Two-factor authentication: What is it - and why do I need it?

Over the past two years, many online services have started to offer ‘two-factor authentication’ - an extra security measure which often requires a code from an app, or an SMS message, as well as a password.

For PC users already tired of having to remember dozens of passwords, this might seem like the last thing they need - but it can spell the difference between falling victim to online criminals and staying safe.

Twitter, Google, LinkedIn and Dropbox, as well as many others now offer the service, as an optional ‘extra’ security add-on.

Twitter and LinkedIn both added the system after high-profile hacks - and other sites such as Evernote have added systems over the past year, as reported by We Live Security here.

Systems vary but usually involve either an automated SMS message or an app which generates codes. After you enter your password, you’ll be asked for the code - or in some systems, you’ll use an app (separate from your browser) to enter the code.

An ESET video explains what two-factor is, and why it works, here.

Two-factor systems are far more secure than passwords - many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happpened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.

But it’s important to remember that there is no ‘magic bullet’ - two-factor systems are better than passwords, and simpler than biometrics, but hackers can and do find ways round them.

What the systems ensure is that hackers have to work much harder - for instance, a recent attack against World of Warcraft involved criminals building a fake replica of the popular add-on site Curse, where every download was laced with malware, as reported by We Live Security here.  In other words, the ‘job’ is much more difficult for criminals - and that is good news.

ESET Senior Research Fellow David Harley says, “The sad fact is, static passwords are a superficially cheap but conceptually unsatisfactory solution to a very difficult problem, especially if they aren’t protected by supplementary techniques. One-time passwords and tokens are much more secure, especially when implemented in hardware as a two-factor authentication measure.”

How do I turn it on? 

Many sites - including Twitter, Gmail and Dropbox - offer two-factor systems already, free, although you have to enable them yourself - it's usually found under Settings or Privacy, and most sites walk you through the process. It's worth doing so if you keep any private information in such accounts - and particularly if you store sensitive business information.  Two-factor authentication makes it far more difficult - although not impossible - for cybercriminals to break into accounts on sites such as Twitter and Dropbox. At present, though, the system is “opt-in” - you have to go to settings, and add your authentication method manually.

Do I need it on every site?

Short answer - no. Ideally you would use 2FA for your most valuable accounts, the ones that can’t afford to be compromised under any circumstances. Most computer users have logins for dozens or even hundreds of sites - and much in the same way that a ‘throwaway’ email address is useful for creating an account on a site you’ll only use once, two-factor isn’t worth setting up on sites you’ll visit once, then never again.

Is it bulletproof?

No - but it is a decent extra layer of protection that makes you a smaller target for cybercriminals. Some malware - such as Hesperbot - is built to ‘leapfrog’ such systems, by fooling users into downloading a fake app instead of the real one, but in most scenarios, two-factor systems offer a valuable extra layer of protection for consumers or business.

Can an “average Joe” web user truly benefit from it?

Yes. On Dropbox particularly, many families store huge amounts of valuable information - and don’t use the optional two-factor security. It’s there - use it. If you’re using Facebook, Twitter and LinkedIn for your job, it’s worth considering also - if you’re hacked, your reputation could be damaged.

Could it help my small business?

Short answer - yes. A recent report found that two-thirds of companies who allowed ‘working from home’ failed to provide secure access to company networks, putting private corporate information at risk. Two-factor systems can help small businesses by allowing home working - and cutting overheads such as office space.