What is two-factor authentication?
On May 6, 2021, on the occasion of World Password Day – a 2013 idea by Intel Security to raise awareness on Information Security and Cyber Security – Google announced the activation of two-factor authentication by default to strengthen account security.
Even Youtube, starting from November 1, 2021, has adopted the “two-step verification” which, for the moment, only concerns creators who join the Partner Program and monetize their contents.
What is two-factor authentication? Two Factor Authentication (2FA) is a security protocol based on the joint use of two authentication methods to validate the identification of a user and prevent the breach of sensitive data. In other words, 2FA adds an extra layer of security to an account login process, making it more difficult for cybercriminals and unauthorized users to access.
Today, Two Factor Authentication represents one of the most effective security measures and is an indispensable tool for protecting the identity manager, e-mail account, social media accounts and online shopping transactions.
How does 2FA work?
Generally, the most common authentication involves the use of the traditional “username and password” combination. However, a password, even when strong and unique, can be easily intercepted, stolen and compromised.
Two-step verification overcomes the problem. Compared to common login credentials, it guarantees a high level of protection thanks to the use of multiple factors during the authentication process.
These factors must be mutually independent (to avoid that the violation of one compromises the reliability of the other). Furthermore, they must belong to different categories (this means that two elements of the same category cannot be used), which are:
- Knowledge: something that the user knows (eg: a password or PIN);
- Possession: something that the user has (eg: a smartphone or a security token);
- Inherence: something that the user is (eg: fingerprint, voice stamp, retina, iris, or other biometric data).
How does two-factor authentication work? After entering the user name and the first authentication factor, ie the password, the system asks the user to use an additional factor to gain access to their account. Generally, the second most used factor belongs to the “Possession” category and is a numeric code that the user receives via text message or through a security token.
The home banking login procedure is a classic example of two-factor authentication. It includes the use of an ID, a password and a One-time password (OTP), which is a disposable password generated through a token and valid only for a single login session or transaction.
Strong authentication is used in various contexts. In the banking and financial services sector it is called Strong Customer Authentication (SCA).
The SCA applies in cases of Cardholder Initiated Transactions (CIT), online payments initiated by the customer (for example: purchases made on an e-commerce). On the contrary, it does not apply in cases of Merchant Initiated Transactions (MIT), MO.TO., transactions of less than 30 euros, low-risk transactions and Transactions with reliable beneficiaries.
The use of Strong Customer Authentication has been further strengthened and made mandatory by the entry into force of Directive (EU) 2015/2366 known as PSD2 (Payment Services Directive 2).
Why is it important to use Two Factor Authentication?
According to data presented by Microsoft during the RSA Conference 2020 on over 1.2 million accounts hacked in the first month of 2020, 99.9% of them did not have 2FA.
Furthermore, in the first quarter of 2021 alone, Exprivia Cybersecurity Observatory recorded 349 events including attacks, incidents and privacy violations, showing a seven-fold growth compared to the first three months of 2020.
Data theft remains the biggest damage caused by cybercriminals, with 70% of cases between January and March, followed by money theft, up 40%, and personal data breaches. Among the techniques used by hackers are phishing-social engineering, with about 60% of cases, malware and known vulnerabilities.
These data show that two-factor authentication is the most effective security measure to protect your accounts from the threat of identity theft and to counter phishing attacks with which hackers try to catch your sensitive data.