It’s not actually very easy to prove who you are, especially online, and especially for services such as banks.
If you turn up at a bank branch you may need to produce a Driver’s Licence, Passport or similar document that proves your identity. But on a web page you generally only need a username and password.
And let’s face it, those things aren’t too hard to get hold of, guess or learn through trickery.
Quick. Check now to see if you have one or more passwords on a sticky note on your monitor.
Something you know
2-factor authentication is a way to add a second, unique proof of identity for an online user. It combines something that only you know with something that only you have.
For example, I do some banking with RaboDirect. When I signed up they provided me with a gadget called a Digipass that I need to have handy to log in to my account.
The Digipass is about half the size of a small cellphone, with a number pad and a small display screen.
When I visit the RaboDirect login page I must enter my customer number. Then I also need to enter part of the serial number from the Digipass.
A determined visitor to my home could obtain both of those pieces of information without too much difficulty.
But they wouldn’t do any good, because of what comes next.
Something you have
To log in to my bank I need a password. But I don’t enter it on the bank’s login page. Instead I enter it into the Digipass and press a key on the device.
The Digipass screen then displays a 6-digit unique code that is valid for only a brief time. After I enter the unique code on the web page I’m able to log in.
The Digipass is the second factor in the authentication process.
I also need the Digipass for any major transactions, such as transferring money out of the account. Before such transactions are completed I must follow the online instructions, entering my Digipass password and pressing certain keys to generate a unique 8-digit code that I then enter online.
RaboDirect explain more about their system in their FAQ.
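The two-part scheme described above can be simulated in a few dozen lines. The Python below is an added example, not the article's own material and not RaboDirect's or Digipass's actual algorithm: a PIN (something you know) unlocks a simulated token that holds a secret (something you have); the token produces a 6-digit login code tied to the current 30-second window and an 8-digit code bound to a payment's payee and amount; the bank verifies both from its own copy of the secret, and never sees the PIN. The construction (HMAC over a time counter in the style of RFC 6238 TOTP, HMAC over the payment details for the transaction code, a three-try PIN lockout, the 30-second window) and every secret, PIN and payment value are assumptions made for this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed lifetime of one login code
MAX_PIN_TRIES = 3   # assumed number of wrong PINs before the token locks


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226-style dynamic truncation: take 4 bytes of the MAC, reduce to `digits` decimals."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def _login_code(secret: bytes, now: float) -> str:
    """6-digit code over the current 30-second window (TOTP-style)."""
    counter = struct.pack(">Q", int(now // STEP_SECONDS))
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), 6)


def _transaction_code(secret: bytes, payee: str, amount_cents: int) -> str:
    """8-digit code bound to the payment details: change payee or amount and the code changes."""
    challenge = f"{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, challenge, hashlib.sha256).digest(), 8)


class Token:
    """Simulated hardware token. The secret never leaves the device, and the
    device only computes codes after the correct PIN has been entered."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._failures = 0

    def _unlock(self, pin: str) -> bool:
        if self._failures >= MAX_PIN_TRIES:
            return False  # locked after too many wrong PINs
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._failures = 0
            return True
        self._failures += 1
        return False

    def login_code(self, pin: str, now: float):
        return _login_code(self._secret, now) if self._unlock(pin) else None

    def transaction_code(self, pin: str, payee: str, amount_cents: int):
        return _transaction_code(self._secret, payee, amount_cents) if self._unlock(pin) else None


class Bank:
    """Bank side: holds a copy of the device secret, but never the PIN."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def verify_login_code(self, code, now: float, drift: int = 1) -> bool:
        """Accept the current window plus `drift` windows either side (clock skew); reject older codes."""
        if code is None:
            return False
        for d in range(-drift, drift + 1):
            expected = _login_code(self._secret, now + d * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def verify_transaction_code(self, payee: str, amount_cents: int, code) -> bool:
        if code is None:
            return False
        return hmac.compare_digest(_transaction_code(self._secret, payee, amount_cents), code)


if __name__ == "__main__":
    # Constructed values for a stand-alone run: secret provisioned into the token and stored by the bank.
    secret = b"constructed-example-secret-not-a-real-key"
    token, bank = Token(secret, "2468"), Bank(secret)
    now = 1_000_000_000.0
    code = token.login_code("2468", now)
    print("login code", code, "accepted now:", bank.verify_login_code(code, now))
    print("same code 90 s later accepted:", bank.verify_login_code(code, now + 90))
    tx = token.transaction_code("2468", "ACME Ltd", 125000)
    print("transaction code", tx, "valid for tampered amount:",
          bank.verify_transaction_code("ACME Ltd", 9125000, tx))
```

Two properties are worth noticing. A login code read off the screen is useless a couple of minutes later, so a password or code that leaks once does not give lasting access. And because the transaction code is computed over the payee and amount, a code generated for one payment does not authorise a different one; that is what makes the separate 8-digit step meaningful rather than a second copy of the login code.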
Security is increasing everywhere
RaboDirect aren’t the only website to use 2-factor authentication, but they’re the ones I’m most familiar with.
One of my other banks sends an SMS message to my cellphone with a code to enter online to confirm large payments. Google Apps are also using cellphone messages for authentication, as explained in A more secure cloud for millions of Google Apps users.
Expect to see 2-factor authentication more often and in more places. It adds security to sensitive transactions and makes it much harder for the bad guys to cause us problems.
Written by Miraz Jordan for, and reproduced from CommunityNet Aotearoa Panui, October 2010. This article has been modified for publication here.