How And Why To Use Two-Factor Authentication

Have you noticed that many login pages have a place to enter a code or token in addition to your password? You may have thought, “Why would I need that? I already have a password for logging in.” Let me explain why adding that layer of security is a good idea.

The Threat

Imagine that to use an ATM, all you needed was either a PIN or an ATM card, not both. How easy would it be for someone to withdraw money from your account? If they guessed or learned your PIN, they’d have the ATM spitting dollar bills at them. If they stole or found your ATM card, that too would grant them access to your money. Not good, right?

Fortunately, an ATM requires both your PIN (something you know) and the ATM card (something you have). Because it’s much harder to get both of them at the same time, your bank account is safer.

Now think of an online account. If it’s only protected by a password (something you know), then all it takes for someone to get access is to guess or steal your password (or guess your security questions). Unfortunately, with the growing number of data breaches, that’s not too difficult. It’s like having an ATM that only requires a PIN.

But if that online account also requires you to get a code from your phone (something you have), that would be like an ATM that also requires an ATM card. And just as that ATM would be more secure, so too your online account would be more secure.

How to Increase Your Security Using Two-Factor Authentication

Let’s go back to the website that asks for a code when you log in. That code is like your ATM card. When you log into a website, you enter your password (something you know) and the code from your phone (something you have). This is called two-factor authentication. Your password is your first factor of authentication. The code from your phone is your second factor.

So, how can you use this to make your accounts more secure?

How to Set Up Two-Factor Authentication

After you log in, look in the settings for a way to enable two-factor authentication. You may also see it called security codes, two-step verification, 2FA, or multi-factor authentication (MFA). The code may also be called a token. Look in the Security and Privacy sections of your Settings, or under Account or Profile.

If you can’t find the option within a few seconds, look up the site on turnon2fa.com and twofactorauth.org. Those sites have instructions for enabling two-factor authentication on many websites.

Once you find the option, click through the steps to enable it. Here’s how to enable two-factor authentication on Facebook:

Many websites still offer the option of sending codes by text message (SMS). That’s unfortunate, because text messages can be intercepted and spoofed. In other words, it’s not difficult for hackers to receive your text messages, even without your phone. You can learn more about this in the Further Reading section below. For these reasons, it’s more secure to use a hardware token (I like YubiKey) or an authentication app (such as Authy, which is what I use, or Google Authenticator).

Two-factor authentication (2FA) is only as strong as your weakest 2FA method. So if an account offers multiple methods (hardware key, authentication app, SMS/text, etc.), and you choose one other than SMS/text, then do not also enable SMS/text. If a hacker can’t get past one method, they’ll try another. That means it won’t matter if you have a stronger method such as an authentication app-enabled, because the hacker will go after the weaker SMS/text.

Besides the security problem, there are other problems with text message authentication. If you don’t have phone service, you won’t receive the texts. Even if you have service, sometimes text messages take minutes to arrive, rather than seconds. Authentication apps don’t have any of these problems.

Of course, if the only way a website will let you use two-factor authentication is through texts, then use that option! It’s better than not using two-factor authentication.

Be aware that some websites won’t send codes to “virtual phone numbers,” phone numbers that use VoIP (Internet phone service). I have a Google Voice number, and some websites won’t send SMS/text messages to it. I need to use my traditional mobile phone number instead.

Most websites will allow you to create backup codes. Those are useful in case your phone is lost or stolen. Be sure to create the backup codes, and store them somewhere secure. I store mine in LastPass, in the Notes field of the website they go to.

If a website doesn’t support two-factor authentication, contact them and ask them to add the option for the sake of the security of their users.

How to Use Two-Factor Authentication

So you’ve set up two-factor authentication for your account. Nice work! You can start using it the next time you log into your account. Here’s the general process:

1. You visit a website and enter your username and password.
2. If this is the first time you’re accessing your account from a particular device (computer, phone, tablet), you’re asked for a second factor to confirm that you are who you say.
3. You get a code from your phone, either from an authentication app, or from an SMS/text message.
4. You enter the code on the webpage.
5. If your code is correct, you’re logged in!

Most websites will remember your device (using cookies) so you don’t need to enter a code each time you log in, only when you log in on a new device. And you’ll be asked if you want the system to remember your device. If you’re not using one of your own devices, say no!

I highly recommend that you use two-factor authentication for any accounts that contain sensitive data. I especially recommend it for any accounts that contain financial or medical data, or other personally identifiable information. That includes any site that allows you to pay, donate, send, or receive money. But also think of how much damage someone could do by accessing other accounts, such as your email or social media accounts. It’s better to be safe than sorry!

If a website allows you to use more than two factors, consider doing that, especially if it’s an account that contains sensitive data that you want to protect.

You may wonder, “What happens if I lose my phone? Will I be unable to log into my account?” The answer is yes, unless the account allows you to enter backup codes or log in some other way (such as through security questions). That’s why it’s so important to create backup codes (see above).

Further Reading

• Turn On 2FA includes tutorials showing how to enable two-factor authentication on many websites (turnon2fa.com)
• Two Factor Auth List lets you look up websites and see whether they support 2FA. If they do, the site tells you how to enable 2FA, as well as which forms they support (SMS/text, phone call, email, hardware token, software token). (twofactorauth.org)
• Authy’s 2FA Guides tell how to enable 2FA on several websites (authy.com)
• Why You Shouldn’t Use SMS for Two-Factor Authentication (and What to Use Instead) (howtogeek.com)
• Why you are at risk if you use SMS for two-step verification (cnet.com)
• Hanging Up on Mobile in the Name of Security (krebsonsecurity.com)
• Is two-factor authentication (2FA) as secure as it seems? (malwarebytes.com)
• How to: Enable Two-factor Authentication (eff.org)

What You Should Do

1. Enable two-factor authentication for any account that contains sensitive data, or that you wouldn’t want to be hacked.
2. Whenever possible, use a hardware token (such as YubiKey) or an authentication app (such as Authy or Google Authenticator) rather than receiving codes by text message or email.
3. Create backup codes in case you’re ever without your phone when you need to log in. Save them securely, such as in your password manager or on paper in a safe.