We all know the theory. We should all create an individual, strong password for each of our online accounts, which we should memorise and never, ever write down. As is so often the case, however, that’s all very well in theory, but in practice, most of us just couldn’t make this work in the real world.
This is why security-conscious companies have come up with alternatives to make our lives a bit easier while keeping us safe online. One of the most popular options is two-factor authentication.
Two-factor authentication works on the same principle as having two locks on an external house door, although the implementation is rather different. Basically, it puts an extra barrier in front of anyone trying to access your account without your permission.
It should be noted that two-factor authentication is most secure when the “something you know” part is a strong password which you have kept private. The “something you have” part is often your phone or a small gadget supplied by the company; it is not sufficient on its own, but it is a handy reinforcement of your security measures, even if your password does not, strictly speaking, tick all the boxes.
Companies use RSA tokens and banks give their customers card readers, but for most purposes your mobile does the job capably. It will receive a use-once short code, usually by text, but sometimes by call or by mobile app. You then typically have a set amount of time in which to use the code before it expires.
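The use-once, time-limited code described above can be handled on the account provider's side roughly as follows. This is an added illustration, not code from any provider named in this article; the six-digit length, the five-minute lifetime and the three-attempt limit are assumed values chosen for the example, and delivery of the code (text, call or app) is left out.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300  # assumed: five minutes, a typical expiry window
MAX_ATTEMPTS = 3             # assumed: discard the code after a few wrong guesses


class PendingCode:
    """One issued code: the value to compare against and when it stops being valid."""

    def __init__(self, code: str, expires_at: float):
        self.code = code
        self.expires_at = expires_at
        self.attempts_left = MAX_ATTEMPTS


class OtpService:
    """Issues use-once, time-limited codes and verifies them (assumed design)."""

    def __init__(self, lifetime: float = CODE_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock          # injectable so expiry can be exercised in tests
        self.pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        # secrets.randbelow makes the code unpredictable; a new request replaces any older code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = PendingCode(code, self.clock() + self.lifetime)
        return code  # a real service hands this to the delivery channel, never to the login page

    def verify(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False                # nothing outstanding: already used, expired or never issued
        if self.clock() > entry.expires_at:
            del self.pending[user]      # expired: the user must request a fresh code
            return False
        # compare_digest avoids leaking how many digits matched through timing
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[user]      # use-once: a correct code is consumed immediately
            return True
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self.pending[user]      # too many guesses: discard the code rather than allow brute force
        return False
```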
Many well-known companies now either mandate or offer two-factor authentication, although for the most part it’s the latter. For small businesses, possibly the key names to note are Google (Gmail) and PayPal, both of which offer two-factor authentication as an optional service. If you rely on either of these services as a mainstay of your business, then it is strongly recommended to activate this extra layer of protection.
Two-factor authentication greatly increases the security of your account, but, as always, the trade-off is convenience. Gmail mitigates this slightly by allowing users to delegate a “home” computer, on which they can access Gmail just with their password. Some other companies have alternative strategies for minimising the inconvenience of applying this extra step each and every time you want to log in.
What can’t really be mitigated at this point, however, is the speed (or lack thereof) with which text messages are sent to your phone, or the fact that even today text messages can still disappear completely, especially at busy times.
Likewise, if you change your phone number, you have to update all linked accounts. From a security perspective this is a very small price to pay for protecting the accounts that really matter to you; however, it is enough of an inconvenience to discourage many companies from making two-factor authentication obligatory unless there is a compelling justification for it. That’s why the security-conscious often have to opt in to activate two-factor authentication, rather than having it turned on by default.
Similarly, card readers and similar devices can just be unwieldy. RBS required its customers to use a card reader to carry out certain banking transactions, and having to locate the card reader and its credit card-style card, and recall yet another PIN, made it impractical and awkward to use. At least most of us have our phones by our side, making authentication more streamlined and relevant to our lives.