Why two is better than one… (with authentication anyway)

The traditional form of authentication has almost always been the use of a password. However, basic password security measures (one-factor authentication) aren’t as secure as they used to be. Even if they follow all the complex password rules and contain at least eight characters, one number, mixed-case letters, and a non-alphanumeric character, internet attackers can now crack them at alarming rates.

So, if a robust password no longer provides the security we need, what does?

Put simply, two-factor authentication (2FA) is one of the best things you can do to ensure that your digital accounts don’t get hacked.

What is two-factor authentication?

Two-factor authentication, also known as 2FA or two-step or multi-step verification, adds a layer of security to any type of log-in by requiring more than just one identifier. It uses a second factor to double-check that your identity is legitimate.

It requires two of a possible three identifiers:

  • something you know (such as a password or PIN)
  • something you have (such as a hard token, mobile device, or smartcard)
  • or something you are (a biological factor)

Ok, so let’s talk about the authentication factors in a little more detail.

1. Something you know

When you go to sign in to your account, you typically receive a prompt to input your username and password – this is something you know. This is the first layer of authentication.

As we mentioned above, passwords alone can no longer be relied upon. Hackers can crack even the lengthiest and most complicated passwords in a matter of minutes. Plus, how do you know that your password hasn’t been stolen by someone peering over your shoulder? And that’s not to mention the fact that users often reuse the same password for several accounts because passwords can be difficult to remember.

This said, strong passwords are still vitally important and we would always recommend changing them regularly and certainly not re-using them across multiple accounts.

(For more information on how to create secure passwords, read the blog by our partners at Sophos.)

2. Something you have

With two-factor authentication, a second identifier is also required. Think of it as ‘the double-checker’! The most common combination for two-factor authentication is currently something you know (as explained above) and something you have. The ‘something you have’ relates to something you might have in your possession. For example:

  • A traditional hardware token
  • A mobile phone
  • A smartcard – smartcards like the NHS smartcard can act as a unique identifier (read more about 2FA using the NHS smartcard)

The ‘something you have’ can be based on either certificate or one-time password (OTP) authentication. Certificate-based authentication leverages a smartcard – effectively a password-protected memory card with a secret (or secrets) stored on it.

The alternative to the smartcard approach is the one-time password (OTP). This is usually a unique 6 to 10 digit code that is generated by the system for temporary use – one-time only. It can be delivered via a traditional hard token or mobile phone, either by way of an app (known as a ‘soft token’) or SMS. With OTP, there’s usually a static element (your password/PIN) which is used in conjunction with the OTP.

3. Something you are

This authentication factor is you. It is a biological factor such as face or voice recognition, fingerprint, or retina scan (all typically known as biometrics). Are you picturing Hollywood movies yet? Yes, this type of authentication can be very effective, but it can also be very expensive and hence, not many organisations currently use this type of authentication.

Why implement two-factor authentication?

Two required forms of verification pose a much greater challenge to today’s hacker. It isn’t a complete cure-all, but it is much harder for the hacker to obtain both authentication factors which, in turn, drastically reduces the chances of phishing, credential exploitation, and other attempts to gain access to your accounts.

Where can I start using two-factor authentication?

ITHealth offer two-factor authentication to NHS organisations as part of our secure remote access solution – Secure-IT. However, there are lots of popular online sites that have also started to use it. Here’s a list of just a few, including details of how you can implement it:

  • Google / Gmail – Google’s 2FA sends you a 6-digit code via text message to input every time you sign in from a new device. You can enable Google’s 2FA here.
  • Twitter – Twitter’s 2FA sends you a 6-digit code via text message when you attempt to log in from a new machine. Read more about Twitter’s log-in verification here.
  • Facebook – Facebook’s ‘Login Approvals’ sends you a 6-digit code via text message for log-ins from a new machine. Check out the Facebook blog for more information.
  • LinkedIn – LinkedIn’s 2FA sends you a 6-digit code via text message when you attempt to log in from a new machine. Check out LinkedIn’s blog for more details.
  • PayPal – PayPal’s 2FA sends you a 6-digit code via text message when you attempt to log in from a new machine. Read more and enable it here.

For a more comprehensive list of all the services that offer two-factor authentication, visit

As we’ve said, two-factor authentication isn’t completely hacker-proof, but it is definitely a step (or should that be two steps?!) in the right direction. Implement it wherever you can to keep the hackers at bay.

Good luck authenticating!