As more and more organizations have their systems compromised, a security method known as “two-factor authentication” has become more prevalent. 2FA, as geeks like to call it, provides an added measure of security, but is not perfect. What exactly is 2FA, and how can folks best take advantage of it?
The concept of 2FA was popularized in the ’90s and became practical early in the 2000s. 2FA is based on the concept that a user must have two “factors” to access any system, usually (1) something you know and (2) something you have.
The “something you know” is your user name and password. The “something you have” was initially challenging from a technical perspective. It was difficult for users to have something and keep it secret. This was solved by the use of “randomizing key fobs.” The method by which these key fobs worked is too long to be discussed here, but the drawbacks were twofold.
First, it was an extra “thing” to carry around, even though it was small enough to attach to a key chain. Second, while the key fob itself was relatively cheap, the systems behind the fobs were expensive and often difficult to maintain, resulting in a questionable cost/benefit ratio. Only the most secretive of large organizations utilized the technology.
2FA looked like it was headed for an early demise until the advent of the smartphone. The smartphone obviated the need to carry around a second “thing” since everyone takes their phone everywhere. It also facilitated, via simple text, the “something you have” part of the equation.
The way it works now, as many have experienced, is that after successful entry of your user name and password, or “something you know,” a second code is texted to your smartphone, thus confirming “something you have.” You must then enter the code. This process takes a few seconds longer and requires an extra step, so some think it is somewhat of a pain in the okole. When contrasted with the risk of a compromised login, however, the extra step is well worth it.
With the maturation of the technology behind 2FA, along with the increasing need for system security, 2FA has become much more prevalent. Nowadays most every website involving anything even halfway secure, such as financial, email, health care and even real estate, employs 2FA.
This worked great until the bad guys caught up. In recent months, hacking of traditional texting technology, known as SMS, has made some websites employing 2FA susceptible to compromise.
So what to do? Instead of relying upon SMS-based 2FA, check to see whether your provider uses alternate 2FA technologies. Anecdotally, the most popular seems to be Google Authenticator, although others, such as Authy, Yubico and Duo, are also reliable. These alternatives encrypt their communications much better than standard SMS to minimize the chances of being hacked. All require installation of an app onto your smartphone, and all support iPhone and Android.
If possible, you definitely should employ an alternate 2FA method. Even if an alternate method is not available, text-based 2FA is still better than nothing. The old days of a simple login and password are over.
John Agsalud is an IT expert with more than 25 years of information technology experience. Reach him at jagsalud@live.com.