With online security finally being taken as seriously as physical security, a new term – 2-Factor Authentication (2FA) – has been introduced to many people.
While 2-factor authentication is relatively simple, it’s also one of the most important steps to take in securing your most important online accounts.
If you’ve been confused about 2FA and whether you need it, read on!
What is 2-Factor Authentication?
For most people who grew up with computers in the late-90s or early-2000s, authentication involved only one thing – a username and password.
This kind of authentication – knowing some sort of secret – is probably the most common kind of authentication for computer systems. As people accumulated online accounts, though, this kind of authentication actually became less secure.
There are many reasons why, but it boils down to a few major things:
- Websites have gotten in the habit of using email addresses as usernames. This makes usernames easy to guess.
- Users needed to create and remember lots of passwords, so they began to reuse passwords with small (predictable) variations.
- Lax security at large companies has led to many data breaches. Sometimes these breaches leak passwords in plain text (which is very bad), but more often they leak password hashes, a scrambled form of the password that is supposed to be impossible to reverse. But…
- Many sites used fast, unsalted hash functions (MD5, SHA-1) that were never meant for passwords, and password-cracking software running on graphics cards or rented cloud machines can test billions of guesses per second against them. Combine that with the predictable variations above and attackers have a good chance of recovering a large share of the passwords in any dump.
This means that at least some of your passwords are “in the open”. You can use Mozilla’s Firefox Monitor to see which of your accounts has been in a known breach (spoiler alert: it’s probably a few).
The solution? Ask for more than one type of evidence. The second factor is usually something the user has, like a phone or a hardware key (although it could also be something they are, like a fingerprint).
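The reasoning above, as an added example that is not part of the original article: a small Python dictionary attack against a constructed dump of unsalted SHA-1 password hashes, using the kind of mangling rules (capitalize, add a suffix, leetspeak) that turn one reused base word into its "unique" variations. The usernames, passwords and salts are made up, and the base wordlist is a handful of words standing in for the leaked-password lists of hundreds of millions of entries that real cracking tools use. The second half runs the same attack against per-user salted PBKDF2 hashes to show why that storage choice makes cracking so much more expensive.

```python
# Added example, not code from the original article: why a breach of
# "encrypted" (really hashed) passwords is still dangerous, and why predictable
# variations of a reused password do not help. A tiny dictionary attack with
# mangling rules recovers passwords from a constructed dump of unsalted SHA-1
# hashes; the same attack against salted, slow hashes has to redo all the work
# for every user. All usernames, passwords, salts and hashes here are made up.
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple

# A handful of base words; real attacks use wordlists of hundreds of millions of
# previously leaked passwords.
BASE_WORDS = ["password", "letmein", "sunshine", "dragon", "qwerty"]
SUFFIXES = ["1", "123", "!", "2019", "!1"]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the kind of 'encryption' many breached sites used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Salted, deliberately slow hash (what a site should use instead)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def mangle(word: str) -> Iterator[str]:
    """Yield the 'small (predictable) variations' people apply to a base word."""
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    stems = list(dict.fromkeys([word, word.capitalize(), leet, leet.capitalize()]))
    for stem in stems:
        yield stem
        for suffix in SUFFIXES:
            yield stem + suffix


def candidates(base_words: List[str] = BASE_WORDS) -> List[str]:
    """Every guess the attack will try, in order."""
    return [cand for word in base_words for cand in mangle(word)]


# Constructed "breach dump": username -> unsalted SHA-1 of the password.
SAMPLE_DUMP: Dict[str, str] = {
    "alice": sha1_hex("Sunshine123"),
    "bob": sha1_hex("dr@g0n!"),
    "carol": sha1_hex("correct horse battery staple"),  # not in any wordlist
}


def crack(dump: Dict[str, str], base_words: List[str] = BASE_WORDS) -> Dict[str, Optional[str]]:
    """Hash each candidate once and look every user up in that table: with
    unsalted hashes, one pass over the wordlist serves the whole dump."""
    table: Dict[str, str] = {}
    for cand in candidates(base_words):
        table.setdefault(sha1_hex(cand), cand)
    return {user: table.get(h) for user, h in dump.items()}


# The same three accounts stored properly: per-user salt, 1000 PBKDF2 rounds
# (kept small so the demo runs quickly; real deployments use far more).
ITERATIONS = 1000
SALTED_DUMP: Dict[str, Tuple[bytes, str]] = {
    "alice": (b"salt-alice", pbkdf2_hex("Sunshine123", b"salt-alice", ITERATIONS)),
    "bob": (b"salt-bob", pbkdf2_hex("dr@g0n!", b"salt-bob", ITERATIONS)),
    "carol": (b"salt-carol", pbkdf2_hex("correct horse battery staple", b"salt-carol", ITERATIONS)),
}


def crack_salted(dump: Dict[str, Tuple[bytes, str]], iterations: int = ITERATIONS,
                 base_words: List[str] = BASE_WORDS) -> Tuple[Dict[str, Optional[str]], int]:
    """Same attack against salted hashes. No shared table is possible, so every
    candidate is re-hashed for every user, and each hash costs `iterations`
    rounds. Returns (results, number of slow hash evaluations performed)."""
    results: Dict[str, Optional[str]] = {}
    evaluations = 0
    for user, (salt, digest) in dump.items():
        results[user] = None
        for cand in candidates(base_words):
            evaluations += 1
            if pbkdf2_hex(cand, salt, iterations) == digest:
                results[user] = cand
                break
    return results, evaluations


if __name__ == "__main__":
    print("unsalted SHA-1:", crack(SAMPLE_DUMP))
    salted, work = crack_salted(SALTED_DUMP)
    print("salted PBKDF2: ", salted, "after", work, "slow hashes")
```

Alice and Bob fall to the wordlist in both cases; what changes with salting is the cost, which grows with the number of users times the work factor of each hash, instead of being paid once for the whole dump. Carol's long, unrelated passphrase survives either way, which is the point of the password-manager advice that follows.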
That’s all 2-factor authentication (2FA) is: you prove your identity with something you know and something you have.
Quick aside: the fact that everyone will have passwords stolen is why you must make your passwords long, complex, and unique, and use a password manager (like LastPass or 1Password) to remember them. If you’re reusing passwords (even with differences) you’re going to get burned sooner or later – the only question is how badly.
How To Use 2FA
Although it may be a new term, you’ve probably used 2FA before.
When you pay at the gas pump, and you have to swipe your card (something you have) and then enter your PIN or ZIP code (something you know), you’re using 2FA!
The process is similar for logging in to sites or apps. You’ll still have to enter a username and password, and then the app will ask for a code. It may be a time-based code generated by an authenticator app (like Google Authenticator or Duo), or it may be sent to you by email or SMS.
2FA via SMS
Probably the most common 2FA implementation uses SMS messages to send a code to a phone number linked to the account. This is generally easy to set up both for the company and the user.
SMS isn’t the most secure way to implement 2FA: the code can be read by anyone who talks your carrier into moving your number to their SIM card (a “SIM swap”), and it can be phished off you on a fake login page just like a password. Even so, this 2FA method is vastly more secure than relying on a username and password alone!
2FA via Apps
For sites that allow it, I use the Google Authenticator app as my second factor. When you enroll, the site gives the app a secret (that is what the QR code you scan contains), and every 30 seconds the app derives a fresh six-digit code from that secret and the current time; the site does the same computation and checks that the codes match. The app keeps a separate secret, and therefore separate codes, for each account, so I have codes for things like my GMail account, my LastPass login, my favorite budgeting app (YNAB), and several other apps.
There are other authenticator options: LastPass Authenticator, Duo Security, Authy, and Microsoft Authenticator. They all (including Google Authenticator) have various pros and cons, but they are relatively easy to use, and provide a measure of security above and beyond SMS 2FA (which, again, is way above the security provided by passwords alone).
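How an authenticator app’s codes are produced, as an added example that is not code from the original article or from any of the apps it names. It implements the standard those apps share (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) with the defaults Google Authenticator uses: SHA-1, 30-second steps, six digits. The secret is the RFC test-vector key, not a real one, and the `verify` function is my sketch of the server side; its drift window, replay check and constant-time comparison are choices I made for the example, not a description of what any particular site does.

```python
# Added example, not code from the original article or from any authenticator
# app: how TOTP codes are computed on both sides (RFC 4226 HOTP + RFC 6238 TOTP).
# Assumptions: SHA-1, 30-second steps, six digits (Google Authenticator's
# defaults). The secret is the RFC 6238 test-vector key, not a real one.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds each code is valid
DIGITS = 6

# Base32 form of the RFC test key b"12345678901234567890"; this string is what
# the enrollment QR code carries. Demo value only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the secret as shown to users (spaces, lower case, no padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """What the app displays: HOTP with the counter set to time // step."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // step)


def verify(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1,
           last_counter: Optional[int] = None, step: int = STEP) -> Optional[int]:
    """Server side (my sketch, not any site's real logic). Accepts the code for
    the current step and `window` steps either side to tolerate clock drift,
    compares in constant time, and refuses any counter <= last_counter so a
    code an attacker captured cannot be replayed. Returns the matched counter
    (store it as the new last_counter) or None."""
    now = int(time.time()) if at is None else at
    secret = decode_secret(secret_b32)
    current = now // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # The code for "right now" with the demo secret; a real app would show the
    # same six digits because both sides share the secret and the clock.
    print(totp(DEMO_SECRET_B32))
```

Two things the paragraph above glosses over are visible here: the codes are not random but fully determined by the secret and the clock, which is why losing the secret (or the backup codes) matters so much, and the server has to tolerate a step or two of drift while still refusing to accept the same code twice.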
If you want something with even more geek cred, you could get a YubiKey, a small physical key about the size of a small thumb drive that you must physically plug into your computer (or tap against your phone) when logging in. Used with the FIDO/WebAuthn standard, the key signs a challenge that is tied to the site’s real domain, so a look-alike phishing page gets nothing it can use; that makes it the strongest of these options.
When to Use 2FA?
In general, you should use 2-Factor Authentication whenever and wherever you can!
However, the best place to start is one of the places you are most vulnerable: your email.
If you have GMail, they have a pretty nice walk-through of how to set up 2FA on your Google Account here. They walk you through everything and make it very easy!
One small note: if you use the Google Authenticator app, do make sure to keep the backup codes Google gives you in a safe (and memorable) place! They are your way back into the account if your phone is lost or replaced, and each one works only once.
Other places you can set it up include your password manager (here are steps to set it up in Lastpass), money transfer services (Paypal and Venmo), shopping (Amazon, eBay), travel (Uber), and social media (Facebook, Twitter). Obviously there are lots of possibilities, but you should strongly consider 2FA whenever you have important financial or personal information stored in an online account.
Lock your (online) doors!
No matter which way you go, I would strongly recommend taking some time to do the boring but necessary work of setting up a password manager, changing all your passwords to be long and unique, and setting up 2FA on your most important sites.
While none of these will make you impervious to bad actors, they will make you a much smaller target (and hopefully not worth the trouble!).