Two-Factor Authentication

Authentication, Payments

Delego blog: What is two-factor authentication as it relates to payment processing

Two-factor authentication

There are three different factors to two-factor authentication.  These are characterized as:

  • Something I know
  • Something I have
  • Something I am or can do

What is two-factor authentication (TFA)? A combination of any two of the three aforementioned factors. The most common two-factor authentication is the combination of “something I know” and “something I have.”  In the retail industry, many people are familiar with having to swipe their credit card and enter a personal identification number (PIN).

This is a good example of two-factor authentication because the card is something you have and the PIN is something you know. Those of you who travel internationally into the United States use your passport or Global Entry Card (something you have) and a retina scan (something you are) to bypass the lines at US Customs.

The use of a single-factor many times should not be confused with two-factor authentication. The traditional user ID password in combination with challenge questions is really only single-factor authentication used several times. Two-factor authentication must use two distinctly different factors.

Benefits of two-factor authentication

There are obvious benefits to two-factor authentication. Stealing something you have is relatively easy. Credit card numbers are hacked every day from merchant databases or stolen from retailers.  Stealing both the card and the PIN is much more difficult.

The single biggest complaint against two-factor authentication is that it is cumbersome.  In many cases, it forces you to take extra steps in order to authenticate yourself — this is true. Two-factor authentication, by its very nature, will have a second step. If it had only one step, then it would be single factor authentication.

You may have to present yourself so your fingerprint or iris scan can be made. You may have a token that requires a personal identification number be entered. You may have a card and have to apply a PIN. Each of these is an extra step which makes two-factor authentication much more secure. Hackers often gain access to a single factor in a two-factor authentication scheme.

Passwords and card number are often hacked.  It is possible to manufacture cards complete with magnetic stripe based on information gained from a security violation.  It becomes that much more difficult to find the second factor that’s associated with the first factor.  It is unlikely that a manufactured card can be linked to the personal identification number needed to make it work.

Real world two-factor authentication

We use two-factor authentication when we bank.  You would never put your card into an ATM and get money from your bank account without entering a pin.  Without the PIN, you invite someone to empty your bank account. A card and PIN has become so common in many uses, we no longer even think about it.

We need the same attitude when it comes to other forms of transactions such as e-commerce. To protect our identity and therefore, our bank accounts, credit cards, and personal information with only a single authentication factor is just foolish.