You have a strong password, but you still want more protection online. What else can you do? Experts agree the next best thing is two-factor authentication. But what exactly is two-factor authentication (2FA)? Writer Nick Asbury describes it best:
It’s like meeting a blind date. You arrange the time and place (something you know) and agree to carry a red rose in order to recognize each other (something you possess). Secure authentication at first sight.
In the analogy above, your password is the “something you know” and two-factor authentication is the “something you possess.” That “something you possess” often comes in the form of 4-8 random digits, but can also simply be a prompt on a secure device.
A great place to start is Two Factor Auth which conveniently allows you to search through various websites to see if they support 2FA or not. If you have an account with a website that supports 2FA, all you need to do is go to your account’s security settings and follow the instructions to complete the setup. Be patient though; websites are known to bury this setting and may even label it differently; e.g., “2-step verification” or “login approvals.”
Last, don’t fret over having another step to perform in order to log in – a lot of websites only require 2FA when you log in on a different device or if a certain number of days have passed since you last logged in.
Going the Extra Mile
As with most things in life, however, there are some caveats you should know about. For instance, the term 2FA (which is sometimes described as “multi-factor authentication” or “MFA”) is often used interchangeably with the term 2-step verification (2SV). While technically these are different implementations of securely logging into an account, most of the time when someone uses these terms they are talking about 2FA. Don’t worry though – both types are fantastic solutions for increasing your security, but what exactly is the nuance?
2-step verification requires two pieces of information: your password (something you know) and a one-time passcode (something you possess). From a technical perspective, though, the one-time passcode is actually considered something you know too. This is because the “key” that generates the one-time passcode is stored on your device, and anyone who copies that key can generate the same passcodes. Thus, an attacker would need to steal two things, neither of which is a physical object:
- Your password
- The key configuration stored on your device
Two-factor authentication, on the other hand, would require an attacker to steal not only your password (again, something you know), but also your physical device (something you possess) in order to gain access to your account. This is because the one-time passcode or prompt is generated outside of your device.
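To make the 2-step verification point concrete, here is an added example (not from the original article) implementing the standard one-time passcode algorithm (HOTP/TOTP, RFC 4226 and RFC 6238). It uses the RFC test key; the `verify` helper and its drift window are this example's own design. The same shared key produces the same codes on the phone and on the server, which is why a copied key configuration is as good as the device itself.

```python
import hmac
import hashlib
import struct

# RFC 6238 reference key (a constructed test value, not a real secret).
SHARED_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(key, at_time // step, digits)


def verify(key: bytes, submitted: str, at_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of clock drift,
    comparing in constant time so a wrong guess leaks no timing information."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(key, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


def copied_key_matches(key: bytes, at_time: int) -> bool:
    """The article's point: a second device holding a copy of the key
    produces exactly the code the original device would show."""
    stolen_copy = bytes(key)  # constructed: an attacker's copy of the key configuration
    return totp(stolen_copy, at_time) == totp(key, at_time)


if __name__ == "__main__":
    t = 1111111109  # an RFC 6238 test timestamp
    print("code at t:", totp(SHARED_KEY, t))
    print("verify:", verify(SHARED_KEY, totp(SHARED_KEY, t), t + 20))
    print("copied key gives same code:", copied_key_matches(SHARED_KEY, t))
```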
Another concern is what happens if you lose the phone or secure device used during the 2FA process. Thankfully, websites have thought of this too and will sometimes offer “backup codes.” In instances where you don’t have access to your device, you can use one of these backup codes (which, for security reasons, are only good for one use) to log in to your account. You can either save these one-time codes on your computer or print them out. Wherever you store them, though, make sure it is a place where you will not forget them and where someone else cannot easily steal them.
Last, but certainly not least, some websites that offer 2FA will offer to send you 2FA codes via a text message. If there is no other option, receiving a text message containing your 2FA code is better than nothing. However, if a website offers other means of receiving a 2FA code (e.g., generator apps, device prompts, hardware tokens, etc.) you should always use those instead of a text message. This is because phone carriers have proven in the past to be very lazy, insecure, inept, negligent, unprepared, sloppy, blind, and apathetic when it comes to securing your information.