World Password Day 2-Factor Authentication (2FA) #ChatSTC

World Password Day is May 5 this year! It’s the 4th year of the annual event, and also the 4th year that Sticky Password is proud to be participating. This year, our friends at the National Cyber Security Alliance have coordinated a bunch of events and an all-star twitter chat under the hashtag #ChatSTC around the theme of multi-factor authentication (MFA) – which is typically called 2-factor authentication (2FA).


2-factor authentication is tossed around in the news and media a lot these days, but what is it, really? When you break it down:

2FA = more proof,

from a second, independent source.

Online, this typically translates to entering your username and authenticating yourself with your password (1st factor), which triggers a prompt for another bit of info that comes from a separate source (2nd factor). The key is that the 2 factors are disconnected: if a hacker or bad guy steals your password, it is unlikely that he also has access to the second factor. And vice versa.

Sometimes 2FA is described as something you have and something you know. While someone may guess something you know (e.g. a password), it is unlikely that he or she would also have physical access to what you have, e.g. a phone on which you’d receive a unique, time-limited code that you need to enter. At least not without you knowing it, in which case, you’d be able to take preventive action.

You know who understood 2-factor authentication?

Little Red Riding Hood understood 2FA. Red was a tough cookie and she got it. Sure, it was a brick-and-mortar world (more like woods and fields where Red lived, but you get the point) – way before the Internet was even a dream, but the idea of confirming identity was already a thing.

You remember the scene: Little Red Riding Hood is standing at the foot of Grandma’s bed. She finds Grandma in bed in her flannel nightgown, her head covered with a sleeping bonnet, but something isn’t right. (The wolf was able to acquire the 1st factor: something Grandma had (bedclothes), and in this case, location (Grandma’s cottage).)

Most folks would have accepted that this was Grandma, but Red needed more proof before she was going to lay out the picnic lunch.

Grandma, what big ears you have!

All the better to hear you with.

What big eyes you have!

All the better to see you with.

What big hands you have!

All the better to hold you with.

What a big mouth you have!

All the better to EAT YOU!

And with that, the wolf jumped out of the bed and ate poor little Red.

How much easier would it have been if Red could have asked Grandma for the private password they had agreed upon for just such situations! (That would have been the 2nd factor: something you know.)

What’s the password, Grandma?

The wolf wouldn’t have had a chance.

Not knowing the 2nd factor would have revealed the wolf to Red on her terms and she might have been able to run away and hide, or instead of being surprised as he leaped from the bed, she could have pulled the handy Swiss Army knife out of her basket and defended herself.

(Luckily for the two ladies, the wolf’s snoring exposed the wolf to the passing woodsman, who helped them out of their predicament! And that led to the happy ending.)

You’ve probably used 2FA without realizing it!

Many of us use checks (or still remember using checks in the not-so-distant past) when paying at the supermarket and, well, just about anywhere. When you think about it, the transaction was often multi-factor.

The cashier would ring up your purchase and you’d pull out your checkbook. At that point, it’s only your say-so that you are who you say you are – and, of course, you have checks with your name on them (from a bank). In order to accept your check, however, many grocery stores required that you had a check cashing card on file in their office (from the store). You’d taken care of that on some previous visit to the store, so you’re still OK. When accepting your check, the cashier would ask for your driver license (from the department of motor vehicles) to confirm your identity against the card on file.

All these elements comprised the multiple factors that the store considered to be sufficient to accept your check: after all, a check is a promise to pay based on the funds actually being at the bank, so there’s trust involved on their part. While it may be possible to forge any one factor, the likelihood of falsifying several factors from different sources (bank, store, DMV) is much smaller.

So, the secret to multi-factor authentication is that the factors come from different sources that can’t all easily be falsified or obtained together in some underhanded way.

Simply stated, it’s trust, but verify.

Taking that to the online world is pretty straightforward. A password, the 1st factor, entered together with your username is the first step. Once that is accepted as valid, you’ll need the 2nd factor (from a separate or independent source). A common way to handle the second factor is to send a text message containing a one-time code to the mobile phone that the owner registered when setting up the account. When the owner receives it, the code is entered on the website and access is granted.

The something you know is the password (1st factor), and the something you have is the mobile phone (2nd factor). Let’s say someone shady (a hacker, or maybe your ‘ex’) got your password and wanted to access one of your accounts that was protected by 2FA. Entering the password wouldn’t be enough. The shady character would also have to have your phone in order to be able to receive text messages with your additional authentication code. As long as you have your phone, your account would be safe: giving you time to change the password(s) that had been stolen.

The converse also applies.

While you may lose your phone, it’s not likely that the person who pocketed it will also know your password – so trying to access your accounts that are protected by 2FA wouldn’t be possible.
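The two scenarios above (stolen password but no phone; stolen phone but no password) can be walked through in code. The example below is an added illustration written for this post, not Sticky Password’s product code or any real website’s login: it hashes the password as the first factor, then texts a six-digit, time-limited, single-use code to the registered phone as the second factor. The SMS gateway, the account details and the timestamps are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300   # the texted code is time-limited: valid for 5 minutes
CODE_DIGITS = 6


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    phone: str                       # the registered "something you have"
    pending_code: Optional[str] = None
    code_expires_at: float = 0.0


class TextMessages:
    """Constructed stand-in for an SMS gateway: it just records what was 'sent'."""

    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, phone: str, body: str) -> None:
        self.sent.append((phone, body))

    def last_code_for(self, phone: str) -> Optional[str]:
        # What the person holding this phone would read off its screen.
        for to, body in reversed(self.sent):
            if to == phone:
                return body.split()[-1]
        return None


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked database does not hand out passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str, phone: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), phone)


def check_first_factor(account: Account, password: str) -> bool:
    """Something you know: the password, compared in constant time."""
    return hmac.compare_digest(account.password_hash, hash_password(password, account.salt))


def start_second_factor(account: Account, sms: TextMessages, now: Optional[float] = None) -> None:
    """Reached only after the password was accepted: text a fresh, time-limited code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.pending_code = code
    account.code_expires_at = now + CODE_TTL_SECONDS
    sms.send(account.phone, f"Your sign-in code is {code}")


def check_second_factor(account: Account, code: str, now: Optional[float] = None) -> bool:
    """Something you have: the code must be current and is consumed on first use."""
    now = time.time() if now is None else now
    pending = account.pending_code
    if pending is None or now > account.code_expires_at:
        return False
    ok = hmac.compare_digest(pending.encode(), code.encode())
    account.pending_code = None   # one attempt per code, matched or not
    return ok


def demo() -> dict:
    """Walk through the post's scenarios; returns what each attempt achieved."""
    sms = TextMessages()
    acct = register("red", "correct horse battery staple", "+1-555-0100")  # constructed values
    t0 = 1_700_000_000.0
    results = {}

    # The owner: knows the password and holds the phone.
    if check_first_factor(acct, "correct horse battery staple"):
        start_second_factor(acct, sms, now=t0)
    code = sms.last_code_for(acct.phone)
    results["owner"] = check_second_factor(acct, code, now=t0 + 30)
    results["replay"] = check_second_factor(acct, code, now=t0 + 31)   # same code again

    # Stolen password, no phone: the code went to a phone the intruder does not hold.
    start_second_factor(acct, sms, now=t0 + 60)
    real = sms.last_code_for(acct.phone)
    wrong = f"{(int(real) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"   # a guess known to be wrong
    results["password_only"] = check_second_factor(acct, wrong, now=t0 + 90)

    # Stolen phone, no password: never gets past the first factor, so no code is ever sent.
    before = len(sms.sent)
    if check_first_factor(acct, "not the password"):
        start_second_factor(acct, sms, now=t0 + 120)
    results["phone_only_texts_sent"] = len(sms.sent) - before

    # The owner again, but entering the code after it expired.
    start_second_factor(acct, sms, now=t0 + 200)
    late = t0 + 200 + CODE_TTL_SECONDS + 1
    results["expired"] = check_second_factor(acct, sms.last_code_for(acct.phone), now=late)
    return results
```

Run `demo()` to see the four outcomes: only the owner, with both the password and the phone in hand and entering the code before it expires, gets through; a stolen password alone, a stolen phone alone, a replayed code and a stale code all fail.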

The moral of the story: use strong passwords and activate 2-factor authentication for your online accounts when it is available.