Tips for Two-factor Authentication

2FA, also known as “Multi-Factor Authentication” or “MFA”, is a technology that attempts to increase security beyond a simple logon ID and password.

It does this using three concepts:

  • knowledge – something only the user knows (like a password/PIN/secret questions)
  • possession – something only the user has (like a one-time or hardware token)
  • inherence – something only the user is (like a biometric scan)

Logging In

Most sensitive consumer-facing websites today use the following method:

  1. user enters their user ID and password
  2. if correct, website sends user an SMS text containing a temporary token string
  3. user types the token into the website
  4. website grants access

Some websites simplify the above method as follows:

  1. user enters their user ID and password
  2. if correct, website sends user a regular email containing a temporary auth link that they click/tap
  3. website grants access

Best Practices

In a perfect world, we wouldn’t need security methods to protect us from evil beings. Here are some common methods they like to use:

  • SIM-card hijacking – hacker reassigns our SIM info to their phone, then uses it to reset our password
  • WiFi sniffing – hacker equipment “sniffs” nearby radio signals to steal our credentials
  • Robbery – criminal robs user of their smartphone or hardware dongle

Here are a few security tips:

  • try to use cash whenever possible, and avoid using credit/debit cards
  • use a radio-opaque wallet to carry your credit/debit cards
  • remove your mobile phone number from your email signature block
  • treat your mobile phone number like you do your Social Security Number
  • call your mobile carrier immediately if you cannot receive or make calls
  • never connect to a public WiFi without using a VPN
  • beware of any unexpected emails, especially those containing links or attachments
  • never click email links or attachments before inspecting* them first

*Recommended Web address inspectors: