What is two-factor authentication?

Using "something you have"

When security experts talk about "something you have", they mean an object you have in your possession when you try to log in. This is likely to be:

• Mobile phones that can receive a text message with a time-limited multi-digit code – sometimes called a one-time password (OTP) – which has to be entered in addition to the passcode and which can be used only once
• Authenticator apps running on a mobile device that generates an OTP, or which can receive a push notification. To log in to Google on a laptop, for example, you may need to open the Google app on a mobile device where a notification message appears asking you to confirm you are attempting to log in on another device
• Hardware devices that displays an OTP when a button is pressed. These are becoming less common because of the cost of buying and distributing them and replacing them when they get lost

Using "something you are"

"Something you are" usually refers to some type of biometric like a fingerprint, a face or an iris scan, or a voice sample. In the past a biometric 2FA was unusual because of the cost of biometric systems, but today most mobile phones are equipped with the sensors and computing power needed to read these types of biometrics.

The pros and cons of different methods

Like most things related to security, there is a balance to be struck between the security provided and the cost and convenience of a particular authentication factor.

The simplest and easiest 2FA to use is probably SMS-based authentication, but the drawback is that it is possible for a cyber criminal to intercept an SMS. The cyber criminal could acquire a cloned version of an intended victim’s SIM card, for example.

An authenticator app is considered more secure because the OTP is generated on the phone, making it impossible to intercept. The drawback here is that the it requires the user to download and install the authenticator app and constantly keep it updated.

The most popular authenticator apps include Google Authenticator, Duo Mobile, Microsoft Authenticator, Free OTP, and Authy.

Hardware devices may provide an even higher level of security, but as mentioned they are expensive and are more likely to be misplaced than a mobile device. However, hardware devices have the added advantage of not requiring the user to have a mobile phone.

Biometrics are generally considered very secure – the fact that many banks in the UK allow people to log in to their accounts using face scans or fingerprint readings is testament to this.

Biometrics have the added benefit that even if a cyber criminal gets access to a potential victim’s password and their mobile phone, they still will not be able to log in unless they are with the victim and able to coerce them into providing a biometric.

Setting up two-factor authentication

Most cloud service providers and many app-based services offer the option of using 2FA. Activating it is usually a matter of ticking an option and then providing details such as a mobile phone number, scanning a QR code to enrol an authenticator app, providing an address to send a hardware device, or enrolling a biometric such as a face scan.

Setting up 2FA to log in to internal accounts is a more complicated matter which needs to be carried out by a charity’s IT department or IT service provider.