Two-factor Authentication

Two-factor authentication, also referred to as multi-factor authentication or MFA, is a way to authenticate that you are who you say you are, in addition to an account password. This can be something like a fingerprint or a retinal scanner, a code sent to a key-chain token, or even your mobile phone via text message, though the last one is not the most secure method out there. If an attacker only has your password, he or she won't be able to access your account without this second factor of authentication. Now, we've talked a few times about the importance of administrative accounts and the fact that they can download, modify and delete different programs on your network or on an individual computer. There should be as few of them as possible, and the few that you have should always have two-factor authentication enabled, because you want to make sure that an attacker can't control them.


There are a lot of different methods to use. In effect, it could be something you have: a physical hardware token with a code, a smart card, or a text message going to a phone. Better than that is what's called an authenticator app. Google Authenticator is one; another one is called Authy, and these are both very effective. If you have a physical token, there are the ones that display codes, and there are also ones where, unless the token is plugged into the computer, you cannot log in as you. There's one called the YubiKey, which I believe Google uses, and since they started using them, they haven't had a single successful attack. Just a thought. Another one you can use is something you are; this is also referred to as biometrics.


That can mean a fingerprint scanner or a retinal scanner. You're probably not going to use the latter in a smaller office. Plus, retinal scanners are a little gross; you have to put your eye right up against them. There are also privacy concerns, because the scanner holds physical information about you that could theoretically be stored somewhere and/or stolen. And security researchers have cracked consumer-grade fingerprint scanners repeatedly. There was even an instance in late 2014 where German hackers were able to defeat a fingerprint scanner using just a photograph of a politician's hand, taken while she was speaking in public; from that alone they got a detailed enough image to fake her fingerprint. Look, at the end of the day, any biometric marker is still reduced to ones and zeros, and the problem with that is that if it does get stolen, you can't reset it. You obviously can't change out your thumb.

One other way you can do it is location-based, and that's actually a helpful thing to have. Let's say your office is located in Ohio. Someone can't log in from Brazil or Malaysia, because that's very likely not you. Now, one thing you can look at for individual sites, to see if they do offer two-factor authentication, is something called (again, I'll put the link in the notes) which just lets you know whether a site you're dealing with offers this capability, which makes it a bit safer for you.

Two-factor authentication (2FA)

  • Is also referred to as “multi-factor authentication”
  • Regardless of the name, it’s a way to prove that you are who you say you are, in addition to using an account password
  • 2FA should be enabled on any Admin account

There are various methods of 2FA:

  • Something you have (hardware token, smartcard, text message, authenticator app)
  • Something you are (biometrics, like fingerprint and retinal scans)
  • 2FA can also be location-based