You are here: Home page > Computers > Security tokens

A general illustration of computer security: a padlock sitting on a computer keyboard.

Two-factor authentication

Every time you leave your home, you're probably very careful about locking all the doors and windows, maybe even switching on an intruder alarm if you have one. You can't be too careful, right? But how careful are you when it comes to securing your computer? Do you take pains to choose complex passwords and not write them down where other people can find them? Even if you do, isn't it just possible someone else could hack into the systems you use and do all kinds of damage? Now more and more people are moving their lives online, banks, ecommerce (shopping) websites, and others are having to take security far more seriously, no longer relying on simple passwords to keep intruders at bay. One increasingly popular measure is called two-factor authentication, and it's the online equivalent of a combination lock whose code keeps on changing. How exactly does it work? Let's take a closer look!

Photo: Your computer and the online systems it gives you access to may be one of the most valuable things in your life, but how secure is it really?

Sponsored links


  1. Why online security isn't always secure
  2. What is two-factor authentication?
  3. What is a one-time password?
  4. How are one-time passwords generated?
  5. Who is using two-factor authentication?
  6. Find out more

Why online security isn't always secure

Most people now access all the important areas of their life—banking, shopping, insurance, medical records, and so on—simply by sitting at their computer and typing a username and password into a website. Getting access to something this way is called one-factor authentication, because you need to know only one thing to get into the system: the combination of user name and password is like a single key to a single lock. In theory, this kind of protection should be reasonably secure; in practice, it's less and less trustworthy. Many people choose trivial passwords that are easy to guess (like their partner's or child's name, their own name, or even the word "password"). Or they write passwords down on sticky notes stuck to the computer or let their web browser store passwords for them. Lots of people use the same username and password across many different websites (so a rogue user who steals your details from one site can immediately get access to any other site you use). If you regularly use cyber cafés, or computers at colleges or other public places, there's a risk you could inadvertently store your password on a machine someone else will use or forget to log out of a secure site.

Sponsored links

Even if you're sensible with passwords, you're not necessarily as secure as you think: your password can be stolen in all kinds of ways you'd never even notice. It's possible for clever hackers to write keystroke logging programs that sit quietly on your computer remembering all the keys you press, including any passwords you enter. Viruses, worms, and other kinds of malware (malicious software) are often rumored to install keystroke loggers like this on people's computers. In theory, passwords can also be stolen in transit as they're being sent from the user's web browser to the server that checks ("authenticates") them—something known as a man-in-the-middle attack; malware installed in your browser can capture passwords even more easily (that's known as a man-in-the-browser attack). If you're using a typical Wi-Fi (wireless Internet) setup, everything you type into your browser is broadcast publicly for a distance of up to 100m (over 300 ft) as it travels through the air to the router that takes you online. If your system doesn't use proper encryption, it's possible (in theory at least) for any sensitive information going back and forth between your computer and the Internet to be captured by an electronic eavesdropper. And since passwords are often relatively trivial, and computers are becoming faster and ever more sophisticated, it's possible for hackers to use completely automated methods to get access to online systems. In one well-known technique known as a dictionary attack, a hacker can program a computer to log into someone's system by brute force, trying a list of common words (or names) as passwords, one after another, until it hits the right one by chance.

Banks and other organizations prone to cyber crime make life harder for online intruders and thieves by requiring users to enter more pieces of information at signon. You might have to enter not just a username and password, but also a memorable piece of information such as your date of birth, the town where you were born, your pet's name, or whatever it might be. That's more secure, but it still doesn't overcome problems like keystroke loggers, insecure Wi-Fi, man-in-the-middle, or dictionary attacks.

What is two-factor authentication?

... at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google accounts use two-step authentication to lock down their services

The Register, 2018

In the real world of bricks-and-mortar, banks try to secure their valuables by putting them in vaults that have multiple security devices. A safe might need two different sets of keys to open it, for example, with each one held by a different, senior member of staff. Or it might have a timelock that means it opens only between certain hours of the day, whether you have the right keys or not.

The online equivalent of this is called multi-factor authentication (MFA) and it means you have to pass distinctly different types of security check to get access to a computer system. In theory, just as you could have a bank vault secured by any number of keys and other security devices, so you could have an online bank or shopping website secured by lots of different security checks. In practice, most online systems that use this extra security currently require you to sign in with a username and password and satisfy one extra security check as well. Since two separate checks are involved instead of the normal one, this is often called two-factor authentication (2FA or TFA) or two-step verification.

What is a one-time password?

