Two-Factor Authentication Increases Your Online Security

by Raymond Poon

What is two-factor authentication?

It means users, in addition to their password, need one of the following to log in a system or to access a network service:

  • One form of tokens provided by the service provider (e.g., a key fob or a smart card)
  • The output of one form of biometric scans on finger or irises, or a biometric analysis on voice.

Why two-factor authentication?

To overcome the following vulnerabilities of using password as the only means for authentication:

  • Users tend to choose passwords that are easy to remember. As a result, these passwords are equally easy to be cracked by brutal force.
  • Users often fail to conceal or protect their passwords properly (e.g., writing their passwords on a piece of paper, sharing passwords among others, entering passwords to a non-secured compute which has keyboard logger software secretly running on it to capture the password, entering password to a computer while others nearby are able to see it, etc)
  • Users seldom or never change their passwords. This allows hackers ample chances and time to crack their passwords.

Does two-factor authentication really necessary?

Probably not unless:

  • It is a strategic move or the situation warrants.
  • Total cost of ownership of two-factor authentication (including all the existing and additional costs of software, hardware, and support) can be justified. After all, password support is still required and its support effort may not be reduced with the introduction of yet another factor of authentication.
  • The interpretabilities and the user acceptance of different or same tokens among different systems and services will not become a hassle to users (e.g., users need not carry too many tokens or manually input too many characters during authentication of a token).
  • Your systems or services cannot support or cannot be modified to support passphrases to log in. If they can, paraphrase should be considered first before other form(s) of authentication. However, the passphrases, like passwords, must also need to be changed regularly (Note: a passphrase is a phrase or a sentence with or without punctuations that are often up to 100 characters in length. The latest version of Windows supports a 127-character passphrase.)

Tokens and Biometric Systems, which one is better?

The biometric scans/analyzers, such as: scans of fingerprint or irises, analysis of voiceprint, etc, attempt to prove "something one is" while tokens, such as: key fob or smartcard, attempt to prove "something one has". The accuracy and the reliability of the formers are still unsatisfactory or even questionable when compared to the latter. It had been demonstrated in 2002 by Professor Tsutomu Matsumoto, a cryptographer in Japan, that fingerprint can be collected by immerging the finger into free-molding plastic to make a plastic mold. He then melted and poured gelatin (the substance which makes jellied soups and desserts) into the plastic mold and let it harden. The fingerprint imprinted on the solidified gelatin can fool the fingerprint detectors for about 80% of the time. Nor have the reliability of the other forms of biometric systems been shown to be comparable to or better than that of the fingerprint reader. In particular, biometric systems are not suitable for supporting persons with multiple roles requiring different security levels of authentications on the same system or for the same service. According to the CSI/FBI survey, the adoption rate of biometric systems is about 10% and has been flat for the last several years. Therefore most experts in general agree that some form of physical tokens will be much more widely deployed than the biometric systems in most organizations.

Common Forms of Tokens

Key fob; smartcard; random codes generated from an algorithm running on a computer, PDA, smartphone, etc.; and codes pre-printed on a card, etc.

How Do these Tokens Work?

There are codes (which can be in the form of ID, access code, electronic certificate, etc.) being either statically stored/printed on these tokens, or dynamically generated by using a mutually agreed algorithms running on a computer, PDA, smartphone, or the processor inside the token. Some of these codes are made time dependent (i.e., only valid at certain period or only at current login time) and/or can only be used once. These codes are either manually entered or read automatically from the tokens by the authentication software and then sent to the authorization server for validation. If the codes sent match with those stored on or those calculated by the authentication server, then the authentication is successful and the access granted.


Two-factor authentication should be considered for transactions that need high assurance of the authentication. However, we should access the cost and benefits and the impact to user convenience before implementing it.


  1. Identification Authentication

  2. Electronic Authentication Guideline
  3. Expert advice: Does two-factor authentication protect you from hackers?,289483,sid14_gci995757,00.html
  4. Computer Security Institute