Why do I need two-factor authentication?

Today's Internet is not the same playground many of us grew to love. Instead, the Internet services are deeply integrated into our daily routine where most of us have come to expect many "tier-1" services to be at our beck and call 24 hours a day. With so much of our lives now online, that playground gives ample opportunity for scammers to make a buck off some unsuspecting individuals.

This modern dependence on Internet services reveals the problem that many identity systems and associated infrastructure have not yet caught up to the criticality of the services and functionality they're used to protect. The old email address and pass phrase is too cumbersome for most, and too simple to extract either from the individual (phishing) or service provider (data breach).

What can I do?

Most websites today offer some form of two-factor or at least two-step sign-in. Use it! Providers implement this feature for your protection.

Stay alert and ask yourself a few questions:

  1. Do I really need to give this website my email address?
  2. Why am I being asked to sign-in?
  3. If clicking a link, do you know who sent you this link?

Creating an account with a website often makes sense if you plan to place an order or plan to visit repeatedly. Just keep in mind that you're likely signing yourself up for marketing emails and providing your personal information to a service provider. Online accounts are protected by various authentication techniques. It's likely that you'll be asked to provide your email and create a unique password in order to create an account with a provider.

Why Authenticate?

Simplest answer? Authentication allows us to delegate our online identity to others who are quite good at managing them for us.

E-mail is a great example of delegation. While email itself is open and designed to be distributed, it’s often impractical for all of us to run our own email server in our home. Consider receiving a paper letter at your home. You retrieve this letter at your convenience, but it was delivered by a postal worker who left it in your mailbox that exists indefinitely in physical space. If maintaining a physical mailbox at your home is unpractical, you have the option to rent a mailbox at a post office. A P.O. Box is a delegated mailbox because you allow someone else to accept your letters. You can then retrieve letters from the mailbox with a physical key, provided by the Post Office at time of rental.

In order to receive a letter in “online” space, you must also maintain a mailbox, just like the physical mailbox. Receiving email requires a computer to be “online” and available every day in order to receive a message. To receive that message in a timely manner, that computer must be listening 24 hours a day for new mail.

For reasons ranging from technical effort to cost of electricity, most of us delegate the maintenance of our virtual mailboxes to a mailbox-provider like Google or Microsoft. In order to restrict access to a delegated mailbox, we must be able to prove to our mailbox provider that we should be allowed to view the messages in the mailbox. Authentication is the digital replacement for the physical mailbox key.

What is Authentication?

I refer to Authentication here as any workflow where one party makes an identity claim to another party, and then proves they are who they say they are.

Traditionally, most websites and Internet services have relied on a username as an identity claim, and password or shared secret to prove that identity claim. In the last decade or so, email addresses have become the standard replacement for username mostly because they’re easy for users to remember, and guaranteed to be unique. (Only one user can sign up per email address.)

This traditional email/password combination serves as the most basic identification challenge. The purpose of adding a second step to this authentication workflow is to supplement something you know with something you have.

For example, a thief may know the exact make and model of your car, but they don’t physically possess the key. Therefore, they cannot steal your car. If that same thief were to steal your car key, but your car required a pass phrase in addition to physical key, your car would remain safe. The same is true when accessing your email online. You must enter your secret pass phrase (something you know), and prove that you’re in possession of some physical key (something you have). This is the general design concept behind two-factor authentication.

Why do I have to enter a 6-digit code?

Many of today’s online services have elected to implement a second factor of identification through a mobile phone via SMS. The purpose of the 6-digit code is to confirm the "something you have," your phone. While this provides a two-factor solution to nearly 100% of today's users, it relies on a decades old transport layer that was never intended to be secure (sms). SMS is not necessarily insecure, but there are still ways to hijack or steal your phone number and therefore your SMS codes. For this reason, your mobile phone carrier must be trustworthy and also enforce two-factor authentication.

While there are many reasons why two-factor over SMS is not ideal, it does greatly improve the user’s security and provider’s confidence that it is, in fact, that user signing in.

Sites and Services that offer two-factor

Check out the 2fa directory maintained by 2factorauth.

Add two-factor to your site using trusted identity platforms

Sign-in with Apple

Sign-in with Google

Login with Amazon

Sign-in with GitHub

Firebase Authentication