In Verizon’s Data Breach Investigations Report, they reported that 63% of confirmed data breaches involved leveraging weak, stolen or default passwords. This shouldn’t come as a surprise given that “123456”, “password” and my personal favourite, “letmein”, were amongst the most commonly used passwords of 2017.
Why are passwords not secure?
Passwords were never a reliable way of providing access protection to begin with. The major flaw with passwords is that they require us to remember a combination of letters, numbers and characters, which is difficult and unrealistic to keep track of, especially across many different services.
So, in an attempt to make life easier, we make the common mistake of simplifying passwords, reusing them across different services and keeping them for years. More often than not, this leads to what is known as a ‘domino effect’, where hackers are able to take over multiple accounts by cracking just a single password.
For hackers with enough time and resources, cracking your password (depending on its length and complexity) can take as little as a couple of minutes. Other vulnerabilities include poorly encrypted passwords, social hacking, hacked databases, and the list goes on.
What is 2FA?
Two-Factor Authentication (2FA) adds an extra layer of protection beyond the password. It notably decreases the risk of a hacker accessing your online accounts by combining something you know (a password) with a second factor, something you have, such as a mobile phone.
By adding this additional factor to your security flow, an account whose password has been compromised still remains protected, because the attacker also needs the second factor.
2FA via SMS has become the industry standard because the majority of online users have their mobile phones handy. Let’s go through a high-level example of what that flow looks like.
- You are prompted for your username and password on an application.
- After entering the correct combination, you are prompted to enter the security code (often called a one-time password) that was sent to your mobile device.
- After the code is entered and verified, you are securely logged in.
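The server side of the second step above (issue a code, deliver it, verify it) as an added example that is not from the original post. It assumes the password step has already succeeded and stands in for the SMS gateway with a return value; the code length, five-minute lifetime and attempt limit are chosen for the example.

```python
"""One-time code issue/verify for the SMS 2FA flow (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300   # assumed lifetime: the code expires five minutes after issue
MAX_ATTEMPTS = 5         # assumed limit: the code is invalidated after this many wrong guesses

# user_id -> {"digest": bytes, "expires": float, "attempts": int}
_pending = {}


def _digest(code: str) -> bytes:
    # Store only a hash so a leaked table does not expose live codes.
    return hashlib.sha256(code.encode()).digest()


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Generate a random numeric code, record its hash and expiry, return the code for delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"  # CSPRNG, zero-padded
    _pending[user_id] = {"digest": _digest(code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code  # a real deployment hands this to the SMS gateway instead of returning it


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the correct, unexpired code exactly once; every check counts as an attempt."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False                     # nothing issued, or already used
    if now > entry["expires"]:
        del _pending[user_id]            # expired: the user must request a new code
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user_id]            # too many guesses: invalidate rather than allow brute force
        return False
    if hmac.compare_digest(entry["digest"], _digest(submitted)):
        del _pending[user_id]            # single use: a replayed code is rejected
        return True
    return False
```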
Where would I use 2FA?
The short answer – everywhere. The more layers of security your application has, the harder it becomes for hackers to gain unauthorised access. Here are a few examples of where 2FA is most likely to be used:
- The code issued by your bank when you register for an online account or change your personal details. You usually use the code together with your username and password for Internet banking.
- A one-time password that you receive as an SMS on your mobile device when you log in to your online tax account.
- A random password generated by an app like Google Authenticator that you use to log in to an online account.
The idea of 2FA is to provide extra security through a second step of authentication. It means that, on top of a password, a website requires one of the second authentication methods above for signing in.
That being said, don’t expect it to magically safeguard your application from attacks. By no means will it keep the bad guys out forever, but it will make it harder for them to infiltrate your application.