The purpose of two-factor authentication is to prevent an attacker from accessing your account if they manage to guess or steal your password.
Two-factor authentication is based on:
- Something you know
- Something you have
The “something you know” is your username and password.
The “something you have” is your cell phone or token device running the one-time password app.
The reasoning behind this is that it’s possible to steal “something you know” (your password for example) using technology. It’s possible to steal “something you have,” but it needs to be done in person and takes quite a bit of work.
Using two-factor authentication means that an attacker would need to steal your password and physically steal your authentication device (your cell phone). This makes breaking into an account much more difficult.
Google Authenticator creates a new password (a six-digit number) every 30 seconds, 24 hours a day, 365 days a year. This is called a “token.” The token can be easily verified by the server you’re trying to access, but is completely unpredictable to an attacker.
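Google Authenticator's tokens follow the TOTP standard (RFC 6238): the phone and the server share a secret key and each computes the same six-digit number from that key and the current 30-second window. The sketch below is an added example, not code from this page or from Google; the sample secret is the RFC test key, and the `drift` allowance for clock skew is an assumption about how a server might be configured.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each token is valid for
DIGITS = 6   # token length


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the six-digit token for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)  # 8-byte window number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: float, drift: int = 1) -> bool:
    """Server-side check: accept the current window plus/minus `drift` windows."""
    ok = False
    for w in range(-drift, drift + 1):
        expected = totp(secret_b32, unix_time + w * STEP)
        # Constant-time comparison, and no early exit, to avoid timing leaks.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed sample secret: base32 of the RFC test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    import time
    now = time.time()
    token = totp(SAMPLE_SECRET, now)
    print("token now:", token)
    print("accepted now:", verify(SAMPLE_SECRET, token, now))
    print("accepted 5 minutes later:", verify(SAMPLE_SECRET, token, now + 300))
```

Without the shared secret an attacker cannot compute the next token, and a captured token stops working once its window has passed. A production verifier would also remember the last accepted window and refuse a token that has already been used.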
Alone, neither a password nor a token is enough to prove that “you’re you,” which means that if a virus steals your password and sends it to a hacker on the other side of the world, your account is still safe. Or if someone steals your cell phone, your account is still safe.
In the past, two-factor authentication required a key fob or device, and a proprietary security server, both of which were expensive and required ongoing subscription and maintenance expenses.
However, the open-source community has recently developed free versions of these products, making the technology available to everyone. The above screenshot, for example, is Google Authenticator, which is free, from Google.
If this sounds interesting, and you want to know more, feel free to read the in-depth geeky version.