Understanding Two Factor Authentication

Shane Scott (our resident innovation guru) explains what two factor authentication is and why you should use it everywhere you can.
April 24, 2018
Xero
by
Shane Scott

Technology wizard. Health nut. Amateur chef. Passionate about innovation.

A little while ago I wrote a blog post where I explored why reusing passwords across websites is a terrible idea, and how password managers can help in managing our ever growing catalogue of online accounts. If you haven't read it, and like immature jokes made by an accountant (who doesn’t?), I highly recommend going back and giving it a read.

Well this time, I'm going to take two minutes of your time to explain what is two factor authentication, and why you should use it everywhere you can.

Let's start by going over a process everyone should be familiar with, logging into an Xero. When you log into Xero, it asks for two things, namely your email address, and password. For most of us, we wouldn't think twice about this until the day some hackerman hacks our online accounts (which is technically social engineering, a discussion for another time).

However, if we consider ahead of time that behind those two not so long strings of letters, is some of our most personal financial information, you start to reconsider how secure that password (you definitely don’t use anywhere else) really is. Especially considering that nobody knows your dog's name is Fido and you were born in 1993 (woo class of 2011)...

The system of logging in with a username and password can effectively be called one factor authentication. We authenticate by providing one thing to prove that it's who we say it is (our password). This is where two factor authentication comes into play. What two factor authentication (2FA) does to make this more secure, is by asking for something you know (password), and then for something you have. In most cases, the something you have will be a code generated by your phone that resets every 30 seconds.

That all sounds simple enough, but how is plugging in two strings of letters and numbers more secure than one? Let me run you through a scenario we can all relate too. Imagine we are over at a friends house, and we realise that we haven’t checked facebook in the last 3 minutes, and our phone is out of data. In such extreme circumstances, it is only natural to immediately steal your friends laptop and login to facebook to check that in fact the world hasn’t ended (phew that was close).

Inevitably, we wake up the next day to find that our name on facebook is now Shane Scottnofriends and our birthday is today (lucky me?). In the panic of the night before, we didn’t realise that Google Chrome had gone ahead and saved our facebook password to our friends computer.

Now, if we had 2FA turned on for our facebook account, even though our so called friend could try and login with our password, they would get nowhere without something we have (our phone).

Well why don’t we just use our phones to login all the time, and not use these silly passwords? Well that doesn’t work to great either when we leave our phone at the local and old mate Mick the bartender decides you didn’t tip him enough.

By using something we know hand in hand with something we have, we are able to beat 99% of wood be hackers.

Well, that wasn’t quite two minutes. But i hope that most of you will have a better appreciation for what Two Factor Authentication (2FA) is, and why you should use it in every place you can. If you have any questions about setting it up for your accounts, feel free to get in touch with me (Shane), or anyone else on the illumin8 team.

Xero
April 24, 2018
Similar Posts: