Tech Tip: Secure Your Accounts with Two-Factor Authentication (2FA)
Image by Pete Linforth from Pixabay

March 19, 2021

We’ve covered good passwords on this site many times. As a refresher, a good password is unique and strong. And you don’t need to remember all your passwords: storing them in a password manager means you only need to remember one really strong Master Password. In this tech tip we’ll learn about Two-Factor Authentication, also known as 2FA, and why it’s important.


But what if your password for a website – like your email or Facebook – gets out anyway? This could be through no fault of your own. Insecure websites with bad security practices are unfortunately a reality. Password breaches happen all the time. You can (and should) sign up to receive notices of breaches from HaveIBeenPwned, but they might not show up on that site for months or even years. It could just take an attacker minutes to get into your account.

It’s nearly impossible to avoid a situation where your password for some website has been leaked. But you can take a little more control and prevent people from logging into your account – even if they have your password!

TL;DR

This one got a little long. Here’s the quick version:

Passwords aren’t necessarily enough to protect your online accounts. Using a second factor, by getting a special one-time code via text message, app or hardware device, can help you keep your accounts secure even from people who got your passwords. See the Conclusion for more of a roundup.

That Second Factor

Different sites call it different things. Google calls it Two-Step Verification. Most other places call it 2FA, or Two-Factor Authentication. No matter what name it has, enabling it gives you an important extra layer of protection for your accounts.

Your password is something you know. But if you know something, other people can learn it too. 2FA’s extra layer is something you have: a phone or hardware key tied to your account. Proving you have it usually means entering a short, random-looking code that is generated for that login and stops working after a minute or so.

A 2FA Example

Before we get into the various types of 2FA and which one you should use, here’s an example on how it works. I have 2FA enabled on this very site, to protect the WordPress setup. When I go to login, I enter my username and password:

The WordPress login screen. The name is tftpadmin. The password field is filled in.

Without 2FA, entering the right username and password would get you into the site. But what if someone got this password? With 2FA on, after I enter my password I get this prompt:

WordPress 2FA login. Please enter the verification code from your 2FA authentication app below to login. There is a text field that says Authentication Code and a button that says Authenticate.

And unlike my password, the Authentication Code I have to enter there is only valid for a short window, typically 30 to 60 seconds. It changes with time, so even if someone sees it they can’t use it later.

Types of 2FA

When you set up 2FA on an account, you may be given a choice as to which type you want to use. There are 3 major ways to get these codes, each with their own benefits and drawbacks.

Text Messages (SMS) 2FA

This is usually the most convenient, but least secure. You’ll get a text message sent to your phone when you try to log in.

Text message: Your Lyft code is 793853. Please keep it private: Enter the code directly into the Lyft app or Driver Dashboard only, and never share it over the phone.

Benefits: If you have a phone, this takes the least setup and is the easiest to use.
Drawbacks: You have to have a phone, have cell phone service (good luck if you’re traveling internationally), and if you change your phone number you have to update every single account. It’s also the least secure of 2FA methods.

The least secure? Yes. Attacks on text message 2FA have been happening for years, and none of them require touching your phone: the attacker only has to get your texts delivered somewhere else. The signaling system behind text messaging, SS7, is old and insecure; carriers can be talked into moving your number to a new SIM (a “SIM swap”); and business texting services can be abused to reroute your messages. Most recently, Joseph F. Cox writing for Vice showed that a hacker could reroute and read his text messages using one of those commercial services, for $16. He had given the hacker, Lucky225, permission to do this. Others haven’t been so lucky: in 2016, activist DeRay Mckesson’s phone number was hijacked through his carrier, letting the attackers post pro-Trump messages to his Twitter account.

Text message 2FA is better than nothing. The Internet is full of smug security experts (many of whom I do respect) saying that you shouldn’t use SMS 2FA. And they’re right, to an extent. But it’s still better than nothing. If you can use a better method (read on) you should. If not, go ahead and use text messages.

Software Code 2FA

This is a good middle ground between convenience and security. With a software code, also called Soft OTP, Authenticator App or App Authentication depending on the service, you install an app on your smartphone that generates a fresh six-digit code every 30 seconds from a secret the site shares with the app when you set it up. When you log in and are asked for the code, you open the app and copy it over.

I’m partial to the Authy app, but there are others out there as well. When you set up this kind of 2FA, you’ll be asked to scan a QR code on your screen with the Authy app. Here’s a screenshot of what that looks like with Google (from Authy’s own site; they’ve blacked out the actual code but you can see part of it behind the square).

After setting this up, next time you log in you’ll be asked to enter the code generated by the Authy app, which is as simple as opening the app and tapping the account. (Image from Authy’s site.)

Benefits: Doesn’t require an Internet connection on your phone except to download the app and make backups, because the code is computed from the shared secret and the current time (the TOTP standard) rather than sent to you. With Authy, you can back up your codes to their service so you can switch phones easily. More secure than text messages: there is no phone number to hijack.
Drawbacks: Still requires a phone or other ‘smart’ device like a tablet or iPod Touch. The QR code you scan during setup contains the secret itself, so don’t screenshot it or leave a printout lying around; anyone who has it can generate your codes. If your phone is stolen, you need to take steps to remove it from your Authy account. Using backups requires trusting the Authy service (I do this for most of my accounts, which is worth noting). Like text message codes, app codes can still be phished: a look-alike login page can ask you for the current code and relay it to the real site within its 30-second window.
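To make concrete what the app is doing, here is an added example in Python (mine, not code from the original post or from Authy) that implements the standard these apps follow, TOTP (RFC 6238): it decodes the kind of otpauth:// URI a setup QR code contains, generates the 30-second code, and verifies a submitted code with a little tolerance for clock drift. The URI, label and secret below are constructed for illustration and belong to no real account.

```python
"""TOTP (RFC 6238) as used by authenticator apps: generate and verify codes.

Added example. The otpauth URI and its secret are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a setup QR code encodes (NOT a real account's secret).
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Return (label, secret_bytes, digits, period) from an otpauth://totp URI.

    The QR code the site shows is just this URI: whoever reads it holds the
    shared secret and can produce every future code for the account.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # base32 needs padding to 8 chars
    secret = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    label = unquote(parsed.path.lstrip("/"))
    return label, secret, digits, period


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=6, period=30):
    """Time-based code: the HOTP counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, int(at_time) // period, digits)


def verify_totp(secret, submitted, at_time, digits=6, period=30, skew=1):
    """Accept the code for the current step and `skew` steps either side.

    This tolerance is why a code often still works for a few seconds after the
    app shows a new one; it also bounds how long a shoulder-surfed code is useful.
    """
    step = int(at_time) // period
    return any(
        hmac.compare_digest(hotp(secret, step + offset, digits), submitted)
        for offset in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    label, secret, digits, period = parse_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(secret, now, digits, period)
    print(f"{label}: {code} (valid for about {period - int(now) % period}s)")
    print("server accepts it:", verify_totp(secret, code, now, digits, period))
```

The `hotp` function is checked against the published RFC 4226/6238 test vectors (secret `12345678901234567890`), so you can confirm it matches what a real app would show; the verifier with `skew=1` is the server-side counterpart that explains why a code keeps working briefly after it rolls over.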

Hardware Key 2FA

This is the ‘hardcore’ version. It’s a physical device that you plug in to your computer via USB (or wave at your phone, for some newer versions) and press a button on it to log in. Here’s mine plugged into my computer.

And here’s what it looks like to log into a site, in this example Dropbox. After this prompt, I tapped that yellow button and logged in.

Screenshot: Sign in. Insert your security key to use it. After inserting, tap your key if it has a button or gold disk.

For most people, I don’t recommend going the hardware token route. While it’s the most secure and that level of security is important for some, it’s also the most inconvenient.

Benefits: The most secure of the 2FA implementations you’ll find for web apps. The key’s response is bound to the website’s address, so a look-alike phishing page can’t relay it the way it can relay a code you type in. Doesn’t require a phone, and works offline.
Drawbacks: Not widely supported. Requires purchasing a physical hardware key and not losing it. Recovery is a very difficult process if you lose the key, so register a second key as a spare wherever the service allows it, and keep your backup codes (see below).

Backup Codes

No matter which 2FA method you choose, save your backup codes. Most services will give you an option to grab a set of these codes, which you can use if you can’t get a text message, can’t use your 2FA app, or don’t have your hardware key. Each code typically works only once, which is good: a code that has been used (or leaked) is dead. Save these in your password manager!
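As an added example (not from the original post), here is how a site can implement one-use backup codes in Python: the codes come from the operating system’s random source, only salted slow hashes of them are stored, and a code is deleted the first time it is redeemed. The code format and the hashing parameters are my illustrative choices, not any particular service’s scheme.

```python
"""Single-use backup codes for 2FA recovery: random, stored hashed, burned on use.

Added example; the format (two groups of four characters) and the hashing
parameters are illustrative choices, not any particular service's scheme.
"""
import hashlib
import hmac
import secrets

# No 0/O or 1/I, so a code read back from a printout is not mistyped.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count=10, groups=2, group_len=4):
    """Return `count` codes such as 'K7QX-2M9F', drawn from the OS random source."""
    return [
        "-".join(
            "".join(secrets.choice(ALPHABET) for _ in range(group_len))
            for _ in range(groups)
        )
        for _ in range(count)
    ]


def normalize(code):
    """Ignore dashes, spaces and case so a code copied from paper still matches."""
    return code.replace("-", "").replace(" ", "").upper()


def hash_code(code, salt):
    """Slow salted hash: a leaked table must still be brute-forced one code at a time."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """What the server keeps: a salt and the hashes of the codes not yet used."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def redeem(self, submitted):
        """True exactly once for a valid code; False afterwards and for garbage."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[i]  # burn it: the same code never works twice
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("save these in your password manager:", *codes, sep="\n  ")
    print(store.redeem(codes[0]), store.redeem(codes[0]))  # True, then False
```

Because the server holds only hashes, a database leak does not hand out working codes, and because a matched hash is deleted on the spot, a code copied from your printout is useless once you have spent it.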

What’s Next & Resources

You still need to set up 2FA on your accounts! Pick the method that works best for you (SMS, App, Hardware). I recommend starting with email, then social media, financial institutions and other places you store important personal information.

The details of each service are too varied to get into in this article, but websites like 2fa.directory and Authy itself have great guides – just search and follow the steps!

Want more detailed help? Tech for the People patrons get a 30-minute one-on-one chat with me. Or, sign yourself, community group, business or friends & family up for a customized security training!

Are you enjoying Tech for the People? This site will always be free and ad-free, but you can support it by donating via Venmo, PayPal, or by becoming a monthly supporter on Patreon - where you can get some really nice perks!

Tech Tips
2fa, account security, passwords, SMS
