Protect Your Data with Two-Factor Authentication

Printer-friendly version

figure holding target

By Sam Horowitz, Chief Information Security Officer

Most information security breaches make use of valid usernames and passwords. The most common way criminals get these user credentials is through phishing. Phishing attacks are becoming highly sophisticated and difficult to identify. Spear phishing attacks are even worse, targeting system administrators and key personnel with access to banking and other highly valuable assets. Phishing and spear phishing attacks are used to gain user credentials, which criminals then use to steal money and data. This isn’t an abstract threat; there have been successful phishing and spear phishing attacks at UCSB.

It may not be possible to stop phishing, but it is possible to make the loss of a username and password less damaging. In addition to a valid username, there are three ways you can prove your identity when logging on to a computer system:

  • What you KNOW
  • What you ARE
  • What you HAVE

Two-Factor Authentication, or 2FA, combines a password, what you KNOW, with a second-factor: what you HAVE or what you ARE.

You already use 2FA every time you use an ATM. To use the ATM, you must KNOW the PIN and you must HAVE the card. Only then can you get your money.

What you ARE calls for biometric authentication. This may be a fingerprint, iris scan, retina scan, or hand geometry mapping. These biometric technologies are often used in physical security, like accessing a protected area of an airport. Fingerprint readers are starting to appear on smartphones and other devices, but they are usually used to provide access to the device. They cannot normally be used to authenticate a remote computer system.

The most common second-factor is what you HAVE. Most of us carry a cell phone, smartphone, smartcard, or a special device called a security token. When 2FA is used, a phished username and password isn’t enough. You must have a device to enable a successful logon. Regardless of the device, a special password is generated that is only valid one time. This is usually a 6 to 10-digit number. It can be sent by SMS (text message), or generated on the device using an app downloaded from the app store. Either way, without the special one-time number, you can’t logon.


Examples of security tokens

Security tokens, like the ones in the photo above, used to be the only way to generate the one-time codes that proved what you HAVE. Today, cell phones and smart phones are commonly used for that purpose. Web sites can send SMS (text messages) with one-time codes to the phones or small applications can generate these codes right on the phone itself. This is the most common way that 2-factor authentication is deployed today.


The Google Authenticator app can receive codes even if you don’t have an Internet connection or mobile service.

You might be surprised how common 2FA is becoming. Some open-source contributors have built a website,, that lists companies and services that support 2FA. Many banks and brokerage firms support 2FA, as do web services like Facebook and LinkedIn. For your protection and safety, you should consider enabling it for your accounts. I have enabled it for mine.

At UCSB, the Secure Compute Research Environment (SCRE) uses 2FA to protect research data while enabling researchers to conduct their work from anywhere in the world. If you are a Connect email service user, you can enable 2FA for your email and calendaring service. Google calls this 2-Step Verification. Of course, once you turn on 2FA it applies to all other Google Apps for Education services, like Google Drive. If you are a calendar-only Connect user, you should not turn on 2FA at this time.

Please consider enabling Two-Factor Authentication for your Connect account if you have a smartphone that is supplied by the University or a personal phone that you use to access your Connect email and calendar. Google will guide you through the process at . If you do choose to enable 2FA for Connect and you run into problems, technical support is available. Navigate to the Connect website, and select Connect Support, or you may call the Service Center at 805-893-5000. You may also start a web chat from the Connect Support page.

It’s up to you to pay attention to where you click to prevent phishing. Even with diligence, a sophisticated spear phishing attack may still be successful. Two-factor authentication can minimize the damage wherever it can be implemented.