The 2FA revolution


Google, Facebook, Yahoo, Dropbox, Microsoft SkyDrive, Apple iCloud, PayPal, Evernote, LinkedIn, WordPress. And Twitter has just joined them, too.

Chances are you’re already using one or more of these online services. By and large, they are built to be useful and accessible to everyone, including users who see technology as a welcome aid in their daily tasks, but do not necessarily have or need any deeper insight into its workings.

Now, what else do they all have in common? The answer comes in the form of one of those abbreviations that tech people are so fond of: 2FA.

Two-factor authentication means adding an extra layer of security to keep sensitive data safe. You take something you know, like a fixed password or PIN, and throw in something you have, which is typically a device for generating one-time passwords, commonly referred to as a token. Only when both factors are present is the user granted access.

In addition to physical tokens – keyfobs, USB plugs  and suchlike – a growing number of two-factor solutions opt to take advantage of the overwhelming popularity of smartphones. One-time passwords can be delivered through text messages or generated by a smartphone application. That’s where Google Authenticator and similar apps come in.

Until recently, two-factor authentication used to be the preserve of online banking, corporate and government sector, protecting the kind of data whose potential exposure was immediately linked to grave financial consequences. For the past couple of years, however, it has begun to emerge into a much broader area of use.

After all, it is only natural that a growth in the amount of data we store online should be followed by an increased awareness of the importance of authentication. A compromised e-mail account can cause a great deal of damage. Just because we use it every day and take it for granted doesn’t mean its unimportant – quite the reverse.

Meanwhile, the boundaries between the corporate and the personal are becoming blurred with the advent of practices such as ‘Bring your own device’ (BYOD), which may improve employee productivity, but open up new lines of attack. A growing number of businesses also outsource non-core IT functions, which in practice often means that things that don’t get done on the company premises end up in the cloud.

But the need for strong authentication does not stop there. What about education, healthcare, or any and all public services that could be (or already have been) made simpler and more efficient by migrating online? However, without adequate security, that new convenience can spell disaster.

At the same time, fortunately, there seems to be a growing tendency towards greater user-friendliness – and not only for the benefit of the end users who struggle with cumbersome passwords and security questions. Introducing two-factor authentication into an organization can be a daunting prospect.

Therefore, what is required is a solution which offers not only security but a minimum of disruption to existing structures. The variety of situations that require strong authentication ought to be mirrored by flexibility and adaptability built in the solution itself.

As shown by the examples of Google, Dropbox and all the others, two-factor authentication is well on its way to becoming a household term.