Short story: The truth about Two Factor Authentication (2FA)
Every day we go through authentication processes, often without thinking about what we did. We open locked doors with keys or access cards; we cannot do this unless we HAVE the correct key. We unlock phones with a fingerprint scanner or facial recognition software; these methods confirm who we ARE. Meeting people for the first time often involves some description of the other party or an inside joke that acts as a code word or phrase of sorts; this confirms what we KNOW. The things we HAVE (possession), ARE (inherence) and KNOW (knowledge) are the factors of authentication. The groups (Have, Are, Know) to which these factors belong are the categories of authentication.
In unsafe environments or for clandestine operations, the authentication processes described above are often not enough, and more layers are used. Just as some buildings add man-traps to their doors to prevent tailgating, others have reinforced doors to make them much harder to break down. Having unlocked your phone, certain applications still require a password or PIN before they allow access. When meeting unfamiliar people, having confirmed what only both parties know, some people still find other ways of confirming, such as dialling the mobile of the person in question as a second layer of authentication. Using more than one authentication method during an authentication process is referred to as multi-factor authentication (MFA), of which two-factor authentication (2FA) is one form.
MFA is an authentication process where you receive access only after more than one piece of evidence has been verified by an authentication agent. This is the more generic term: the pieces of evidence, often referred to as factors, number more than one, and high-risk environments may require as many as 4 or 5 factors. Note that an increase in the number of factors also increases the burden of authentication. The factors in an MFA process may all come from the same category. An application that requires a password to open and then a Personal Identification Number (PIN) to perform a function has MFA enabled, but in technical terms this is not 2FA even though two “factors” are in use in the authentication process.
A 2FA process requires two factors from different categories of authentication. This ensures that a security breach requires multiple points of compromise. A truth serum would compromise an MFA that requires a password and later a PIN. Some people even have the terrible habit of writing passwords in a diary (please stop!!!); anyone with access to that diary has access to every account whose password is recorded there. Others reuse the same password and PIN across platforms, so a breach on one platform means a hacker can impersonate them everywhere. The painful part is that sometimes the breach happens on a long-forgotten website, so the user remains unaware that it took place for far too long. Likewise, an office bag containing a key and an access card to a building, if stolen, has automatically given whoever ends up with the bag the ability to enter the building. Mitigating these vulnerabilities gave rise to standardized 2FA.
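To make the MFA-versus-2FA distinction concrete, here is an added example (not code from the original post): a small login check that verifies each presented factor and then reports whether the verified set is a single factor, same-category MFA (password + PIN) or true 2FA (password + authenticator code). It uses RFC 6238 TOTP as the possession factor; the function names, the user record, the salt and the credentials are constructed for this illustration, and the TOTP seed is the RFC 6238 test-vector seed.

```python
import hashlib, hmac, struct

# Category of each factor type, using the page's Know / Have / Are split
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "totp": "possession"}  # TOTP: authenticator app on a device you hold

def kdf(secret: str, salt: bytes) -> bytes:
    """Slow salted hash for stored knowledge factors (password, PIN)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))

def classify(verified: list) -> str:
    """The page's distinction: two factors from ONE category is MFA, not 2FA."""
    if not verified:
        return "none"
    if len(verified) == 1:
        return "single"
    categories = {FACTOR_CATEGORY[f] for f in verified}
    return "2fa" if len(categories) >= 2 else "mfa-same-category"

def authenticate(user: dict, presented: dict, now: int) -> str:
    """Verify each presented factor and report what the verified set amounts to."""
    verified = []
    for name in ("password", "pin"):  # knowledge factors, checked against salted hashes
        if name in presented and hmac.compare_digest(
                kdf(presented[name], user["salt"]), user[name + "_hash"]):
            verified.append(name)
    if "totp" in presented and verify_totp(user["totp_secret"], presented["totp"], now):
        verified.append("totp")
    return classify(verified)

# Constructed sample enrolment record (not real credentials); TOTP seed is the RFC 6238 test vector
SALT = b"constructed-salt"
USER = {"salt": SALT, "password_hash": kdf("correct horse battery staple", SALT),
        "pin_hash": kdf("4242", SALT), "totp_secret": b"12345678901234567890"}
```

A real service would grant access only when `authenticate` returns `"2fa"`; a wrong factor is simply dropped from the verified set, so a bad authenticator code alongside a correct password degrades to `"single"` rather than to an error that reveals which factor failed.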
The expansion of the internet has ensured that each individual has a vast number of usernames and passwords to use and remember. Password managers and single sign-on (SSO) systems exist to help manage the username and password process; these, however, provide a single point of failure if not properly managed, and so I advise (I would command if I could) that for every service or website you register on, you enable 2FA if it is available. Ensure it is a 2FA system, not merely MFA. Collect those hardware tokens and use them with your banking applications, enable text-based 2FA, make use of the “Authenticator” applications from reputable companies, and so on; many more 2FA systems are in use. This would go a long way to ensure that all systems you use, from social media accounts to banking applications, remain secure on your end, as 2FA systems render hacking access to these online services almost impossible. Watch out for the blog post that shows the best practices necessary to maintain a healthy 2FA ecosystem.
Good day, since you said it’s not good to write down my password, is it OK if I save them on my Google? (My phone automatically asks if I want to save passwords.)
Password managers are the best bet. Saving on Google won’t be too bad an idea if you have 2FA enabled on your Google account to add an extra layer of security.