People of all ages today use computers for work, learning, entertainment, and socializing. Authentication is very important for computer systems, because they contain sensitive data that is only meant for certain people to see – such things as private health care information, engineering secrets, or important financial transactions. Simply put, authentication means proving that someone is who they say they are. By proving someone is who they say they are, we can ensure that only authorized users gain access to the system. One way to do this is by using two-factor authentication.
While I was developing a learning module for the Elementary CyberCamp at the University of South Florida, it occurred to me that you might find the concept of two-factor authentication helpful.
How to Prevent People from Gaining Unauthorized Access
There are different ways in which access control can be granted to a system:
- What you know (like a password or PIN)
- What you have (like a key or token)
- What you are (biometrics – fingerprint, iris, retina, etc.)
An attacker tries to gain unauthorized access to a computer information system by stealing or guessing login credentials (UserID/password). They may also try to break into the system by finding vulnerabilities or flaws in the system security and exploiting them, but that’s pretty hard. It’s much easier to trick people into giving you their password!
This can be done through phishing (sending emails that look like they’re coming from a legitimate, trusted person, but they’re really from an attacker trying to steal your credentials) or other methods.
Two-factor authentication (2FA) is probably one of the most important things we can do to limit the damage when people get phished. Here’s how it works:
- There are a lot of problems with having just passwords to secure access to important sites such as email, banking, school, or work.
- For one thing, it’s pretty easy for an attacker to trick people into giving them their password – they can make a fake website that looks like the real one, and get people to enter their password there.
- For another thing, people often reuse their passwords. It’s hard to remember a lot of passwords, and sometimes people visit as many as 50 different websites. So, people tend to use the same password on different sites. If one of those sites happened to get hacked, and the attackers stole all the passwords, then they could try those passwords on other websites to see if they work there.
- What is the solution to this? Having to provide more than just a password to get on to a site. By requiring 2 or more authentication factors, an attacker will have a much harder time trying to get into someone’s account. Just using a stolen password won’t work for them.
- Here’s an example of how it works: I create a password for a social media website, but I also have an “Authenticator” app on my phone for that website. When I go to log in, not only do I have to provide my password, but I also have to enter a code from the app on my phone. The code changes every 30 seconds and looks like a random number. The server that checks the code knows what the number should be. If it’s not the number from my phone (entered before the timer runs out), I will not be able to sign in — even though I knew the right password! The attacker cannot guess every possible number. They can try to guess a few, but there is a very tiny chance of them guessing the right one.
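The authenticator-app code described above is a time-based one-time password (TOTP, RFC 6238), which is itself HOTP (RFC 4226) with the counter set to the current 30-second time step. The following is an added example, not code from the original post: it generates the code the phone would show, and implements the server-side check, including the two things a real server must get right that the list above only hints at: accepting a small window of adjacent time steps to tolerate clock drift, and refusing to accept the same code twice so that a code an attacker manages to phish cannot be replayed after the legitimate user has used it. The secret is the published RFC 4226/6238 test-vector secret (ASCII "12345678901234567890"), constructed here for illustration; a real deployment generates a random secret per user and shares it once, usually via a QR code.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 4226 / RFC 6238 reference test vector.
# Real systems generate a random per-user secret; never reuse a published one.
TEST_SECRET = b"12345678901234567890"

STEP_SECONDS = 30   # how often the code changes (matches the "every 30 seconds" above)
DIGITS = 6          # length of the code shown in the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the counter is the number of `step`-second intervals since the epoch,
    so phone and server agree on the code as long as their clocks roughly agree."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the time-step counter the code matched, or None.

    - Accepts the current step plus `window` steps on either side (clock skew).
    - Rejects any counter <= last_accepted_counter, so a code can be used only once
      (replay protection); the caller must persist the returned counter per user.
    - Uses compare_digest so the comparison does not leak timing information."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def guess_success_probability(attempts: int, digits: int = DIGITS, window: int = 1) -> float:
    """Chance that `attempts` random guesses hit one of the currently accepted codes.
    With 6 digits and a +/-1 step window there are 3 valid codes out of 1,000,000;
    this stays tiny only if the server also rate-limits attempts."""
    accepted = 2 * window + 1
    return 1.0 - (1.0 - accepted / 10 ** digits) ** attempts


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("code shown on the phone right now:", code)
    matched = verify_totp(TEST_SECRET, code, now)
    print("server accepted at counter:", matched)
    # Presenting the same code again, with the stored counter, is refused.
    print("replay accepted?", verify_totp(TEST_SECRET, code, now, last_accepted_counter=matched))
    print("5 random guesses succeed with probability ~%.1e" % guess_success_probability(5))
```

The first-step values are the ones published in the RFCs: for this secret, time 59 (counter 1) gives 287082 at six digits and 94287082 at eight. The verifier returns the matched counter rather than a bare True so that the caller can store it and pass it back on the next login; without that, the "changes every 30 seconds" property alone would still let a phished code be reused within its window.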
The fact is, there are a lot of company executives out there who don’t get this, but should! Encourage your people to set up two-factor authentication.