There has been a lot of hype over the past few years, and I even wrote some articles about incorporating it into various services, but what benefits do you actually gain from two-factor authentication, and should you use it? Let's explore what two-factor is, how it benefits you and the issues you may experience.

What Is Two-Factor Authentication (2FA)?

Two-factor authentication (usually shortened to 2FA) essentially breaks down to this: 1) something you know and 2) something you have or can access. For all practical purposes so far, 2FA is used to authenticate a user into some system. It works by requiring the person logging in as a user to not only know the account's password but also to have access to some device or even another account (i.e. a separate email). Without both pieces, logging in is virtually (though not completely) impossible.

"Something you know" usually amounts to nothing more than a password. While it could in theory be one of those security questions, that is less secure, since the answers are more readily available on the Internet these days thanks to Facebook and similar sites.

"Something you have/can access" more often than not refers to your phone. Google Authenticator is a good example of this, but there are also other methods such as a fob (RSA SecurID uses these) and a USB key (YubiKey, for example).

Benefits to 2FA

1. Better access control. This is usually the reason people want to implement it somewhere down the chain: better knowledge of who is logging in and who is trying to. Some compliance regimes also require 2FA these days for this reason alone.

2. Removes most fake attempts. A lot of "hackers" these days like to make quick work of entry. If it takes them more than a few seconds to get in, they will most likely skip your system, because they want to show off their "skills" to their buddies as quickly as possible. Word also spreads that your system is too slow, not worth it, etc. It doesn't deter everyone, but it does a nice job.

Cons of 2FA

Only two benefits of 2FA, so why use it? Well, there are more benefits, but they basically just break the two points above down into finer detail. There are costs to using 2FA as well, though.

1. More time consuming. While this ties into #2 above, it also eats into your own time. If you have to log in quickly to fix a (non-)critical issue, it can be more frustrating than anything.

2. Possible to lock yourself out. If you don't have a backup plan (which you should) for the event that you can't log in via 2FA, you could find yourself unable to log into the server and unable to do your work. This is one reason why Google Authenticator provides emergency token numbers.

3. If someone obtains your phone or account, you're back to square one. 2FA was intended to help circumvent false authentication. However, if someone can take possession of your phone or gain access to your email, you again run the risk of compromised authentication, which is also a big issue for large corporations.

Should I Use 2FA?

As always, it ultimately depends on your needs. In some cases it is over-paranoia more than anything, while in others you are required to use it. My personal way to gauge this kind of question is: "if someone I didn't know logged in to the server, would I truly care?" If it's a testing VPN server, for example, I'm less inclined to care. If it's one of my KVMs, then I'm highly concerned and would use it on the KVM server.