The history of two factor authentication

Despite being an occasional annoyance, two factor authentication has been developed to optimise personal safety while online

Saturday, 15 August, 2020

In the internet’s formative years, account security generally extended no further than a basic username-and-password combination.

As a result, the internet’s formative years became synonymous with identity theft, online fraud and compromised accounts.

It soon became obvious that using ‘password’ as a password wasn’t much of a deterrent to criminals and impersonators. Yet in 2020, it remains the fourth most-used login string.

(In case you were wondering, the three most common passwords are 123456, 123456789 and qwerty. If you’re using any of these for any online accounts, change them immediately.)

Recognising that a single password couldn’t offer comprehensive protection against the unwelcome advances of criminals, two factor authentication (also known as 2FA) arrived.

This introduces a second layer of security, meaning a chancer sitting down at an unattended laptop needs to do more than simply guess (or find) a password to gain access to an account.

It’s especially important in the age of auto-filling data fields and bookmarks, where web browsers automatically populate login fields with the correct credentials.

Max factor

Two factor authentication combines two different methods of logging into an account, to optimise security.

It was pioneered in the 1960s, when networking was taking its first tentative steps towards mainstream adoption, and many consumers first encountered it via chip-and-PIN card payments.

By the mid-1970s, smart cards had been invented, and a four-digit PIN code provided an extra layer of security during transactions.

This adheres to a founding principle of 2FA – it combines something you have (the card) with something you know (the PIN code).

It may seem surprising that as recently as 2006, credit or debit card payments could be accompanied by a signature rather than a PIN code.

Ironically, the post-lockdown drive towards contactless payments is taking us back to that simpler age, albeit with £45 purchase limits and periodic requirements to enter your PIN.

Something old, something new

On web-enabled devices, two factor authentication has become increasingly common following a spate of press coverage surrounding cyber security in 2012.

Online 2FA still uses conventional account name and password combinations in the first instance.

A second form of identification is then requested. Options include:

  1. A physical object like a card reader, which was popular with banks in the 2010s.
  2. A numeric PIN code entered into a web browser window, following the initial username-and-password login stage.
  3. Alternative additional information entered as second-stage login credentials – most commonly your mother’s maiden name.
  4. Biometric data, typically a fingerprint scanned from a compatible laptop or mobile device.
  5. A randomly-generated passcode, sent to a smartphone or email account and programmed to expire after a few moments.

The last two examples reflect how smartphones underpinned 2FA’s widespread adoption in the last decade, giving consumers an easy way to confirm ID through SMS codes or fingerprint recognition.

And while any account could still theoretically be compromised, 2FA has prevented innumerable instances of fraud and loss.

Despite the momentary inconvenience it causes when accessing personal information online, its merits seem more compelling than ever.

Neil Cumins


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!