2-Factor Authentication (2FA), also known as multi-factor authentication, is an added layer of security that helps protect your account even if your password is compromised. Where a password acts as the key to the lock in the door handle, 2FA acts as the additional deadbolt above the handle. It is an extra layer of protection that helps stop someone who has your password from getting into your account.
The importance of 2FA Security and why you need it
As we covered in our password guide, it is easy for an attacker to break or guess your password, and even the strongest passwords are susceptible to being cracked. What do you do then?
This is where 2FA comes to save the day.
2-Factor Authentication is not offered by ALL the sites you may have accounts with, but it is a staple with many of the larger names out there such as Apple, Microsoft, Gmail, etc. Before we can talk about 2FA in detail, let's go through the common 2FA methods one at a time.
SMS: You associate a phone number with your account, and at login the website sends a unique code to that number by text message. That unique code is needed to complete the login process.
Phone Call: This is another telephone-based method of protection. You receive an automated call (free to receive) that reads a unique code out to you. You have to enter that code to confirm the login.
Email: A unique code is sent to the email address associated with the account. You have to enter that code to confirm the login.
Hardware Token: This is a bit more sophisticated and is used by enterprise users or very high-profile individuals such as bankers, journalists and others. An example of this is the YubiKey. You complete the login by connecting a physical device and then confirming with a fingerprint scan, a touch, or whatever method that particular token supports.
An individual can use one, but within the umbrella of 2FA this is a very niche feature, and very few sites currently support it compared with the other methods.
Software Token: A piece of software (most commonly a smartphone app) generates one-time codes for you. All you have to do is know which account you are logging into, open the code for that account in the app, enter it, and you are in! Unlike SMS, phone calls or, in some cases, email (if you rely on mobile data to receive mail), you do not depend on mobile phone reception.
Software tokens also keep working without internet access for a certain amount of time, and they are by far the most convenient method.
In terms of ranking the above methods from most secure to least secure, this is the order:
- Hardware Token
- Software Token
- Telephone Call
- SMS
SMS and telephone calls sit at the bottom and are the least secure because of spoofing, by which your phone number is taken over without your knowledge or consent; from there, the attacker can gain full control of your digital identities. Social engineering is also used: the attacker convinces your provider that they are you and tricks the provider into issuing your number on a new SIM. By the time you notice either happening, your accounts are being logged into and there is nothing you can do to stop it.
Email: it is safe to say that if your email is compromised, we are back to the analogy of the door and the locks. Both locks are opened by a single key. If the attacker cracks your email account, they also control your codes.
Software tokens are the second most secure option because even if your phone number and email address are hijacked, your other accounts are locked behind unique codes that exist only on devices within your reach. It will be hard for an attacker to access those accounts without physical access to a device running one of the token apps.
Hardware tokens are at the top of the chain, but they are also the least used. You can use a YubiKey, but it is a very niche feature currently. Very few sites on the internet have implemented support for hardware tokens, so for now, software tokens are the best way to safely protect your accounts.
How to activate 2FA on your personal accounts?
Making a guide for every popular website would take too long, and the steps vary from one to the next, so a good place to start is 2FA Directory. Search for the service you wish to protect, such as Amazon, Hotmail, Gmail, etc., and the site will take you straight to the relevant support page for that website or service.
When it comes to more sensitive services such as banks, it is best to contact your bank directly and ask about additional methods of securing your account. Not many banks support 2FA or multi-factor authentication.
What’s the best software token to use?
I personally recommend Authy. It is an ad-free app, free to download, and available as a smartphone app (Android and iOS) and a desktop app.
It helps manage your multiple identities in one place and protects them with your phone's own security measures, such as fingerprint, Face ID, PIN, password, etc.
Tastes vary, and others may suggest Google Authenticator or Microsoft Authenticator; you are better off looking at each app's page and making your own judgement.