What is Two-Factor-Authentication and why is it so important?

Maximilian Buchalik
Published in Wine in Black Tech
Sep 15, 2020

When the first impact of Covid-19 hit us, we moved our worksite to home offices as fast as possible to ensure that all employees were well protected. At that time (as if we had known it), we had just finished our project of moving all our company-related data to the cloud (in our case the Google Cloud). Since all the important documents were stored online from that time on, we decided to introduce Two-Factor-Authentication to make sure that all data is well protected. Because all colleagues are equipped with a notebook and have access to all the work-related data, moving to home offices wasn’t a big deal for us at this point.

What is Two-Factor-Authentication?

Two-Factor-Authentication adds an additional layer of security to the authentication process (which in most cases is just a single password). For example, this could be an SMS, a digital security key (like the YubiKey) or a push notification from an app on your mobile phone which has to be confirmed.

Why is Two-Factor-Authentication so important?

As we all know, protecting systems only by a password is not the most secure way nowadays. Users often choose passwords which are too short, easy to guess or which they have used multiple times before. This means that if a password is cracked (which sometimes only takes a couple of seconds) or gets leaked, the attacker has full access to all information and data. In this case no anti-virus system or firewall will stop the attacker. Not only the user can be harmed, but also other people with whom the user has a relationship. The attacker could try to leak or crack other passwords by sending mails on behalf of the victim, the whole network infrastructure could be exploited to spread malware, for example, or confidential documents could be stolen. The list of evil deeds is quite endless. As I already mentioned before, with multi-factor authentication you add an extra layer of security to protect yourself and others from all the worst-case scenarios mentioned above.

Some examples of how to use the Two-Factor-Authentication:

As mentioned above, there are different ways to use Two-Factor-Authentication. In this last part of my article I will give you some examples of methods which are in common use today.

SMS:

In this case you just have to store (and validate) a phone number in the service's account. After you have done this, an SMS will be sent to you once your first-level authentication (commonly a password) has been validated. This SMS mostly contains a short numeric code, which you have to enter on the service's login page. Some services also offer the option to contact you via voice call. In this case a computer will read out the numeric code. In most cases this service is free and no extra costs will be charged.

Pay attention: If you use your smartphone or any other device which uses some kind of on-screen notification, make sure in advance that the SMS text is not visible in the notification. The same applies for phone calls: make sure you have to unlock the device first.
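The SMS flow described above, seen from the service's side, as an added example that is not code from the original article. The six-digit length, five-minute lifetime, three-attempt limit, function names and in-memory store are assumptions made for illustration, and handing the code to an SMS gateway is left out.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed length of the "short numeric code"
CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed number of guesses allowed per code

# In-memory stand-in for a real session store (assumption for this example).
_pending = {}


def _digest(salt, code):
    # Only a keyed hash of the code is stored, never the code itself.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def issue_code(account, now=None):
    """Call only after the password check succeeded; returns the code to send by SMS."""
    now = time.time() if now is None else now
    # secrets uses the OS CSPRNG; random.randint would be predictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[account] = {"salt": salt, "digest": _digest(salt, code),
                         "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code


def verify_code(account, submitted, now=None):
    """Check the code typed into the login page; True means the second factor passed."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    # Expired or too many guesses: discard the code so a new login is required.
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[account]
        return False
    entry["attempts"] += 1
    # Constant-time comparison avoids leaking how many digits matched.
    if hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted)):
        del _pending[account]  # a code can be used only once
        return True
    return False
```

The expiry, the attempt limit and single use matter because a six-digit code has only one million possible values.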

Digital security keys:

Digital security keys work a bit differently but are also very commonly used and versatile. One device which is often used is called YubiKey. There are a lot of different types on the market. Some devices can only be used via USB, some of them have an NFC (near field communication) interface integrated and others a fingerprint sensor. These keys can be used not only with computers but also with mobile phones or tablets, for example. Some of the digital security keys need extra software or an app to work (this always depends on how and for what you would like to use them), but some of them also work without any installation and are already integrated in the big players' services and software (Google, Microsoft, etc.). After your first-level authentication, the service or software looks for your YubiKey on your device. When the device has been found, you will get logged in. In some cases the YubiKey asks for a registered fingerprint or NFC chip card, which could be a third factor of authentication, for example.

Apps:

Another way to use the Two-Factor-Authentication could be an app (from Google or Microsoft for example) which is running on your smartphone or tablet. After you’ve installed and paired the app with the service or software, you will get a short notification, which has to be confirmed after your first level authentication.

These are just some examples of how the Two-Factor-Authentication works but there are plenty of other “tools” on the market. Feel free to share your personal experience with the methods I mentioned above or let us know which way of adding a second layer of security to your services you have chosen.
