Usernames and passwords surely help protect against unauthorized online access. However, even if someone has a unique password for every website visited, that won’t stop malware on a computer or the website itself from stealing confidential information.
Security experts agree that two-factor authentication (also called two-step verification) is one of the best ways to protect online accounts because it adds a second step to the log-in process. It combines “something you know,” such as a username and password, with “something you have,” such as a PIN, one-time code, fingerprint or other biometric, to confirm the identity of the person trying to log into the account.
There are several types of two-factor authentication, including:
Text message code: The simplest and most common, but the least secure, method. Hackers can easily exploit weaknesses in phone networks, and text messages aren’t encrypted. Plus, if the phone is lost or stolen, anyone holding it can receive the code.
Authenticator app code: Similar to a text message, except it requires the customer to install an app on their smartphone. When logging into a website, the code is sent to the app over a secure https connection so it’s more difficult to intercept and steal the code. Still, this method has the same issues as text messages if the phone is lost, stolen or infected with malware.
Biometric: Less common because it requires specialized hardware and software to accommodate facial recognition, iris scans, voice recognition or fingerprints. While biometric systems are more difficult to infiltrate, fingerprints can be cloned (the stuff of spy movies), and new technologies could permit a criminal to print a 3D head (unlikely but not impossible).
Physical key: Considered the strongest of all two-factor authentication methods, a physical key is a small device that generates a new, one-time code every few seconds. The physical key often has to be close to the device being used to log in, and the unique code has to be entered for online access to be granted.
Time factor: Also called a “logical lock” because a bank customer can’t physically use their ATM card in New York and then again across the country in California 15 minutes later.
Two-factor also protects against phishing emails that might trick the recipient into logging into a fake website using Google or Facebook credentials, for example. Only a legitimate website will send a working two-factor code.
Sources: Techcrunch.com, Searchsecurity/tech target