You’re trying to access Gmail on a friend’s computer. You enter your address and your password, click “Log In,” and wait to see your inbox.
But you don’t see your inbox. Instead, you’re greeted with a message from Google: Multi-factor authentication is enabled. To access your files on this machine, you’ll need to enter a code that’s being texted to your phone.
For many computer users, this seems like an unnecessary annoyance. You already entered your password; Gmail (or any other site) should just work. What’s the deal with multi-factor authentication, and why is it better than the alternative?
It’s a fair question, especially if you’ve ever been inconvenienced by a two-factor login. Ultimately, multi-factor authentication plays a vital role in data security, and it’s far from an optional feature—if you’re not using multi-factor on all of your important accounts, you’re making a serious mistake.
But in order to understand why it’s important—and why it’s better than single-factor authentication—we’ll need to explain exactly what it is.
What is Multi-Factor Authentication (And Why Do Sites Use It?)
To put it simply, multi-factor authentication simply means that users are asked to provide two pieces of evidence proving that they’re authorized to access something. A common example is an ATM machine: You need both your debit card and your PIN number in order to access the system and take out money.
This example helps to explain why multiple factors are so important. A thief could easily steal your debit card, but he couldn’t guess your PIN number. To steal your money, he’d have to force you to give over both, and that’d be quite difficult.
Technology companies understand this concept, which is why multi-factor authentication is a common security control on sensitive websites. Hackers might be able to use brute force techniques or other methods to guess your password, but if they don’t also have your cell phone, they can’t access your account.
There are a few important things to understand about this concept:
It’s inherently more secure than single factor authentication. More controls mean better security, period. While you might be annoyed at the additional steps in your login process, using multiple authorization factors makes your account exponentially safer.
It’s ultimately not as much of a pain as choosing an extremely secure password. If you wanted to keep your account secure without multi-factor authentication, you could choose an extremely secure password and update it every few months—but users simply don’t do that. They’ll keep the same password or make minor changes, which creates a security hazard. Plus, the passwords are still susceptible to hacking, which opens the potential for a serious data breach.
It’s less expensive than some other security upgrades. Companies looking to upgrade their security processes can invest heavily in their internal security controls, but requiring two factors is often the cheapest and most effective option.
The additional factors don’t have to be complex. The best secondary authorization methods are physical, since it’s hard to steal physical items (compared to digital info). As smartphones have become ubiquitous, many technology companies have taken advantage of the trend by using the smartphone as a second authorization factor.
This often means that when you log into your bank, your email account, or some other important site, you’ll be asked to enter a code from a text message. The code isn’t the important part; the fact that you’re holding your phone is the real key.
Even the simplest factors provide additional security. Many banks use a system that tells users to only enter their passwords if they recognize the image on the screen. This is to prevent fraudulent banks from tricking the user into entering a passcode, and it functions as a sort of multi-factor authentication, although in this case, the second factor is dependent on the user.
“Multi-factor” doesn’t just mean two-factor. Sometimes, the terms are used interchangeably, but some multi-factor authentication systems use more than two factors. Your device often functions as one of the factors; the service provider remembers which devices you use, and requires additional proof from new devices.
Multi-factor authentication isn’t perfect. As multi-factor authentication has become more popular, hackers have used more sophisticated methods to break through.
For instance, if a hacker can trick a server into ignoring the secondary factor, they’ll only have to guess a password—simple enough work, provided that the victim’s password is simple. This is why it’s still important to pick good passwords, regardless of the number of controls.
“Multi-factor” doesn’t mean “100 percent secure,” but it’s certainly better than the alternative. Make sure you have the option enabled on any important account, especially credit card sites, banks, email, e-commerce sites, and cloud services. It’s worth a few minutes of extra effort to keep your data secure.