Back to all blog posts

Two-Factor Authentication

Last month, I wrote about my family’s newborn.  I discussed our decision regarding keeping or disclosing information about our child on social media and when one option is better than the other for privacy.  This month, I wanted to take a look at something related to our child, security and authentication.  Specifically how the hospital used multiple forms of two-factor authentication to make sure newborns, and their parents, were matched.

Two factor authentication provides access to various resources based on providing at least two types of information to prove you are what you say you are. These factors come from different types of information such as:

  • Something you know – such as a password or your mothers maiden name
  • Something you have – such as a keycard, a random number that gets generated, or even a digital certificate
  • Something about you – biometrics including fingerprints, facial recognition, retina scans
  • Where you are – such as the country or room you are in or the specific computer you are using

Using the same factor twice, such as password and mother’s maiden name, does not count. You must use factors from two different categories.

After our child was born, they were given a number of ankle bracelets.  The first band had information such as mother’s name, date of birth, and a bar code that could be scanned to verify this information.  A similar band was also given to my wife, which was scanned before any medication was given, such as something to reduce pain. Both my wife and child were in the same room, so there were actually three factors here: something about them (recognition by the nurses and doctors from previous visits), something they had (the bracelets), and their location (the room they shared). (For discussion purposes, let’s equate their names to user ids.)

The coolest thing was what the hospital called “Hugs & Kisses” bracelets for both mother and newborn.  Each bracelet has an RFID chip inside that recognizes its partner.  When the mother and child are put together, a small tune is played by the bracelets, showing they are a matched pair. This is basic two factor authentication.  The first factor is the mother and child, the information being their identities.  This is something known about them, being the matched last name and something they have, the bracelets.  They match them up and confirm that the child is in the correct room with the correct mother.  There are of course examples of two-factor authentication everywhere, some of which include:

  • Banks or credit card companies send emails or text messages or makephone calls to confirm large or unusual purchases. If you live in Maine and someone buys something with your card in Texas, your bank may block this purchase until you verify it is you. (The first factor is the card, something you have, and the second is the method by which the bank contacts you, something about you)
  • Many online services will confirm your login’s authenticity by emailing you. This confirms that you are the person logging in if you are coming from a different IP address or a different computer. (The first factor is your password, something you know, and the second is the method by which the service contacts you, something about you)
  • Online gaming companies, like Blizzard, offer “authenticators” that provide an eight digit code that is needed alongside your usual password. This code changes every 30 seconds, ensuring security. (The first factor is your password, something you know, and the second is the frequently changing code, something you have)
  • The use of biometrics, alongside a password or other authentication, is also an example of two-factor authentication. Fingerprints for example.

Overall, the use of two-factor authentication may cost you or your customers some convenience, but it increases security substantially.  In the end, would you rather deal with five more seconds for better security, or handle a breach of security?  To me the choice is clear.