So what's the extra check? Where signing into computer systems and websites is concerned, it usually involves entering a disposable password, which is valid only once and changes every time you sign-in. This is called a one-time password (OTP) and a new one is generated fresh each time you access the system. Typically a one-time password is a series of meaningless numbers or characters or it might be a half dozen or so short, random words. How do you know your one-time password if it keeps changing? It's not something you're expected to remember: it's generated automatically and sent to you by some method other than online transmission. It might be sent to your cellphone (mobile phone) as an SMS text message; it could be generated by an app running on your phone or by a dedicated, handheld electronic gadget called a security token; it might even be printed out and mailed to you on paper, the good old-fashioned way.

The Microsoft Live sign in screen with its single-use password option.

Photo: Microsoft Live now gives you the option of signing in with a disposable, one-time password (or "single-use code," as they like to call it). How does it work? If you're using a public computer, you might prefer not to type in your normal password in case someone is looking over your shoulder (or you're worried about key logging). If you've registered your cellphone number with the site, you can click a link to have a single-use code sent to your phone, which you then enter in place of your password, as shown here.

Unlike a conventional password, which is "something you know" and remember, your one-time password comes from "something you have" and keep, such as a text message, a security token, or a piece of paper. (In books and articles about computer security, you'll often see the two different "keys" that unlock a system protected by two-factor authentication referred to as "something you know" and "something you have.") Usually you have to type the one-time password into the website or computer you're trying to access, though some security tokens use wireless technologies (such as RFID) or plug in to computers via USB sockets, automatically transfer a one-time password without your having to bother about it, and grant you access that way; a plug-in token like this is a bit like a computerized key that unlocks the door to your system and is sometimes called a dongle.

Signing into Outlook with a one-time cellphone code.

Artwork: Some sites now use one-time password codes by default. When I go to sign into Outlook mail, for example, I'm not asked for my usual password. Instead, a code is immediately sent to my cellphone and I have to type that instead. I can still decline to sign in this way and use a conventional username and password if I want to, so this isn't as secure as two-factor authentication,

How are one-time passwords generated?

If a one-time password is going to give you access to a computer system, the disposable password you hold in your hand obviously has to match the password the computer has in its memory, just like a conventional password. The only trouble is, the password has got to change every time you use it. This means there has to be some form of synchronization that allows both you and the computer system to use the same, ever-changing password, without the computer having to transmit it to you each time by some insecure method such as email. You can see how this would work with a cellphone-based system: the computer system would generate the one-time password, send it to you in an SMS text message, and then allow you a certain time period to type it in before the password expired. A mail-based system works in essentially the same way, but the password would have to be valid for longer to allow for delays in transit (some banks will mail you a whole printed list of one-time passwords, called transaction authentication numbers or TANs, that you use and then strike out in sequence, matching a list of passwords stored on the computer system).

But how does the synchronization work if you have something like a security token generating one-time passwords for you? One method, called time synchronization, involves the token and the computer system both generating new one-time passwords based on a numeric version of the current time. They might take the time, say 5:08PM, turn it into a numerical code, 1708, then run it through a code generator and an algorithm (a mathematical process) called a hash function (or hash code) to generate a unique 10-digit code, which becomes your one-time password. As long as the token and the computer system have their clocks synchronized, the token will always generate a one-time password that matches the one the computer is looking for. But if the clocks get out of step, the token won't generate correct passwords anymore and will need to be reset.

A different method involves the computer system and the token starting with a shared number called a seed and generating a new one-time password using a constantly advancing counter. The first time a password is needed, the computer and the token use the counter number 0001 with the seed number to generate the password; some time in the future after lots of passwords have been generated, the counter might stand at 0299 inside both the computer and the token, so that number would be used with the seed to generate the password for the next time. This technique is called counter synchronization and doesn't suffer from the disadvantage of keeping clocks in step.

Who is using two-factor authentication?

It's early days so far and most websites are still relying on a basic combination of username and password (one-factor authentication) to grant or deny us access. Some sites, including PayPal, Amazon, and Google, have now introduced two-factor authentication as an option for customers who want the reassurance of added security. PayPal's Security Key system offers a choice between sending you one-time passwords in SMS messages or generating them with a token, while Amazon's AWS system uses inexpensive tokens supplied by Gemalto to generate its passwords. Google has an app called Google Authenticator that constantly generates either time-based or counter-based one-time codes every sixty seconds. Once you've enabled two-factor authentication for your Google account, you use the Authenticator to generate a new one-time code that you enter each time you sign in. (One minor drawback is that if you have two phones/tablets or other devices, you have to set them up together, in a synchronized way, or they won't generate the same one-time code. You can't add an extra device later without resetting the others you already own.)

