Your credit card and PIN are a good example of two-factor authentication. The credit card is something you have (the first factor) and the PIN is something you know (the second factor).
Getting hold of both factors is considerably more difficult than getting hold of just one, and in the case of the credit card you’ll soon notice that it’s gone.
Two-factor authentication is, simply, using two different kinds of factor to prove your identity. The main factors are:
– something you know (a password or PIN),
– something you have (a physical token, your mobile phone, etc.),
– and something you are (fingerprints, retina scan, etc.).
Windows already does a good job of requesting a username and password for the something you know; SMS2 adds a check for something you have.
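To make the “something you have” check concrete, here is an added illustration (not SMS2’s code and not part of the original page) of a generic one-time-code second factor: the code is generated unpredictably, delivered to the user out of band (for example by SMS), accepted once, expires after a short lifetime, and is discarded after a few wrong guesses so the six-digit space can’t simply be brute-forced. The digit count, lifetime and attempt limit are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative only: a generic one-time-code second factor, not SMS2's implementation.
CODE_DIGITS = 6               # assumption: six-digit codes, as most SMS schemes use
CODE_LIFETIME_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3              # assumption: three wrong guesses discard the code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class SecondFactor:
    """Tracks one outstanding code per user. The code is delivered out of band
    (e.g. to the user's phone), so presenting it proves possession of the phone."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable clock for deterministic tests
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unguessable by an attacker who
        # already has the password (the first factor).
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user] = PendingCode(code, self._clock() + CODE_LIFETIME_SECONDS)
        # A real system hands this to the SMS gateway, never back to the browser.
        return code

    def verify(self, user: str, presented: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False                          # nothing issued, or already used/expired/locked
        if self._clock() > pending.expires_at:
            del self._pending[user]
            return False                          # expired: the user must request a new code
        # Constant-time comparison so response timing doesn't reveal how many digits matched.
        if hmac.compare_digest(pending.code, presented):
            del self._pending[user]               # single use: a replayed code is rejected
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[user]               # lockout: 10^6 guesses is a small space
        return False
```

The password check stays where it is (Windows, in the page’s scenario); this class only gates the second step, and the important properties are the ones a plain “compare the strings” implementation misses: unpredictable generation, expiry, single use, an attempt limit and a constant-time comparison.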
You need two-factor authentication because passwords alone aren’t very secure.
People, in general, don’t have a different password for every website. Some colleagues share passwords with each other; some use the same password at home, where their partner and perhaps their children know it. Some people write their passwords down, arguing that with 20+ different usernames and passwords to remember, keeping them all in your head is quite difficult.
So well recognised is the problem that Google’s Gmail, Twitter, Facebook, “World of Warcraft” (an online game), and many others have already implemented two-factor authentication options so that people aren’t relying on a password alone. Additionally, in the UK organisations have a legal requirement (under the Data Protection Act) that “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
While this requirement is very much open to interpretation, a number of official bodies have already clarified how they interpret it. Becta, for example, on behalf of the Department for Children, Schools and Families, states: “Users who are given full, unrestricted access to an organisation’s management information system should do so over an encrypted connection and use two-factor authentication”.
Certainly for UK schools, if not for all UK businesses, two-factor authentication is very much a “must have”.