Simply put, 2FA is exactly what it says on the tin: a second step, separate from your password, that proves it really is you signing in. Usually it takes the form of a linked app on another device, like Microsoft Authenticator or Google Authenticator for smartphones and tablets. There are also hardware or physical two-factor systems (dedicated token fobs and security keys), but many services now rely on software tokens running in an app.
A company does not need to build its own 2FA platform in order to use it. The one-time codes most apps generate follow a published standard (TOTP, RFC 6238), so any compliant app works with any compliant service: various companies, Adobe among them, simply let you enrol with Google Authenticator or similar. LastPass also offers its own authenticator app that produces the same kind of codes.
Instead of an additional password that the user has to remember, most 2FA apps generate a 6 or 8 digit number that is only valid for a short time, usually thirty seconds (some services accept a code from the adjacent window or two to allow for clock drift). The code is not random: when you enrol, the service hands your app a secret (the QR code you scan), and both sides then compute the same number from that secret and the current time. Microsoft's authenticator app takes a different approach: it shows the user a security challenge and asks them to confirm their identity via biometrics on their smartphone, or by selecting the number from a list that matches the one displayed on the device they are signing in on.
It's both a good security measure and a good deterrent: a password that has been guessed, leaked or phished is no longer enough on its own. Attackers instead need either a more sophisticated attack that gets around the second factor entirely (for example, a fake login page that relays your code to the real site within the few seconds it is valid) or a way to get at your personal device exactly when they need it.
2FA is not without its flaws, as it relies on access to another device. There can be issues, especially if someone loses access to their device, through it being broken or stolen, for example, or sometimes when a manufacturer's operating system update wipes the app's data. For this reason, most providers give you "recovery codes" (sometimes a single "recovery key") when you activate 2FA. Each code is a one-time substitute for the authenticator that lets you sign in and then remove or re-enrol the authentication method on your account. Treat them like a password: store them somewhere secure and separate from the phone running the authenticator, such as in LastPass' Secure Notes or in OneDrive's Personal Vault, and never in a plain file on the same device.
Next time on the GG blog, we’ll be looking at the other forms of 2FA available.