.
Protecting access to your accounts is more important than being polite in this situation. Using two-factor and two-step authentication can be a little bit annoying because it's another step in the login process, and in the case of a hardware token, another thing to lose. But the trade-off in security is worth it.