by Zoe Landon
Let’s say you have a cat. We’ll call that cat Mortimer, because that’s a nice name for a cat and it’s easy to remember. So his name became part of all your passwords—grayM0rty, Mort$porT, and so on. Maybe not the most secure approach, but hey, you remember them. And even if you talk about your cat a lot (because, well, he’s an awesome cat), you don’t say his name anywhere online. Gotta keep that info safe!
Eventually, though, you slip up. We all do. And Morty’s name is just the kind of information that makes passwords guessable. But it worked for a while! Because it was something only you knew. But knowledge can be guessed or inferred, or it can slip out without a thought. Perhaps it’s not enough to keep everything behind something you know. Perhaps another layer would keep you from having to do something drastic, like renaming Mortimer.
Two-factor authentication has been around for a pretty good time. RSA’s SecurId—a little thing that governments and big companies use to spit out a couple numbers for increased security—has been around since 1987. But there’s an even earlier example of two-factor authentication in the form of a machine created by John Shepherd-Barron in 1967. He called it a Bankomat, but in the States we tend to call it an ATM.
An ATM is two-factor authentication in a nutshell. You can’t drain your bank account just because you have your debit card with you, and you can’t even get started if all you have is your PIN. ATMs work on knowledge factors and possession factors: in other words, what you know (your PIN) and what you have (your card).
Two-factor logins are a bit fancier. First, what you know is your password, and we can all hope that your password is longer than four numbers. Or four… anything. (Four words might be okay, it might not be. That’s the subject of a different article.) Second, what you have is pretty elaborate. When you swipe your debit card, or any credit card, all you’re doing is transferring the magnetically-coded number that’s on the card into the system that the card reader is attached to. Magnets are stubborn, so that number’s not going to change. But with a two-factor login, it can change. It can change all it wants.
In the end, every possession factor—the thing you have—is just a way of generating a password that nobody could either guess or intercept. The details depend on how it works. But that means that you couldn’t guess them either, so they can’t be something you just know. In order for anyone to use that generated password—including you—they have to have the hardware. If it’s dedicated hardware, it’s a hardware token, but there are other devices that can function as a hardware token.
In fact, you probably have a hardware token in your pocket already—your phone. Phones make useful hardware tokens simply because everyone’s got one. (Well, 90% of adults, which isn’t strictly speaking everyone, but it’s close enough.) So this is the tool you’ll probably use when you’re setting up two-factor authentication.
Mobile apps that set up authentication use time-synchronized passwords to let you in. Google Authenticator is a very common option. Getting it set up involves making sure your token—that is, your phone — and the server are both on the same page. They agree on what time it is, they agree that you’re you. Then both sides just generate numbers, over and over, about every 30 seconds or so. But because they agreed on the details, they’ll always generate the same ones. This is how SecurId works, and there are other hardware tokens along the same lines, but phones are usually more convenient.
Text message methods are pretty similar, except that the website sends you the number it generated. You’re just proving that you have the phone you set up in your hands. Which is ultimately all a possession factor is trying to do, but it’s not as safe this way. The upside to this is even your old Nokia brick from 2000 gets text messages.
But there’s more. You can get a Yubikey, a physical device that look like USB thumb drives, which sets up public/private key pairs and do challenge-response authentication. It’s much more secure, but not every website is able to use it, and using it can get to be a hassle. But it’s awesome if you need to be really safe.
There’s always a tradeoff between security and convenience. Having to put in your password, then pull out your phone and put in another password, is a bit inconvenient. But it means that even if someone guesses your Morty-based password, you’re still in the clear. It’s not an excuse for bad or repeated passwords, but we’re human; we all make mistakes.
Usually, however, your password isn’t guessed; it’s stolen. Some big company got careless and cocky, and someone looking to make a buck got in there, and next thing you know there are horror stories of identity theft on CNN. But if you are reusing passwords—and you shouldn’t be—then your accounts that have two-factor authentication are still okay. There’s a lot less to freak out about.
That’s not to call two-factor perfect; it’s not. Those super secure bits of hardware are pretty inconvenient, and easy to get lost. You can usually recover from that, but it can be difficult. You may have to save and use some asynchronous one-time password that was created when you first set up two-factor authentication. These codes look a lot like the ones that get generated when you use them, but they’re set up much earlier and you can use them whenever you need to. You just have to keep them somewhere safe.
And then there’s snooping. Mobile authenticator apps are technically software tokens, even though they live on their own separate hardware. That means some bad code can watch the passwords it generates, making the whole thing moot. Text messages can be intercepted. Numbers can be observed by people nearby. Two-factor authentication certainly helps, but it’s not perfect, and it’s not an excuse to be lazy.
Seriously. Don’t reuse your passwords.
Now I completely understand why people reuse their passwords. They have a lot! It’s easy to forget one. This is the main reason I use a password manager—LastPass in my case, but most of them out there are pretty good. And as an added bonus, many of them let you secure your password list using two-factor authentication. So you can generate a ridiculous password, let the manager remember it for you, and use two-factor to secure everything. It’s like locking your front door versus locking every room individually.
Your password manager will probably have a mobile app as well, so you can use it on your phone, too. Pair that with an authenticator app—Google Authenticator is very common, though Authy and Auth0 are sometimes options as well—and your phone becomes your master key for all the locks across the web. Convenient, but… well, just hope you don’t lose your phone. Or get any malware on it, which is possible with third-party app stores.
But if snooping is a serious concern, hardware tokens are still widely available. There are unique ones like SecurId, as well as the USB option from Yubico. The Yubico options are very cryptographically elaborate, but you have to shell out for the more expensive options to use them more widely. And yes, you have to pay for their keys (which range between $25-$50); sadly, USB devices don’t grow on trees.
Morty is still Morty. Morty is still awesome. And once you have two-factor authentication set up, your accounts are a little more awesome.
What’s less awesome is how many chances you’ll get to benefit from two-factor auth. It’s not always available, and not always where you want it. The support list at twofactorauth.org tracks 57 different banks, for example, and only 20 offer any sort of two-factor option. But there are plenty of other things you can protect, like your email or your Facebook. It’s not perfect—security rarely is—but by giving you one more thing to do, it gives you one less thing to worry about.
Zoe Landon is a full-stack web developer, musician, and internet rabbit from the east coast, now living in Portland OR. She once won a game of pub trivia all on her own and will not shut up about it.