Logging into websites is a time-honored ritual with which we’re all familiar:
- You enter your username (or email)
- You type in your password (or PIN)
And you’re in.
However, it’s fairly easy for criminals to hack this process. This is especially true if you use weak passwords such as “1234” or “password.”
For this reason, many websites now require that you use a combination of the following when generating secure passwords:
- Case-sensitive letters
- Special characters
Some sites also set a minimum length of six or eight characters, so you might end up with something like — h&gyt^tdgA5yG.
This approach offers some protection, but even strong passwords can be hacked — particularly if you use the same credentials on multiple sites (which many users do).
As a result, a growing number of sites have begun using two-factor authentication (2FA) to make their platforms even more secure. Also known as “two-step authentication,” this trend is most common among:
- Financial sites (e.g., online banking, PayPal, cryptocurrency exchanges)
- Social media and email platforms (e.g., Facebook, Twitter and Gmail)
But what is two-step authentication — and how does it work?
Two-Factor User Authentication in a Nutshell
As the name suggests, two-factor authentication requires that you provide two independent pieces of verification to “authenticate” your identity.
In most cases, the first verification step is the user’s password. The next one can fall into any of the following categories:
- What you know — e.g., your high school mascot or grandmother’s maiden name.
- What you have — e.g., a unique, one-time code directly sent to your smartphone or email account.
- What you are — e.g., a fingerprint, iris scan or spoken word (via voice recognition).
The thinking behind this approach is that a criminal is less likely to know both your password and your grandmother’s name. As such, two-factor authentication provides an additional layer of security.
Think of it like this.
If your house has two locks on the front door — while all the other houses on the block have only a single lock — a thief will likely skip over yours. That’s because your neighbors are easier and more attractive targets.
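As an added illustration (not code from the original post), here is how a site might implement the “what you have” step with a one-time code sent to your phone or email: the code is random, expires after a short window, can be used only once, and is voided after a few wrong guesses, so a code that a thief sees later or guesses at is worthless. The class and function names, the five-minute lifetime and the attempt limit are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong guesses allowed before the code is voided


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class SecondStep:
    """Server-side state for the one-time-code step, keyed by user id.

    The clock is injectable so expiry can be exercised without waiting.
    """
    now: Callable[[], float] = time.time
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, user_id: str) -> str:
        # Six random decimal digits from a cryptographic source; this is the
        # value that would be sent to the user by SMS or email.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = PendingCode(code, self.now())
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self.now() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[user_id]         # stale code: a fresh one must be issued
            return False
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self.pending[user_id]         # single use: the same code never works twice
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]         # too many wrong guesses: void the code
        return False
```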
However, two-step authentication has certain downsides.
When Requiring Multiple Authentication Methods Doesn’t Work
Requiring that web visitors go through two or more user authentication steps does have limitations. In fact, it can create a lot of difficulties.
Let’s take a look at some cases in which two-step authentication might backfire.
1. Personal Detail Authentication Methods
Your grandmother’s maiden name or high school mascot isn’t as “personal” as you might think. For starters, most of your friends and family members will likely know this information already. You’d be surprised how easily thieves can build up detailed profiles of their targets simply by connecting the dots.
This drawback isn’t necessarily a “flaw” in the system. It just illustrates the limitations of requiring personal details.
2. Codes Sent to Your Mobile Device
Most Americans are attached to their smartphones, so you’d think that sending unique, one-time codes would offer a lot of protection.
Yet, this user authentication step can sometimes be so secure that even legitimate users are locked out. For example, what happens if:
- You forget your phone that day?
- Your device gets lost or stolen?
- Your phone runs out of battery?
- You don’t get coverage in that area?
- You forget to pay your cell bill?
Thieves may be locked out of your account, but so are you. In addition, SMS messages often count against your data plan. What’s more, if you’re logging into lots of sites every day, this can get pretty expensive.
3. Unique Codes Sent to Your Email
Many of the “what if” scenarios above also apply to email. In some cases, it could be the email account itself that requires two-step authentication when you try to log in. You’ll need a second account attached to the first one to complete the process.
Moreover, any thieves who get a hold of your phone will have access to both your SMS and your email account at the same time. If that happens, they’ll be able to “two-step authenticate” their way to the bank.
Is Multi-step User Authentication Worth It?
Yes. Despite the limitations outlined above:
- All users should enable 2FA on their end.
- All businesses should require it on their end.
The online world is becoming more dangerous — with data breaches, ransomware, phishing, payment fraud and countless other cyber threats all on the rise. Requiring multiple authentication methods will keep you safer than only requiring one.
For the time being, 2FA is the new gold standard for online security. As the standard, though, it will soon become the most common target as thieves refine their tactics. Society may eventually need to adopt three-step, four-step or even five-step user authentication moving forward.