Two-Factor Authentication, A New Minimum


I like the simplicity of the example on Wikipedia for two-factor authentication:

To provide an everyday example: an automated teller machine (ATM) typically requires two-factor verification. To prove that users are who they claim to be, the system requires two items: an ATM smartcard (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user’s accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes two-factor verification more secure: there are two factors required in order to authenticate.

So if the banks think it’s necessary, why don’t we? I certainly do. I no longer accept a single form of authentication in anything related to communication systems. Sadly that can be a tall order. I recently found a very promising online finance application (which will be kept anonymous here because they really do hold a lot of promise) that not only had not implemented two-factor authentication but had “no foreseeable plans” to do so. Ouch! Am I putting my financial data there? No thank you. And neither should you. But finance aside, I see it all the time on computers, phones, email, websites… the list goes on. In fact, many people don’t even enforce a single form of authentication. Does your phone have a password on it right now? What about your laptop? Desktop at home? If you answered no to any of those, you need to make that change a priority in your life.

It would be redundant for me to list how badly this could end for you. I have friends, relatives and strangers tell me all the time that they lost money to fraud. You’ve heard the stories too. You know that somehow, some way, you’ve linked your bank account to some device that communicates online. Right. Now go add a password. And if the system you’ve chosen doesn’t also allow you to enable two-factor authentication, change systems. If we don’t tackle this head on, we’re continuing to feed the everlasting insurance payback circle for which we’re all accountable. So make it your duty to take the necessary steps to ensure your side is as secure as practically possible. Like most things, there clearly isn’t a single solution, but I’m referring to a new minimum that is long overdue, and it’s time to force it through.

Whitson Gordon published an article about it a little over a year ago on Lifehacker with a decent list of service providers that have already adopted the technology. The article also does a good job of explaining the functionality in lay terms.

The Globe & Mail also published an article in which they list a few Canadian banks that have adopted two-factor authentication.

Both Google and Microsoft as well as most large players in email, storage and otherwise cloud solutions encourage it. Here’s a great site that is attempting to keep an updated list of providers adhering to multi-factor authentication.

But having it available, and even encouraging it, isn’t enough in my opinion. And that’s where we come into play. All these entities rely on something we have all come to know as demand. If we don’t ask for it…
