{"id":20965,"date":"2020-08-27T21:29:24","date_gmt":"2020-08-27T21:29:24","guid":{"rendered":"https:\/\/qa.security.org\/?post_type=resources&p=20965"},"modified":"2024-11-15T09:01:32","modified_gmt":"2024-11-15T17:01:32","slug":"guide-to-authentication-protecting-yourself-from-identity-theft-with-two-factor-or-multi-factor-authentication","status":"publish","type":"resources","link":"https:\/\/www.security.org\/digital-safety\/authentication-guide-how-to\/","title":{"rendered":"Two-Factor and Multi-Factor Authentication: How to Prevent Identity Theft"},"content":{"rendered":"

Protecting your online accounts with a password is enough security\u2026right? Wrong. Millions of Americans fall victim to identity theft each year<\/a>, often a result of hackers stealing usernames and passwords. That\u2019s why consumers are increasingly turning to two-factor authentication (2FA) or multi-factor authentication to prevent cybercrime.<\/p>\n

What does this mean, and what are best practices? For starters, if you\u2019ve ever used a fingerprint to open your phone or confirmed your identity by entering a code texted to you as part of logging into a site, you\u2019ve engaged in a second form of authentication. We\u2019ll go over all of that and more in this guide to authentication.<\/p>\n

\"\"<\/p>\n

What Is Authentication?<\/h2>\n

Let\u2019s get back to basics with a quick definition of authentication and what that actually looks like in the online world.<\/p>\n

Definition<\/h4>\n

Authentication, simply put, is the validation of a user\u2019s identity online, but it can look a few different ways depending on the account\u2019s capabilities and the user\u2019s preferences.<\/p>\n

\n

\"\"Types of Authentication<\/h3>\n

When it comes to authentication, it usually appears in one of the following buckets:<\/p>\n

Password only<\/h4>\n

Most people secure accounts with usernames and passwords only, making this one of the most common methods. However, suppose someone gets or guesses your username and password. In that case, it\u2019s important that they are unable to gain access by implementing some advanced authentication methods, namely two or multi-factor authentication.<\/p>\n

Two-factor authentication (2FA)<\/h4>\n

Two-factor authentication typically comes in the form of a passcode sent to a mobile device, phone number, or email, sometimes referred to as a one-time PIN (OTP).<\/p>\n

Multi-factor authentication (MFA)<\/h4>\n

Multi-factor authentication takes things a step further and comes in many forms, such as biometrics like fingerprint or facial recognition1<\/a><\/sup>, security questions, the CVV on the user\u2019s credit card, or even physical devices like a USB token or card reader2<\/a><\/sup>. However, biometric authentication is perhaps the most common type of MFA that you\u2019ll see.<\/p>\n

\"\"<\/p>\n

Multi-Factor Authentication Examples<\/h2>\n

Even though you may or may not have heard of authentication before reading this guide, it\u2019s super common and available in various online accounts. Here are a few common examples:<\/p>\n

\"\"Financial accounts<\/h4>\n

Given the sensitivity of the information stored, many banks and financial institutions require two-factor authentication to access users\u2019 online accounts. This usually means receiving a text, e-mail, or phone call confirming your identity after entering a password.<\/p>\n

\"\"Face and Touch ID<\/h4>\n

Anyone with a recent iPhone or iPad will know Face ID or Touch ID, a form of multi-factor authentication.<\/p>\n

Ring Doorbell Camera<\/h4>\n

After multiple hackings of Ring cameras<\/a>\u2019 live feeds, Ring added two-factor authentication to the Ring\u2014 Always Home app, requiring users to enter passcodes in addition to their usernames and passwords3<\/a><\/sup>. Many security camera brands have followed suit, but a large chunk of brands still rely on passwords only for securing live feeds and recordings.<\/p>\n<\/div>\n

If you\u2019re not sure if an online account has advanced authentication options, go into settings and then look for a section on privacy; you will be able to enable it there, most likely.<\/p>\n

Authentication Pros and Cons<\/h2>\n

Authentication protects users' accounts from unauthorized access. However, each type of authentication has its unique benefits \u2013 and cons, for that matter.<\/p>\n

\n

Password only<\/b><\/p>\n

\n
The easiest and quickest way to access an account is with a regular password; just type it in and enter your account.<\/div>\n
However, not all passwords are stored in an encrypted vault, which could raise a security risk4<\/a><\/sup>. In addition, if a hacker<\/a> gets a user\u2019s password through a phishing<\/a> attempt, they can access the account if there\u2019s no other authentication implemented.<\/div>\n<\/div>\n

Two-factor authentication<\/b><\/p>\n

\n
2FA blocks many types of cyberattacks, from phishing and spear phishing to brute force and dictionary attacks.<\/div>\n
That being said, it makes logging in take a bit longer and it depends on a third-party device5<\/a><\/sup>, so if that device malfunctions, you may have trouble accessing your own account. Plus, if your device is stolen, access might (literally) fall into the wrong hands.<\/div>\n<\/div>\n

Multi-factor authentication<\/b><\/p>\n

\n
The benefits of MFA are fairly obvious; with fingerprint or face ID, you never have to worry about not having a device, and they\u2019re hard if not impossible to forge. They\u2019re also quick; and, you don\u2019t have to worry about remembering a password6<\/a><\/sup>.<\/div>\n<\/div>\n
\n

On the other hand, biometrics can\u2019t be changed if the device or account is compromised, and they tend to be available only on pricier devices like iPhones. Also, some people may object to having large tech companies store their fingerprints or retina scans, so for the privacy-minded, MFA may be somewhat of a nightmare. Reliability is another concern; biometric scans are fairly new technology to consumer products, so it\u2019s not uncommon for some devices to mis-authenticate a log-in attempt.<\/p>\n<\/div>\n<\/div>\n

\"\"<\/p>\n

Authentication Best Practices<\/h2>\n

While the majority of the best authentication practices lie with the developers themselves, there are a few ways that users like you can use it to your advantage:<\/p>\n

    \n
  1. No plaintext:<\/b> No matter how convenient it may be, never store your passwords in plain text or email or text them to somebody; instead, use an encrypted password manager<\/a> to save and share your passwords.<\/li>\n
  2. Password hygiene:<\/b> Jumping off of that, make sure each online account has its own unique, complicated<\/a>, and long password7<\/a><\/sup>; no using your address for all of your accounts or god forbid, the word \u201cpassword\u201d itself!<\/li>\n
  3. Check your privilege:<\/b> And no, we\u2019re not talking about social justice. When creating privileges for accounts or documents, use the least amount of privilege as you need, like being a contributor rather than an administrator. That way, if your account is hacked, the hacker won\u2019t be able to do as much damage to your files.<\/li>\n
  4. Default to deny:<\/b> Lastly, set up your Google Drive or any shared cloud storage space to \u201cdefault to deny\u201d, meaning that you have to grant people access for them to view and change your files8<\/a><\/sup>. Think of it as \u201cguilty until proven innocent\u201d but for accessing things like documents and spreadsheets.<\/li>\n<\/ol>\n

    Authentication Statistics<\/h2>\n

    Authentication may not be the latest dance craze, but it\u2019s definitely popular and growing more so year after year.<\/p>\n

    \n

    \"\"Industry Usage<\/h4>\n

    Let\u2019s talk about the big picture. As per our last checking, the Advanced Authentication Market in the U.S. was valued at $9.75 billion; in six years, that number is expected to balloon up to $20.73 billion. North America has led the global multi-factor authentication market since at least 2018.<\/p>\n

    Why exactly is the authentication market growing as fast as weeds in your garden? A few reasons, including:<\/p>\n