TWO FACTOR AUTHENTICATION (and why you should care)

You may have heard the term “Two Factor Authentication” or seen it as an option while logging into one of your many web-based services like email or social media, but like most people, you probably clicked the “Not Now” or “Remind Me Later” link and moved on with your life.  I am here to tell you that you are missing out on the best and easiest opportunity to secure your account that is currently available from most of the major online services.

Two Factor Authentication does not require you to provide the answers to twelve security questions you can’t remember (I still don’t know what I answered for “who is your favorite manager at a previous job?”), nor do you need a biometric scanner for your fingerprint or retina (I have a Band-Aid on, I guess I can’t log into my bank site…).  Rather, what Two Factor Authentication (“TFA”) does, quite simply, is send you a text.  That’s right, a simple SMS text message to your cell phone.  The beauty of the system is what the text contains.

When Google initially offered me TFA for my personal Gmail account, I did what many people do and clicked “Not Now” because I could only imagine how difficult it would be to set up and use.  Boy was I wrong.  The entire process took about two minutes, including receiving the promised SMS text message.

So, how does it work?  Generally speaking (each service provider implements it a little differently), you enable TFA in the security settings of your account and then provide a telephone number capable of receiving text messages.  The service then authenticates you, for the purposes of initially setting up TFA, by sending you a text with a code and asking you to enter that code on the setup screen.  Now that the service knows you are actually in control of both the account (hey, you logged in, right?) AND the cell phone (you provided the text message code), the service knows that you are, well, you!  As a result, your use of the service on this particular computer is authenticated.  That’s it.  Seriously.  The two factors are (1) you knowing the account password, and (2) you providing the code sent in the text message.  Brilliant!  Now, when you are at a different computer, like the one at your ski lodge retreat for a week of well-deserved vacation (OK, more likely at the office on your work computer), and you try to log on to the service, the service will notify you that TFA is enabled and ask you to enter the code being texted to you along with your regular account password.  Before you finish reading the page, the code has arrived on your cell phone; you enter it on the login page and you are now authenticated on this computer as well!  Lather, rinse, repeat.  Any computer you use to log into your account that is not already authenticated will trigger a text message to authenticate.  You can authenticate as many computers, tablets, and mobile devices as you like.  If you want to be extra secure, you can tell some services that you want to authenticate via text each time you log in rather than only once per computer.  This is useful if you are logging in from a hotel business center computer or a similar shared-computer scenario.  That’s it.  Pretty easy, right?
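To make the flow above concrete, here is an added example (not code from the original post, and not any real provider's implementation) of what the service side of SMS-based TFA looks like: enrollment proves control of the account and the phone, a login from an unknown computer is held until the texted code comes back, and a "remembered" device token is what lets the next login on the same computer skip the text. The class, the `sms_outbox` list that stands in for an SMS gateway, and the phone number are all constructed for the example. It goes slightly beyond the post by showing the guard rails a service needs around the code: it is stored only as a hash, expires after five minutes, is single-use, and a wrong password never causes a text to be sent.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 300      # a texted code is only good for five minutes
MAX_CODE_ATTEMPTS = 3       # then the challenge is discarded and login starts over


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    phone: Optional[str] = None       # set only after the number is verified
    always_prompt: bool = False       # "text me on every login" for shared computers
    trusted_devices: set = field(default_factory=set)


@dataclass
class Challenge:
    username: str
    phone: str
    code_hash: bytes                  # the plaintext code exists only in the SMS
    expires_at: float
    attempts_left: int = MAX_CODE_ATTEMPTS


class TfaService:
    """Hypothetical service back end; sms_outbox is a constructed stand-in for an SMS gateway."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}
        self.challenges = {}
        self.sms_outbox = []          # (phone, message) tuples instead of real texts
        self.audit_log = []           # (username, event): the "you know about it" trail

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def _password_ok(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            hash_password(password, acct.salt), acct.password_hash)

    def _send_code(self, username, phone, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        challenge_id = secrets.token_urlsafe(16)
        self.challenges[challenge_id] = Challenge(
            username, phone, hashlib.sha256(code.encode()).digest(),
            self.clock() + CODE_TTL_SECONDS)
        self.sms_outbox.append((phone, f"Your {purpose} code is {code}"))
        self.audit_log.append((username, f"{purpose}_code_sent"))
        return challenge_id

    def _redeem_code(self, challenge_id, code):
        ch = self.challenges.get(challenge_id)
        if ch is None:
            return None
        if self.clock() > ch.expires_at:
            del self.challenges[challenge_id]
            return None
        ch.attempts_left -= 1
        ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), ch.code_hash)
        if ok or ch.attempts_left == 0:
            del self.challenges[challenge_id]     # single use, bounded guessing
        return ch if ok else None

    # Enrollment: the user is already logged in (password) and proves the phone (code).
    def begin_enroll(self, username, password, phone):
        if not self._password_ok(username, password):
            return None
        return self._send_code(username, phone, "setup")

    def finish_enroll(self, challenge_id, code):
        ch = self._redeem_code(challenge_id, code)
        if ch is None:
            return False
        self.accounts[ch.username].phone = ch.phone
        return True

    # Login: password first; a text goes out only for an unknown computer.
    def begin_login(self, username, password, device_token=None):
        if not self._password_ok(username, password):
            return ("denied", None)               # wrong password never triggers a text
        acct = self.accounts[username]
        if acct.phone is None:
            return ("ok", None)                   # TFA not enabled, password alone
        if device_token in acct.trusted_devices and not acct.always_prompt:
            return ("ok", None)                   # this computer was authenticated before
        return ("code_required", self._send_code(username, acct.phone, "login"))

    def finish_login(self, challenge_id, code, remember_device=True):
        pending = self.challenges.get(challenge_id)
        ch = self._redeem_code(challenge_id, code)
        if ch is None:
            if pending is not None:
                self.audit_log.append((pending.username, "login_code_rejected"))
            return ("denied", None)
        token = None
        if remember_device:                       # "don't ask again on this computer"
            token = secrets.token_urlsafe(32)
            self.accounts[ch.username].trusted_devices.add(token)
        return ("ok", token)

    def last_sent_code(self):
        """Read the code out of the most recent constructed 'text message'."""
        return re.search(r"(\d{6})$", self.sms_outbox[-1][1]).group(1)
```

The `audit_log` is where the "you know about it" part of the post lives: every code sent and every rejected code is tied to a username, so a login attempt from a computer you have never used shows up there as well as on your phone. Setting `always_prompt` on an account is the "text me every time" option the post mentions for shared computers.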

Now, for those of you reading ahead (and thanks for sticking with me here!), what happens if you get a TFA text message when you are standing in line at the grocery store?  Someone or something is trying to log into your account from a machine that is not authenticated, AND YOU KNOW ABOUT IT!  No more “12 million accounts were hacked, you should probably change your password”…  You know for a fact that someone tried to log into your account from a non-authenticated device.  Maybe it was your significant other accidentally trying to see what you have planned for your anniversary.  Maybe it was a 17-year-old in Europe looking for a few thousand easy email accounts to send spam from.  It doesn’t matter.  Without the code that was texted to you at the number you provided, the service will not allow the user to log in even if they know your password.  Let me repeat that.  Even if they know your password!  Remember, it’s two factor authentication, not “one and a half factor.”

OK, let’s sum things up here.  Use a good strong password.  Something with capital letters, numbers and symbols (!@#$%^& etc.).  This is always sound advice.  But let’s be real, stuff happens and maybe you really want to use “Password123” or perhaps you have a habit of leaving your password on a yellow sticky stuck to the monitor or under the keyboard.  Enable TFA.  Even if your password is compromised, and based on recent news stories it will be, your account is still safe.  Plus, who uses all of their text messages they get from the cellular company anyway?  They are yours, use them.

If you have any questions about TFA, how to use it, or if your service provider offers it (most do), email Peak at blog@peakforensics.com or call 602-354-8950.  Happy Two Factor Authenticating!

ABOUT Peak Forensics: Peak Forensics is a full-service Computer Forensics, Electronic Discovery and Consulting firm in Phoenix, Arizona.  Peak Forensics fills a need for experienced, professional computer forensics services, client-centric electronic discovery and seasoned testimonial and trial consulting services.  Peak’s CEO and founder, Jefford Englander, has been actively participating in computer forensics and ESI investigations for 15 years and has a background in local and federal law enforcement and the civil litigation realm.  From ESI collection to forensic analysis, hosted review, reporting and expert testimony, Peak can lead you to focused information.