2FA (two-factor authentication), also known as “Multi-Factor Authentication” or “MFA”, is a technology that attempts to increase security beyond a simple logon ID and password.
It does this using three concepts:
- knowledge – something only the user knows (like a password/PIN/secret questions)
- possession – something only the user has (like a one-time or hardware token)
- inherence – something only the user is (like a biometric scan)
Logging In
Most sensitive consumer-facing websites today use the following method:
- user enters their user ID and password
- if correct, website sends user an SMS text containing a temporary token string
- user types the token into the website
- website grants access
Some websites simplify the above method as follows:
- user enters their user ID and password
- if correct, website sends user a regular email containing a temporary auth link that they click/tap
- website grants access
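The temporary-token step shared by both flows above, written out as an added example in Python (this is not code from the original article): once the password check passes, the site issues a short-lived one-time token, stores only a hash of it, and later verifies the user's entry with an expiry, an attempt limit, a constant-time comparison and single-use semantics. The in-memory store and the `issue_token`/`verify_token` names are assumptions; the SMS or email delivery itself is left out and the token is simply returned to the caller.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300   # token valid for five minutes
MAX_ATTEMPTS = 5          # invalidate the token after this many wrong guesses

# Pending tokens keyed by user ID. A real site would use a database or cache;
# an in-memory dict is an assumption made to keep the example self-contained.
_pending = {}

def _digest(token: str) -> str:
    """Store a hash, not the token, so a leaked table cannot be replayed."""
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id: str, via_link: bool = False, now=None) -> str:
    """Create a one-time token after the password check succeeds.
    Returns a 6-digit code for SMS, or a long URL-safe token for an email link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32) if via_link else f"{secrets.randbelow(10**6):06d}"
    _pending[user_id] = {
        "digest": _digest(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return token

def verify_token(user_id: str, submitted: str, now=None) -> bool:
    """Check the user's entry; the token is consumed on success or exhaustion."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[user_id]          # expired: require a fresh login
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user_id]          # too many guesses: invalidate the token
        return False
    # compare_digest avoids leaking how many characters matched via timing
    if hmac.compare_digest(entry["digest"], _digest(submitted)):
        del _pending[user_id]          # single use: cannot be replayed
        return True
    return False
```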
Best Practices
In a perfect world, we wouldn’t need security methods to protect us from attackers. Here are some common methods they like to use:
- SIM-card hijacking – hacker gets our phone number reassigned to a SIM in their phone, then receives our SMS codes and uses them to reset our password
- WiFi sniffing – hacker equipment “sniffs” nearby radio signals to steal our credentials
- Robbery – criminal robs user of their smartphone or hardware dongle
Here are a few security tips:
- try to use cash whenever possible, and avoid using credit/debit cards
- use a radio-opaque (RFID-blocking) wallet to carry your credit/debit cards
- remove your mobile phone number from your email signature block
- treat your mobile phone number like you do your Social Security Number
- call your mobile carrier immediately if you cannot receive or make calls
- never connect to a public WiFi without using a VPN
- beware of any unexpected emails especially those containing links or attachments
- never click email links or open attachments without inspecting* them first
*Recommended Web address inspectors: