We’ve talked at length on this blog about why passwords are not very secure on their own, and how you can build better passwords to give would-be attackers a hard time.
But to really secure your accounts and data, passwords alone aren’t going to cut it.
You see, passwords are just one form of authentication. (Authentication is geek speak for how we prove in a digital world that we are who we say we are.)
Security experts frequently break types of authentication into three categories:
- Something you know (like a passcode, pattern, personal question, or PIN)
- Something you have (like a phone or credit card)
- Something you are (like your voice or your fingerprint)
A password is an example of something you know. When you knock at the door, you know the secret passcode is “open sesame.”
But rather than just using one form of authentication (a password), most websites and applications these days will allow you to use multiple forms. This is called two-factor authentication (or sometimes, two-step authentication).
Two-factor authentication is an extra step in your login process—one that requires multiple forms of proof before allowing you into your account. It goes beyond a standard password to help confirm you’re you, and not a hacker.
When you’re at the gas station and have to type in your zip code after you swipe your credit card, that’s two-factor authentication.
You’re probably also familiar with this concept if you use online banking. Most online banks, if you’re logging in from a computer or location they don’t recognize, will require you to enter a code that gets texted to your phone or sent to your email, in addition to your password. This means you have to provide something you know (your password) AND something you have (your phone or your email address).
Something you are usually means biometrics. Think: fingerprint, retina scan, voice activation, or even your face (as in Windows Hello).
When you use a combination of multiple forms of authentication, an attacker who manages to compromise your spectacularly strong password still won’t be able to access your account without another form of authentication.
Of course, it isn’t perfect. But it does help make potential attacks harder by adding an extra piece of proof attackers have to come up with.
So while some say it’s a pain, others (like us) would say it’s worth the extra step to protect yourself from being hacked.