The other day I had an interesting conversation with a friend.
Their bank had just told them they had to add their phone number to their bank account.
This was in order for the bank to send them a text message with a code to their phone to input along with their password, every time they logged in to the bank via the web or a mobile device.
What are Second Factor Tokens?
You may have seen this before. Second-factor tokens can also be called one-time passwords, 2-Step Verification, or Two-Factor Authentication (2FA).
Second-factor tokens are a part of Multifactor authentication – a way of confirming you are who you say you are when you log in. It requires you to provide two (or more) pieces of evidence (commonly called factors) to prove it is really you. The two pieces of evidence have to be two of these three: something that you know, something that you have in your possession and something that you are.
If you haven’t guessed it yet, your password normally qualifies as something that you know and is your first factor. Second-factor tokens provide evidence for something in your possession and are normally your second factor.
These tokens can range from physical devices you have to plug into your computer or place near your computer, to numerical codes (obtained from an app or physical device resembling a key fob) that you enter after your username and password.
There are even some newer solutions that don’t give you a code at all. They just prompt you to approve or deny a login request via an app on your phone.
They don’t exactly make things easier
Not surprisingly, they were not very happy about this change.
Multifactor Authentication means an extra step and more things you need to keep track of and worry about when logging in.
They almost seemed as if they were telling me about this, expecting me to take their side.
To say “of course how could the bank do that horrible thing?!”
But do you know what I did?
I said, “that’s great!”
They were so shocked!
While I had to agree with them that the codes are annoying, the thing is, they are very effective.
For those who don’t use these one-time codes often, or for whom they’re completely new:
- They can be very annoying and frustrating, as they’re one more thing you have to deal with.
- If they send the code to your phone, and you don’t have your phone, it presents another problem.
- If you’re not technologically savvy, it’s one more piece of technology to deal with.
So what exactly is the purpose of using them?
If they’re so annoying, then what is the purpose of using them? How are they different than the security questions we already use? Why can’t we just continue using the security questions?
In short, because passwords just aren’t good enough on their own anymore, and with the amount of information we share on social media, security questions are just too easy to guess.
Not everyone uses long and complex passwords, and even if you’re someone who does, there is still the possibility of your password being compromised in a breach.
A second-factor token helps in that if your password is compromised, knowing your password alone isn’t enough information for an attacker to log in to your account. They still need the code you have, or for you to tap the “approve” button on your app.
So while this whole second-factor authentication thing might seem like a nuisance, it’s actually meant to help you secure your logins better.
Second Factor tokens still aren’t completely foolproof.
Like other things, second-factor tokens aren’t a silver bullet. For example, if you receive a code via a text message, someone could impersonate you to your cell phone provider. Doing this, they can obtain a new SIM card that has your phone number tied to it. Then a request is made for the code and, because they now control your phone number, it’d be sent directly to them instead of you.
Of course, your information on the service is only as secure as the security the service has in place. Even if your password is top-notch and you use second-factor tokens, your information can still be compromised if the service itself is compromised.
Still, these types of codes do provide much more security for your login than a password alone.
Speaking of passwords…
While second-factor tokens do help, it doesn’t mean you can become lazy with your passwords. Long, complex and strong passwords are still important!
If you’re struggling with creating long and strong passwords and remembering them, we have a few tips for that: Two Simple Tips to Remembering Passwords
How do I get a second-factor token?
Unfortunately, second-factor tokens aren’t something you can just get for yourself. Multifactor authentication and second-factor tokens have to be supported by whatever service you’re logging into, and they do take a bit of setup.
However, more services these days do support some type of two-factor authentication. The website at twofactorauth.org maintains a list of many services which support multi-factor authentication and second-factor tokens.
To find out if your service does support second-factor tokens, try looking in their help documentation. If all else fails, reach out to the company and ask! They may also be able to provide some instructions for how to set it up, too.
Long story short…
While second-factor tokens may seem like a nuisance, they are actually meant to help. They can help your username and password become stronger and more resilient to hacks and data breaches.
However, while they do add to the password you already use, they should be used as a complement, not as a replacement for your password.
Do you have second-factor tokens set up for all your logins?