2FA: what’s it all about?

One of IT’s biggest barriers is jargon, where simple concepts are given overly complex names. Among those is 2FA (two-factor authentication) or MFA (multi-factor authentication). Why don’t they just call it “Another way of checking that you really are who you say you are”. OK, maybe that’s a little wordy! 

Remember how easy it was when you just logged in with a name and a simple password? Sadly, criminals found it easy too – with your name and password. So, like a castle with various levels of defence, IT companies added new methods of authentication to keep ahead of those criminals and to protect your information.

At its simplest, 2FA combines two factors of different kinds: something you know, something you have or something you are. MFA extends this to two or more factors, and increasingly also weighs contextual signals such as the time of day and the location you are logging in from. It’s not a new concept: “Traditionally debit card payments for many years have been 2FA: something you have (card) and something you know (pin).” Jimmy Wales (founder of Wikipedia).

“Something you know” could be a password, a PIN or answers to secret questions. “Something you have” is a phone, a bank card, a hardware security key or the authenticator app on your phone. “Something you are” is biometric data, which is becoming easier to use with the spread of fingerprint scanners and face/voice recognition. Note that two items of the same kind, say a password plus secret questions, are still only one factor: both can be learned or guessed, so they don’t add up to 2FA.

(A typical 2FA setting notice: “Two-factor authentication (2FA) is on. We'll ask for a verification code via your security method if we notice a login from an unrecognised device or browser.”)

So my banking app is locked to my phone (something I have) and requires my fingerprint (something I am) to log in. Facebook asks for my password (something I know) and a code from my authenticator app (something I have). The irony is that the weakest form of 2FA is the most common – the SMS OTP (yes, more jargon). This is the One-Time Password, or code, you’re sent by text when you’re doing, for example, a credit card transaction. Unlike an authenticator app, which generates the code on your phone, an SMS code is created by the company and sent over the mobile network, so anyone who can redirect your texts (a “SIM swap” at your mobile provider) or trick you into typing the code into a fake website gets it too. Texts are “vulnerable to compromise—albeit such compromises remain comparatively and thankfully rare—but it is becoming more of an issue.” (Forbes) so it’s better to avoid this method if you have a choice, though even SMS is far better than a password on its own.

The common theme between most of these verification methods is that they assume you have a phone, and for authenticator apps a smartphone, which makes life difficult for the many people – particularly of an older generation – who don’t have one.

What’s the future? It seems that 2FA/MFA isn’t going away any time soon. However, companies including Microsoft and Google are working with the FIDO (Fast IDentity Online) Alliance to rethink “the nature of online authentication”, moving away from passwords completely. FIDO credentials can also live on a small hardware security key rather than a phone, which goes some way towards the accessibility problem above. In a few years, I hope they’ll develop easier, more accessible solutions for everybody. In the meantime, though, while MFA is cumbersome “it’s worth it in the long run to avoid serious theft, be it of your identity, data, or money” (PC Mag).
