The internet has always been a place where you need to be careful about how and with whom you share your personal information. But as we live more of our lives online and more of the services we depend on move to the web, the need to secure our critical personal data has grown dramatically.

It's tempting to think that improving the strength of our passwords would be a sufficient bulwark against online malfeasance, but millions of passwords are stolen every month in data breaches. At this point, it's safe to assume that at least one of your online accounts has been compromised.

Because passwords are how websites verify your identity, and passwords are becoming increasingly untrustworthy, online services are beginning to offer (and in some cases require) another layer of security to access your accounts: multi-factor authentication.

What is multi-factor authentication?

Multi-factor authentication is when a service requires more than one proof of identity to access. An easy analogy is when you withdraw money with your debit card. It's not enough that you have your card. You must also have a four-digit personal identification number to access your cash. This extra layer of authentication prevents would-be pickpockets from cleaning out your bank account after they snatch your wallet.

Likewise, using multi-factor authentication (most websites use two-factor authentication) on your Apple account prevents password thieves from filling your iTunes with Taylor Swift's discography.

[Image: a person shielding their PIN at an ATM. Source: Wikimedia Commons / 3dman_eu]

Multi-factor authentication is a common method of preventing identity fraud in the real world and usually involves having multiple forms of identification. If you've applied for a passport, you had to provide documents to authenticate that you're actually you. Most credit card purchases require you to provide an ID that matches the name on the card. In decades past, businesses checked that the signature on your card matched the one you put on the receipt. In the digital world, ensuring that no one has hijacked your identity can be as important, but the methods used to accomplish that are slightly different.

How does digital two-factor authentication work?

Digital 2FA works on the same principles that apply in the real world, using the same kinds of authentication factors. In general, MFA combines two or more of the following factor types: something you are, something you know, or something you have. Verifying that combination acts as your digital security key to prevent unauthorized access to your accounts.

Something you are

It's becoming common for services (and devices) to use biometric information (an inherence factor in industry parlance) to validate a user's identity. Most Android and iOS phones come with fingerprint readers, and app makers have quickly taken advantage of this to enhance their account security. Facial recognition is also increasingly popular (particularly with iPhones). For the highest of the high-end security systems, governments and industry use the retina as the ultimate in biometric security.

[Image: a fingerprint scanner. Source: Wikimedia Commons / U.S. Customs and Border Protection]

Something you know

Knowledge factors are likely one of the first authentication factors most internet denizens encounter when establishing themselves online. You probably have a few passwords rattling around in your head for different websites. Likewise, when you signed up for those websites, you probably had to establish and answer security questions like what street you grew up on, the name of your first pet, and the city where your parents met.

Something you have

Many physical and digital authentication systems rely on a physical object, or a possession factor, to ensure security. When getting a passport, it's not enough to know your social security number and vital details. You need to have physical documents. Many businesses issue USB key fobs to their employees to ensure a higher level of security.

What does 2FA look like?

The earliest implementations of MFA involved a knowledge factor and a possession factor. If you wanted to do remote work back in the 1990s or early 2000s, in addition to your login credentials, you would also need a purpose-built piece of hardware called a security token (usually a key fob like RSA SecurID) that would generate a verification code called a one-time password that would give you access to your account.

[Image: an RSA SecurID key fob. Source: Wikimedia Commons / Raysonho]

One-time passwords

One-time passwords are a common type of two-factor authentication used by consumers. The OTPs most of us encounter in our daily lives aren't generated by key fobs anymore. Instead, they're generated by Amazon, eBay, and PayPal and sent to our devices via SMS or email, which act as the possession factor in place of security tokens.

One problem with SMS- and email-based authentication is their vulnerability to interception. Attackers can take over your phone number by convincing your carrier to switch control of your digits to their SIM card, allowing them to receive your SMS messages. Likewise, if your email account has been compromised via keylogging or phishing, attackers can read any OTPs sent to your Gmail.

To avoid this risk, more people are turning to app-based authentication. When your bank or Amazon creates an OTP, it cryptographically combines a secret seed value (associated exclusively with your account) with the current time. Authenticator apps like Authy, Duo, and Google Authenticator receive that same seed from your web service provider and run the same cryptographic algorithm to produce the OTP locally on your device. As long as you have access to your device, no one can intercept your OTP, because it is never sent to you over SMS or email.

Push notifications

One-time passwords are the biggest fish in the pond when it comes to consumer MFA, but there are other options. For the past five years, Google and Apple have used mobile device push notifications, eliminating the need for third-party apps and text messages. You need a smartphone with an internet connection, however, so the luddites zealously holding on to their flip phones can't take advantage of this form of 2FA.

Hardware tokens

Many organizations and governments use hardware tokens in their MFA implementations to avoid the interception and phishing problems inherent in SMS, email and push-based methods. Tokens can take many forms, but each holds a cryptographically unique secret or key that can be authenticated by whichever service is being accessed.

You probably have a hardware token in your wallet right now in the form of a smart debit card. Smart cards can be a good choice for a token because they're cheap to make and easy to carry around. The drawback is that you traditionally needed specialized hardware to access the embedded functionality. However, that issue is being mitigated by contactless smart cards.

Most consumer-grade hardware tokens take the form of a small USB device that is plugged into your computer or mobile phone. These tokens (YubiKey is the most popular lately) are easy to pick up on Amazon or from the manufacturers and work with services ranging from Amazon and GitHub to Microsoft and YouTube.

[Image: an assortment of YubiKey security tokens. Source: Yubico.com]

The future of hardware tokens is likely wireless. FIDO, the industry group that sets the open standards for authentication on the internet, is pushing for using your phone as the second factor of a two-step verification process. Instead of receiving a passcode via SMS, a cryptographic key is stored on your phone, which then communicates via Bluetooth to authenticate itself.

There's no easy answer to online security

Before the rise of e-commerce, it wasn't that big of a deal if your online accounts were compromised. At worst, the hacker would ruin your reputation by trolling your friends on AIM. Today, that's a different story. If you use the same username and password for every site, all it takes is a data breach at that Gundam forum you've been a member of for 10 years to open yourself up to identity theft.

Password breaches are inevitable, and how you protect yourself is a personal decision. Whether you opt for a password manager, SMS-based two-step verification, or a USB security token, anything is better than going about your business like someone isn't trying to steal your data all the time. Because they are.

The best answer is the one that is most user-friendly for you and incorporates your online lifestyle. If your livelihood is tied to your YouTube or Twitch channel, it's probably a good idea to use more than the standard OTP-based 2FA and invest in a hardware token to lock down your accounts. On the other hand, if you don't buy anything online and the most sensitive bits of information you have online are what you liked on Instagram, you're probably fine without 2FA for now.