What’s 2FA (two-factor authentication)?
Have you ever tried to log into your bank, credit card, or email account and been asked to type in an additional code that was sent to your phone before you could access your account?
This is an example of ‘two-factor authentication’ or 2FA for short. The companies that control your critical accounts (and many others) offer this option because the extra step adds a powerful additional layer of security (we’ll get to why, shortly). This 2FA trend is growing because passwords just aren’t secure enough anymore.
The most common form of 2FA is a short code sent to your phone via SMS (text messages) that you input to the account you want to access. This second factor (your password is the first) protects your account from someone who may have stolen or guessed your password – but doesn’t have access to a device with the phone number associated with your account.
This bolsters security because it’s not that hard to steal or guess a password — anyone anywhere in the world can theoretically do it. But gaining physical access to your phone is much harder, so this small extra step offers a lot of additional protection.
Why a password isn’t enough for security
Passwords exist so that not just anyone can click their way into our accounts. Even a weak password will keep most people out, and a strong one (long and unique) reduces the risk of someone getting in. But passwords aren’t impenetrable.
There are many ways through or around passwords, via technical means or by taking advantage of the vulnerabilities we (account holders) create for ourselves. Choosing passwords that are common or easy to guess is one potential weakness, and using the same password on multiple accounts is another.
Re-using passwords is a significant problem because when passwords are leaked from one site, thieves use them to get into accounts on completely different sites. We all hear about data breaches constantly, and those stolen passwords (which are usually username/email and password combinations) are quickly leaked and circulated on the internet.
The bad guys then try these login credentials at other sites to see if you used the same password for your sports forum (or whatever company was hacked) as you did at your bank. Surprisingly – this works quite frequently. Here’s a free tip: don’t reuse passwords.
It’s impossible to make passwords perfect – people have been trying for years. And so just like two layers of clothing are warmer on a cold day, a better strategy is to use two layers of security in your account.
How helpful is 2FA?
Do you double-lock your doors? Most people do, because one lock just isn’t that secure, and the extra effort of using a second lock makes homes statistically safer.
2FA is similar; it’s a small extra step that pays huge security dividends. But 2FA works so well not just because there is an additional layer of security, but more importantly because the second layer is intentionally different from the first. This is why it’s called “two-factor” and not “double-password”.
There are several different possible factors used to gain access to an account:
- Something you know: a PIN, a password, a social security number, an answer to a “security” question (the street you grew up on, your mother’s maiden name)
- Something you possess: a mobile device, a credit card
- Something you are: often a physical attribute (also known as a biometric) like a fingerprint or handprint, a retina scan, or voice recognition.
Requiring two or more different factors – especially when one of them cannot be digitally reproduced and distributed – strengthens account security enormously.
But not all second factors are equally strong. There is a particular weakness to sending codes to mobile phone numbers. They aren’t well protected by mobile carriers, and if someone was really targeting you personally, they may be able to intercept the codes without actually having physical access to your phone.
They do this in two main ways:
- They intercept messages — because text message networks were not designed with security in mind and are pretty vulnerable.
- They ‘SIM jack’ you – which is where they move your cell phone number onto a phone they control, at which point they’ll receive your text messages: including your 2FA codes.
How secure is 2FA?
There is no perfect security, in the digital or physical world. So while there are potential ways around 2FA, especially via SMS, for most people the risk isn’t enough to justify avoiding SMS 2FA altogether. Two-factor authentication of any kind is dramatically more secure than only using a password to access an account, so you should take advantage of this security improvement whenever possible.
In order for the weakness in 2FA for SMS to be exploited, someone has to be reasonably motivated, and sophisticated enough to intercept phone messages or hijack a SIM card. If you don’t think you’re likely to be personally targeted by serious hackers, using 2FA via text message codes is a simple (as in, easy) and reasonable way to make your accounts significantly more secure.
If you might be personally targeted – because you’re rich, famous, have an important job, or you know some really juicy corporate secrets — or you just want to make sure your accounts are extremely secure, there are two more secure 2FA options you can and should utilize.
The first is an authenticator app on your phone. These apps generate 2FA codes locally, so instead of getting a text message, you open the authenticator app and it dynamically creates the code for you. You enter it into the login screen just like you would the code from a text message, and you’re in.
Each account must be set up by scanning a QR code to build the link between your account, your phone and the authenticator app. The app also generates some backup codes that you can safely store in your password manager in case the authenticator app is ever unavailable. (This does, however, create a small new risk in case those backup codes get stolen.)
Using an authenticator app requires you to have access to your actual physical phone, not just the phone that is currently receiving the text messages that are sent to your phone number. Nobody without access to your physical phone can generate the 2FA codes your accounts will need (the only exception is if your backup codes are stolen).
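To make the “generates codes locally” idea concrete, here is an added example (not code from the original article or from any of the apps it names) of how an authenticator app derives its codes and how a service checks them, following the public TOTP/HOTP standards (RFC 6238 and RFC 4226). The secret, account name, issuer and backup codes are constructed for illustration; the QR code you scan at setup simply carries the `otpauth://` link built below, which is why the secret never travels over SMS afterwards.

```python
"""
Added example (not from the original article): how an authenticator app
derives its codes, and how a service verifies them, per RFC 4226 (HOTP)
and RFC 6238 (TOTP). Secret, account name and backup codes are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed demo secret (this is the RFC 6238 test-vector seed). A real service
# generates a random one at enrolment and shows it once, usually as a QR code.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI the setup QR code carries: the one-time link between
    the account, the phone and the app that the article describes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch.
    Only the shared secret and the clock are needed; no network, no SMS."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` neighbouring steps
    to tolerate clock drift, and compare in constant time."""
    t = int(time.time()) if at_time is None else at_time
    step = t // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-window, window + 1))


class BackupCodes:
    """Single-use recovery codes. The service keeps only hashes, so a leaked
    database does not hand out usable codes, and each code is burned after use."""

    def __init__(self, count: int = 8) -> None:
        self.plain = [secrets.token_hex(5) for _ in range(count)]  # shown once to the user
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)  # a stolen copy is useless once it has been used
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "Example Bank"))
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET, code, now))
```

The codes for the RFC test seed match the published vectors (for example, the code at Unix time 59 is `287082`), which is a quick way to check any TOTP implementation. The verification window is the reason a code still works a few seconds after it rolls over, and the hashed, single-use backup codes are one way a service limits the “small new risk” the article mentions.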
If you want to use an authenticator app, download Google Authenticator, Authy or Duo Mobile from your favorite app store. However, not all sites that support SMS-based 2FA allow you to use an authenticator app. Google, LinkedIn, and Twitter do, for example – but Apple, Amazon and many banks do not.
To harden your security even further, get a hardware key – a small USB or Bluetooth device that usually fits on your keychain or sits in the USB slot of your laptop – that acts as a second factor to give you access to your most important accounts. These are supported by Google Accounts and a few others, but still far fewer sites than even authenticator apps. But for any extremely important accounts, a hardware key is the most secure form of 2FA available.
Should You Use Two-Factor Authentication?
Our bottom line: Yes.
Everyone should be using 2FA on their most important accounts (at least). It eliminates all of the easy – and frighteningly common – ways that hackers get into people’s email accounts, bank accounts, and personal data. Using 2FA makes you a less attractive target for a hacker because it makes their job much harder. Criminals are usually looking for easy ways to gain access in volume in order to make the most money. With 2FA protecting your account, there is a good chance they will simply move on to easier targets.
Of course, there is a downside. Accessing any account that uses 2FA is, by design, a little slower and less convenient than accessing an account protected only by a simple password. Although, depending on your browser settings, you may only go through the 2FA step the first time you log into a service from a given device: on a personal device where you have already logged in, no additional action is needed. But this extra 2FA step prevents the massive hassle, and potential permanent damage, of having your information leaked and your account compromised. For better or worse, 2FA should be considered the ‘new normal’, and it’s worth the cost of responsibly managing your online life.