2-Factor Authentication (2FA) is a good way to protect your online accounts. Here’s what it is and how to use it.
Passwords are only the first step to good security
We have passwords to many online accounts, and choosing a good one for each can be hard. That’s why so many people wind up reusing the same password over and over again or, just as bad, picking one that is too weak. Here are the top-10 most hacked passwords.
The Basics of 2-Factor Authentication
Basically, 2FA involves something you know, and something you have.
something you know
The something you know is your password. Yes, I advocate the use of a password manager, and those that do so don’t know most of their passwords. But still, the password is assumed by the app or website to be something we know and type in to gain access.
something you have
The something you have is usually your phone. But there are other devices like a YubiKey that can be used. I’ll go over YubiKeys in a later article.
How 2FA uses your phone
With a text message (SMS) code, the app or website sends a text message to your phone with a code for you to type in. This is the least secure method, as bad guys are able to hijack a phone number and have the text message routed to them instead of you. But in reality, unless someone belongs to a 3-letter government agency, I don’t see them being a target for that.
A push notification is where an app on your phone notifies you that an attempt to log in has been made. It asks you to verify that it is really you. Both Facebook and Google use this method. This is more secure than a text message.
Google does this by default.
An authentication app is an app on your phone that generates a 6-digit code every 30 seconds. The website or app you are trying to log into asks you to check your authentication app for the code.
Examples of authenticator apps:
- Google Authenticator (the one I use)
- LastPass Authenticator
- Microsoft Authenticator
…and many more. These are the 4 most popular.
Using an authentication app involves some setting up, and can be a challenge when you get a new phone, because the secret the app holds has to be re-enrolled on the new device. In a future post I will detail how to set up and use an authentication app.
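To make concrete what an authenticator app is doing when it shows a 6-digit code every 30 seconds, here is an added example (not code from the original post or from any of the apps named above) of the standard algorithm those apps implement: TOTP from RFC 6238, which is HOTP (RFC 4226) with the counter set to the current Unix time divided by 30. The secret used below is the published RFC 6238 test-vector secret, not a real enrollment secret; the base32 string is that same secret in the form a QR code or setup page would present it. The `verify_totp` function is the server-side half, and shows two details a practitioner cares about: accepting one step of clock drift on either side, and refusing to accept the same step twice so a code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 / RFC 4226 test-vector secret (20 ASCII bytes). Constructed for this example;
# a real app would generate a random secret at enrollment.
RFC_SECRET = b"12345678901234567890"
# The same secret as an authenticator app would receive it (base32, as in an otpauth:// URI).
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). This is the phone-side code."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the matched counter (to be stored as last_used_counter), or None.

    window=1 tolerates the phone's clock being one 30-second step ahead or behind.
    Any counter <= last_used_counter is rejected so an observed code cannot be replayed
    within the drift window.
    """
    if at_time is None:
        at_time = int(time.time())
    if len(code) != digits or not code.isdigit():
        return None
    counter = at_time // step
    for drift in range(-window, window + 1):
        candidate_counter = counter + drift
        if candidate_counter <= last_used_counter:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, candidate_counter, digits), code):
            return candidate_counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown at enrollment; tolerate spaces and missing '=' padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_BASE32)
    print("phone shows:", totp(secret))
    print("server accepts:", verify_totp(secret, totp(secret)) is not None)
```

Running the block prints the current code for the test-vector secret and confirms the server side accepts it. Because the phone and server share only the secret and the clock, no code is ever sent over the network at setup time; that is why a new phone needs the secret re-enrolled rather than the old one "transferred".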
YubiKey (or similar device)
A YubiKey is a small device that looks like a thumb drive. To use it, you insert it into a USB port. This is the “something you have.” In addition, some YubiKeys are NFC enabled (see here for a brief explanation on NFC) so they can be used with a smart phone by simply tapping. And some have fingerprint readers, so in case it is lost or stolen, no one else can use it. This adds another factor.
A Yubikey is the safest 2FA method. In this article I go over how even text, push notifications, and authentication apps can be bypassed.
when should you use 2FA?
You be the judge of that. I use it anywhere I would stand to lose something if someone got hold of my password.
- Investment sites
- Shopping sites
E-mail is one of the most important accounts to have 2FA set up on. If someone had access to your email, they wouldn’t need your bank/investment/shopping password. They could request a password reset, and when the reset email arrives, they intercept it, change your password, then delete the email.
Now not only does someone have your password, you no longer do. You could request a change, but they could simply change it back.
So use 2FA wherever you need it. It’s a bit of a hassle to use in a hurry, but it’s less of a hassle than having a bad guy steal your money.
As always, if you have a question about this or any other post, please leave a comment below, or you can email me at email@example.com.