In security-critical applications such as online banking, two-factor authentication is well established: to gain access to a resource, the user must prove their identity with a password and an additional factor. Most often this is a one-time PIN that the user receives by SMS. In other cases a dedicated piece of hardware, a so-called token, is used, which is either connected to the computer or communicates directly with the authentication server.
But why go to this effort? Surely a complex password that is changed regularly offers sufficient protection! Far from it. Leaving aside the fact that few users choose a complex password and even fewer change it regularly, you can hardly rule out that someone looks over your shoulder while you type it. With brute-force methods an attacker can, in some cases, try thousands of passwords in a very short time. Increasingly subtle phishing attacks lead unsuspecting users to reveal their passwords to the attacker without realizing it. Malware infects computers and records keyboard input or network traffic. And even the most careful user with the best-protected computer must not be lulled into a false sense of security: hackers break into company servers regularly, and even reputable businesses such as eBay and Dropbox have been victims of password theft.
Once your password is in the wrong hands, the additional authentication factor becomes the obstacle, as long as the attacker has no access to it. That is why the second factor must be kept outside the computer from which the login is performed; a hardware token or a mobile phone, for example. The advantage of a hardware token as a second factor is clear: to log in, the user simply presses a button on the token. That is how they prove their identity and gain access to the network; the username and password still have to be entered as usual. This makes it considerably harder for attackers to reach internal data, because besides the password they would also have to be in possession of the token.
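To make the button-press token described above concrete, the following is an added example (not code from the original article or from any product it mentions) of what the authentication server has to do: verify the password and a one-time code from the token, and only grant access when both check out. The article does not name an algorithm; the example assumes a counter-based token in the style of RFC 4226 (HOTP), where each button press emits the next code from a secret shared with the server. The user record, password and salt are constructed for the example; the token secret is the RFC 4226 test key, so the codes can be checked against the RFC's published vectors.

```python
"""Server-side check of password + hardware-token code (HOTP, RFC 4226).
Added example; the HOTP assumption, user data and secrets are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    token_secret: bytes      # shared with the token at enrollment
    token_counter: int = 0   # next counter value the server will accept


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, token_secret: bytes) -> UserRecord:
    salt = b"constructed-fixed-salt"  # constructed; use os.urandom(16) in practice
    return UserRecord(salt, hash_password(password, salt), token_secret)


def verify_token(user: UserRecord, code: str, look_ahead: int = 10):
    """Return the counter offset (0..look_ahead) that produced `code`, or None.
    The look-ahead window tolerates button presses that never reached the server
    (pressed by accident, typed wrong) without locking the token out."""
    for i in range(look_ahead + 1):
        expected = hotp(user.token_secret, user.token_counter + i)
        if hmac.compare_digest(expected, code):
            return i
    return None


def login(user: UserRecord, password: str, code: str) -> bool:
    """Both factors must pass. On success the counter moves past the used
    code, so a code captured by a keylogger or phishing page cannot be replayed."""
    password_ok = hmac.compare_digest(
        hash_password(password, user.salt), user.password_hash)
    offset = verify_token(user, code)
    if not (password_ok and offset is not None):
        return False  # one generic failure; do not reveal which factor failed
    user.token_counter += offset + 1
    return True


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 4226 test key
    user = enroll("correct horse", key)
    print(login(user, "correct horse", "755224"))   # code for counter 0
    print(login(user, "correct horse", "755224"))   # same code again: replay
    print(login(user, "wrong", hotp(key, 1)))       # valid code, wrong password
```

The counter advance in `login` is what gives the token its value against the threats listed earlier: a phished or keylogged password plus an observed code is worthless once that code has been consumed, and a code from far ahead of the server's counter (beyond the look-ahead window) is rejected, so a thief who presses the token many times offline gains nothing.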
Users will only accept a second factor if it costs them as little extra time as possible; otherwise they will not accept two-factor authentication at all. A hardware token keeps this overhead small. The token is handy and easy to use: the user can carry it on their keychain without any trouble and take it anywhere. Every now and then the token has to be charged; otherwise the user authenticates with nothing more than the push of a button. In this way they gain access to the network quite comfortably from anywhere in the world.
Despite the extra time spent logging in and the additional cost: as soon as sensitive data is involved, doing without two-factor authentication is no longer an option. More and more companies have understood this and protect access to their services or their internal company network with two-factor authentication. Prominent examples are Google, Microsoft, Facebook and Dropbox.