Two-Factor Authentication and How It'll Stop Some Jackass Stealing Your Crap

By Chris Mills

Microsoft enabled two-factor authentication this morning. That's awesome, because two-factor authentication is a simple, cheap method of making yourself virtually hack-proof on the internet. And not enough people use it.


What is Two-Factor Authentication?

Two-factor authentication is the combination of multiple authentication 'factors' to create a secure verification system. A 'factor' of authentication is, put simply, a 'thing' that you have to present to the system trying to verify your identity. This 'thing' can be a piece of knowledge (like a password, PIN or whatever), or a physical 'token', like a smart card or your phone.

In fact, you probably use a bunch of two-factor systems every day. A cash machine is a two-factor system -- "something you know" (your PIN) and "something you have" (the bank card). Most online shopping now requires two-factor authentication -- you have to enter your card details (the physical token), and then often enter a password as well (the knowledge token).


Why is it Better?

Because it's two completely separate systems of authentication, requiring two completely separate methods to get hacked. It's much better than having, say, two different passwords, because if a hacker can get one password, chances are they can get the other. Think of it like a castle -- one wall is good, two walls are marginally better, but a wall, a moat, and a job-lot of Alsatians with a taste for flesh is best.


How Does It Work Online?

Most online services nowadays give the option of using two-factor authentication -- Google, Facebook, Apple, Steam, Dropbox, Microsoft, and just about every password manager in existence, to name but a few. Now, rather than give you a physical token like your bank does, these services try to use existing physical things you've already got.

Generally, that's your mobile phone. What happens is: you enter your normal password online (that's the first factor, obviously), and then you have to enter a code from your phone -- either in the form of a code generated by an app (like Google Authenticator), or a simple text sent to the phone. That forms the second, physical factor, because only someone with your phone and your password can log in now.
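
To show what's actually going on inside an authenticator app, here is an added example (not from the original article or any of the services it mentions) of the standard time-based one-time password scheme those apps use (HOTP/TOTP, RFC 4226/6238). It assumes a shared secret set up when you scan the QR code, a 30-second time step and 6-digit codes; the server side also refuses to accept a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 4226/6238 test key, in the base32
# form that an authenticator app would read out of the setup QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Turn the base32 secret from the QR code into raw key bytes."""
    return base64.b32decode(b32.upper().replace(" ", ""))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the Unix time (phone side)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server side: accept the code for the current step or one step either
    side (clock drift), but never a step at or before the last accepted one,
    so a code that has been seen once cannot be replayed. Returns the
    accepted counter, or None."""
    for drift in range(-window, window + 1):
        counter = at // step + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    key = decode_secret(SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(key, code, now))
```

The server must remember the last accepted counter per user, and should run the same check across each of the SMS, app and backup-code paths; the example only models the app code path.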

There are other ways, generally involving some kind of flash drive. Google lets you turn a flash drive into a secure key that'll provide the second factor, or there's YubiKey, which does the same thing with a dedicated piece of hardware.

Obviously, all these systems take a little bit more time than mashing in a password and hitting enter, but it's probably worth it, for your most important services at least. While it might not matter too much if someone has access to your Runescape account (Oh no! All my gold!), you can actually buy stuff with Google Wallet or PayPal. Equally, control of your Apple account lets you remotely wipe computers, as one of the ex-Giz staffers once found out.


Are There Flaws?

Yep. Late last year, researchers uncovered a sophisticated attack in Europe that infected both PCs and phones, allowing hackers to intercept the verification code texted to people, use it to log into online banking services, and run amok with £30 million of other people's money, which kinda sucks.

That doesn't mean that two-factor authentication blows -- it doesn't. Rather, it just means that enabling two-factor authentication doesn't mean you can slack off the rest of your security. The Eurograbber attack (as it was known) could largely be avoided by using a firewall and some anti-virus software, which you should really be doing anyway (anti-malware is free these days y'know).


Great! So How Do I Enable It?

So, you're willing to lock down your accounts properly. Good on ya. Obviously, the process differs service-to-service:

- Google: The two-factor system with Google can be set up by going here. Generally, it involves entering a code from your phone, or backup codes you can print and keep in your wallet (less safe, obviously). You can also set backup phone numbers, in case you drop your phone down the toilet.

- Apple: Log into your Apple ID, go to Passwords and Security, and hit two-step verification. You'll have to set it up with your phone number, and they'll send you a code to get things going.

- Microsoft: You can set up Microsoft's new two-factor authentication here. Same as Google, there's an app, or the system will send codes to your phone via SMS. Two-factor security is now company-wide, working for everything from Xbox to Outlook emails.

- Facebook: Log into your Facebook account (you don't really need the URL, do you?). Go to Account settings (click the little gear in the top right corner), click Security on the left-hand menu, and then go to Login Approvals.

There are a few other systems that offer two-factor authentication -- Dropbox uses a phone code, and Steam emails you a code by default -- but those are probably your most commonly-used and important services. The only exception is online banking -- most good banks now issue some kind of physical token you need in order to log in to online banking, and also to authorise transactions. If yours isn't one of them, you might wanna think about moving.

Image credit: Hacking from Shutterstock