Put simply two factor authentication is a requirement to prove who you are twice, before being allowed access.
The most common use of two factor authentication with your bank because you have two factors:
- Your bank – debit – credit card is something you HAVE
- Your PIN number is something you KNOW
In corporate online banking in Canada and the United States and in personal online banking in most of Europe, it used to be quite common for banks to issue customers small USB sized dongles (named “RSA Dongle” “Security Token” “Duo Key” “Titan Dongle”…) that had a tiny screen that displayed an apparently random number that changed ever 30 seconds. That little dongle and the bank both used the same algorithm so the bank would know what the number would be at any given time. The banks webpage would prompt for your username and password (something you KNOW) and the code on that dongle (something you HAVE).
It is now quite common for banks to issue their corporate customers (and some consumers) a USB stick that simply contains a unique number or the smartcard chip that would also be on the users physical bank – debit – credit card. When customers try to sign into the banks website it requires that USB stick to be plugged in (something you HAVE) and the customers username and password (something you KNOW).
Two factor authentication is not a perfect way to stop hackers for instance:
- It is surprisingly quite possible for hackers to gain access to the global telecom texting system and intercept verification texts sent to your cell
- Social engineering has been used to trick people into giving hackers their second factor (i.e. calling a person claiming the be the bank and requesting their code on their RSA dongle, or the code the verification code they just received by text)
- Physical dongles can be stolen or temporarily accessed by a spouse, cleaning staff, co-worker… especially if they are left sitting on a desk
There are some better ways to provide that second factor, like biometrics. For instance it is not uncommon to requiring a user to swipe their fingerprint or look at their camera so their eye’s iris can be scanned. Today we see custom bands and popular fitness trackers (like the AmazFit Band 5, Apple Watch, FitBit or Samsung Fit2) monitoring your unique heartbeat patterns used as a second factor. Your heart beat could be part or your password future.