Google Authenticator

The Google Authenticator mobile app greatly increases the security of your Google Account. You download the app, set it up with your Google account details, then use it to generate a new security code every time you want to sign in—so, in this case, your mobile device ("something you have") becomes the second factor. When you want to log in to Google on your computer, you enter your Google user name and password on the usual login screen, then a second screen prompts you for the one-time security code generated by your mobile at that instant (the Authenticator app constantly generates new codes that are valid for only 60 seconds). If your password is compromised, it doesn't matter: only someone with your mobile device (and app) will be able to access your account.

Using Google Authenticator two-factor authentication to sign in.

Photo: Google Authenticator generates a new one-time password once a minute.

You can also use Google Authenticator to secure other online logins such as your Facebook account. It generates an entirely different numeric code that you can see "running" underneath your main Google code. Two-factor authentication is optional for most Facebook users, but mandatory if you're doing things like running political advertising.

Using Google Authenticator with Facebook

Google Authenticator is an example of two-factor authentication that uses time synchronization, which means the time on your mobile device must be correct. If the time gets slightly out of step, or doesn't update itself at a time of the year when your time-zone changes (for daylight saving time or whatever), you'll find Google Authenticator will generate the wrong code and you won't be able to get into your account. If this happens, the solution is to check your mobile has the correct date and time.

Online banks are also experimenting with a variety of different multi-factor authentication systems. Some isse customers with handheld card readers that generate one-time passwords using your credit-card number and PIN; others send one-time passwords to your cellphone by SMS text or ask you to confirm you're logging in by sending a message to a banking app, which you have to set up securely in advance. In future, as more and more organizations introduce measures like this, we could find ourselves with a plethora of different dongles, tokens, and other security devices to control access to all the sensitive online systems we use—a veritable electronic keyring, in fact. But we'll also see criminals becoming increasingly sophisticated as they seek even more outlandish ways of cracking secure systems.

A handheld chip and pin two-factor security device used by the Cooperative Bank.

Photo: Many banks are now issuing two-factor authentication devices to customers to make online banking more secure. You put your bank card into the device, enter your PIN number, and it generates one-time passwords that you can enter into online banking websites. If you have accounts with several different banks, you don't need a card reader for each one. The banks have agreed a standard system between them, so you should find that a card issued by one bank will work in a card reader issued by any other bank. That's handy if you're away from home without a reader: you should be able to use a friend's.

Check for secure connections!

Are you connecting securely? Whenever you're sending personal or confidential information to a website, check that it's using an https connection, which encrypts the back-and-forth dialogue between your web browser and the server that hosts the website it's talking to. Look in the browser's URL bar. The most secure websites use both authentication (the bank's name is clearly shown, proving they're who they say they are) and encryption (shown shown by the https part of the URL, a padlock that's typically colored green or yellow, or a message like "Secure" in some browsers); many websites use encryption alone.

An example of an https URL in a browser address bar, shwowing that it is both authenticated and encrypted.

Artwork: An example of a secure browser connection.

Note that https does nothing more than secure the connection between your browser and the server it's talking to. It does not make a website completely secure. For example, are there pages on the website that don't use https? How does the website store your information when it's collected and decrypted it? Who has access to your data? Are you forced to change your password quite frequently? Does the site use two-factor authentication? Using https is only one of the things a business needs to do to make its website secure.

Sponsored links

Find out more

On this website


News and articles

Please do NOT copy our articles onto blogs and other websites

Articles from this website are registered at the US Copyright Office. Copying or otherwise using registered works without permission, removing this or other copyright notices, and/or infringing related rights could make you liable to severe civil or criminal penalties.

Text copyright © Chris Woodford 2010, 2022. All rights reserved. Full copyright notice and terms of use.

Follow us

Rate this page

Please rate or give feedback on this page and I will make a donation to WaterAid.

Tell your friends

If you've enjoyed this website, please kindly tell your friends about us on your favorite social sites.

Press CTRL + D to bookmark this page for later, or email the link to a friend.

Cite this page

Woodford, Chris. (2010/2022) How security tokens work. Retrieved from [Accessed (Insert date here)]


@misc{woodford_2FA, author = "Woodford, Chris", title = "How security tokens work", publisher = "Explain that Stuff", year = "2010", url = "", urldate = "2022-09-10" }

More to explore on our website...

Back to top