Two-factor authentication (2FA) has been around for quite a while, and is a part of an IT pro’s toolkit. It involves the use of two methods, or factors, of proving identity.
We’ve all logged in to a resource using a password. That’s an example of a single factor. In some cases, you’ve entered a password, only to have the resource you’re logging in to send you a message via an app or through a text on your phone. You then have to enter that message to complete logging in. That’s an example of a second factor.
2FA is everywhere because it improves security in two ways:
- Hackers need to steal more than just your password to take over your identity. They would also have to obtain and use a second factor, which significantly raises the bar for compromising an account or a network. 2FA can also help against ransomware and curtail lateral movement through networks.
- 2FA slows users down a bit, giving them a moment to think before logging on to a resource.
Why Is It Important to Learn About Two-Factor Authentication?
People who hire IT pros inevitably value two things when it comes to 2FA: your ability to explain what it means to end users and your ability to implement and integrate it into IT environments.
- Your ability to explain 2FA: As a technical support specialist or help desk technician, you must be able to explain this concept to end users. Organizations need you to explain how 2FA works to end users who are new to it, and to troubleshoot when things go wrong. That’s why the CompTIA A+ (220-1002) exam includes objective 2.3, which covers 2FA as a way to secure wireless networks.
- Your ability to implement and integrate 2FA: IT pros must be able to integrate 2FA into IT environments, including cloud, data center and installed environments. If we live in a cloud-first, hybrid world, then 2FA is the de facto way to secure that world. Therefore, you’ll find that understanding 2FA is required throughout every CompTIA certification. CompTIA Security+, for example, includes it in objective 2.4, which requires you to understand 2FA as part of implementing authentication and authorization design concepts.
The Three Factors of Authentication
When it comes to authenticating a person, device or process, IT pros have three choices. These factors are the three “somethings,” as shown below.
Figure 1: The three factors used in an authentication
Whenever you use more than one form of authentication, you are using multi-factor authentication. The table below contains practical examples of each factor.
| Factor | Description | Examples |
| --- | --- | --- |
| Something you KNOW | Password, pass phrase, personal identification number (PIN), information unique to two parties | $tr*nG&@s)w0rd, Wi-Fi SSID |
| Something you HAVE | Physical (hand-held) token, smart card, code sent via text, code sent via dedicated application | RSA SecurID code generator, token received via the Authy app |
| Something you ARE | Fingerprint, retinal eye scans, iris scans, voice print, face print | Fingerprint scanner, biometric passports |
At this point, though, I’ll bet you have at least one question on your mind.
Why Only Two Factors?
The main reason the IT industry uses just two factors is that implementing all three remains too costly in most situations, and using all three can slow logins down more than users will tolerate. So, most of the time, organizations use only two factors. It is well established that two factors, used properly, let people get their work done securely.
Which Two Factors Should You Use?
It’s possible to use any two of the three factors. Most of the time, organizations use a combination of something you know, and something you have, as shown below.
Figure 2: The two most often-used factors in 2FA
It’s important to note that you can’t implement two of the same factors and still call it 2FA. If you require someone to enter two passwords to log in, you’re really not using 2FA. You’ve got to use at least two of the three available options.
What Does 2FA Do For Us?
The banking industry has used 2FA for decades. Whenever you go to the ATM to take out some cash, you usually need to provide two things:
- Your bank card, which is something you HAVE.
- A personal identification number (PIN), which is something you KNOW.
The IT industry in general has followed this lead. For example, most networking devices, from switches to routers and firewalls, require 2FA. That’s why the CompTIA Network+ (N10-008) exam requires you to understand it.
2FA Throughout an IT Pro’s Career
I’ve already mentioned how tech support and security workers use 2FA every day. 2FA is one of the primary methods used to secure an organization’s cloud presence. For example, CompTIA Cybersecurity Analyst (CySA+) objective 2.1 lists 2FA as a key solution for managing infrastructure.
As a security analyst, you will often use vulnerability assessment tools. As you can see below, one of the more common things these tools look for is the presence of 2FA.
Figure 3: A vulnerability assessment of a cloud implementation
In Figure 3, you can see that 2FA isn’t configured, yet. This is why more advanced certifications, including CompTIA Linux+ (objective 3.3), CompTIA Server+ (3.3) and CompTIA Advanced Security Practitioner (CASP+) (objective 1.5) require IT professionals to understand how to use 2FA in various environments.
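The kind of check behind a finding like the one in Figure 3 can be shown in code for an SSH server of the sort the next section describes. The Python below is an added example written for this article; it is not the page’s own code and not any particular scanner’s logic. It parses the global directives of an sshd_config, assuming OpenSSH’s rules that keywords are case-insensitive and the first occurrence of a keyword wins, and reports whether AuthenticationMethods forces every login path through two distinct methods, with keyboard-interactive counting only when it is enabled and PAM is on (which is how the Google Authenticator PAM module gets consulted). Both configuration samples are constructed for the example. The parser stops at the first Match block, so it is an audit aid, not a substitute for actually testing the login.

```python
import re
from typing import Dict, List, Set

# Constructed sshd_config samples for this example (not taken from the article).
WEAK_CONFIG = """\
# A server that accepts a password on its own
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication no
"""

HARDENED_CONFIG = """\
# Key AND a PAM-driven verification code (e.g. the Google Authenticator module)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives. Keywords are case-insensitive and, as in
    sshd_config(5), the first occurrence wins. Parsing stops at the first
    Match block; per-user or per-group overrides are out of scope here."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(keyword, value)
    return directives


def enforces_second_factor(text: str) -> bool:
    """True only if every way to log in requires two *different* methods."""
    conf = parse_sshd_config(text)
    methods = conf.get("authenticationmethods", "")
    if not methods:
        return False  # default: any single enabled method is enough on its own

    # "a,b c,d" means: chain a then b, OR chain c then d. Each alternative must
    # itself be a chain of at least two distinct methods.
    name_sets: List[Set[str]] = []
    for alternative in methods.split():
        chain = alternative.split(",")
        names = {m.split(":")[0].lower() for m in chain}  # drop e.g. publickey:ssh-ed25519
        if len(chain) < 2 or len(names) < 2:
            return False  # one method, or the same method twice: not two factors
        name_sets.append(names)

    if any("keyboard-interactive" in names for names in name_sets):
        # keyboard-interactive must be enabled (older name: ChallengeResponseAuthentication)
        # and PAM must be on, or the verification-code prompt never happens.
        kbd = conf.get("kbdinteractiveauthentication",
                       conf.get("challengeresponseauthentication", "yes")).lower()
        if kbd != "yes" or conf.get("usepam", "no").lower() != "yes":
            return False
    return True


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: second factor enforced = {enforces_second_factor(cfg)}")
```

Run it as a script to see the verdict for each sample, or point `enforces_second_factor` at the contents of a real `/etc/ssh/sshd_config` on a test server. The assumed defaults (no AuthenticationMethods means any one method suffices, UsePAM off unless set) are the ones that make the check conservative: it reports a second factor only when the configuration actually forces it.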
Let’s Take a Look: An Applied Example
Figure 4 below shows an example of a typical 2FA session. It shows where the user, James, logs in from a computer named “parrot” to a remote server named “Jacob” using the Secure Shell (SSH) protocol.
Notice that when James logs in to the remote computer (Jacob, the computer with the IP address 10.0.0.1), a subtle thing happens.
The remote computer first requires a verification code, circled in red.
Figure 4: Logging in using 2FA
This verification code isn’t a typical password. This session is using SSH public key authentication, so no password is necessary. That verification code is a second factor generated by Google Authenticator, a common 2FA service. This service has been installed on the system named Jacob.
Once it senses someone wants to log in, the server named Jacob generates a token, and sends it to the mobile phone of the user who is attempting to log in. That code is the six-digit number that is shown in the picture above.
Once the user enters the code, the user can then log in.
Want to Learn More About 2FA?
This is just a simple example of 2FA. I encourage you to learn more about how 2FA works. Use CompTIA CertMaster Learn + Labs to get deep into 2FA. Or, create a few virtual servers in the cloud using Microsoft Azure, Google Cloud or AWS. Installed virtual environments such as VirtualBox and VMware are also available. Start playing around with this technology on Windows, Linux and networking systems, and you’ll become a 2FA expert who can help organizations of all sizes improve their security.
Ready to get started? Sign up for a free 30-day trial of CompTIA CertMaster Learn + Labs for many of the CompTIA certifications that cover two-factor authentication. Don’t see your certification? Check back in the future, as more are added regularly.