Two-factor authentication (2FA): why you should care

shutterstock_238041709

Online security can feel a bit like an arms race sometimes, and it may seem like there’s always something new to keep track of. But many of the more tried-and-true security principles and methods have been around for a while, they just take a while to become more mainstream.

One of these methods is called “two-factor authentication,” a rather jargon-y sounding phrase for something that’s actually pretty simple and can help secure your information online in a big way. But if the phrase “two-factor authentication” sounds like something that doesn’t concern you – or like something you could never figure out – I assure you that’s not the case, no matter how tech-savvy you are (or aren’t).

(If you’re looking for a technical discussion of how 2FA works in depth, I heartily recommend Chester Wisniewski’s 2FA article here.)

Two-Factor Authentication, in a teeny tiny nutshell

Put simply, two-factor authentication is when you prove who you are to a website or service using two out of the three things below:

  • Something you know — like a password
  • Something you have — like a numerical key code
  • Something you are — like a fingerprint

Colloquially, what many people mean when they say “two-factor authentication,” or 2FA, is when a website asks you to type in a code after you’ve already entered your password.

It’s very likely you’ve encountered 2FA quite a bit in your life already. Many of us who’ve worked in the corporate world at some point have carried a small key fob or token with us, and typed in the displayed numbers when logging in to a core work system.

shutterstock_178370210

Similarly, if your favorite shopping or banking website has been asking you to verify your identity by typing in a numerical code SMSed to your mobile number, that’s 2FA at work.

Why isn’t a password enough? And what about security questions? How many more factors do we need?

Security works in layers. Think of a medieval castle – these castles never relied on just one thing to protect them. They were built in naturally defensible locations, and had strong doors, drawbridges, high towers, heavy stone walls, and more.

Even if one of these protective factors failed during an attack, the castle had many other features in place to keep up its defense.

The same idea applies when it comes to keeping your information safe on websites and applications you use every day. Cybercriminals are always thinking of new ways to try to obtain sensitive information, so in defense we make sure we have more sophisticated measures in place to stop them.

2FA is an additional layer of security on top of man existing methods such as passwords. The more layers of defense in place, the harder a bad guy has to work to get at your information. (And with so many other easier targets in place, s/he may decide you’re not worth the effort.)

In other words, adding another factor reduces the risk of someone trying to pretend they’re you and access your information without your consent. But no, this method isn’t foolproof and it doesn’t guarantee complete security – a major provider of two-factor authentication key fob tokens was famously hacked back in 2011, and there have been some attacks recently that use fake 2FA verification messages – nothing can completely eliminate risk, unfortunately. But it is certainly more secure than using just a password alone.

How do I use 2FA on websites and services I visit?

Many popular websites – like email, shopping and banking – often already have 2FA available to use. (And if you don’t log in to the website at all and don’t have an account there, you don’t need to worry about 2FA!)

Each website has its own process for enabling 2FA on your account, but generally the first step is to log in to your account on the site, go to a settings menu, and look for a “security” area. For the most part, this process will require you having your phone handy as you will need to register it to your account and verify that you own the phone, usually by typing in a code that’s texted to you.

In other cases, the website may ask you to download what’s called an authenticator app – it will tell you specifically which one, as there are many – and then type in a numerical code generated on the app.

(If you need a bit more guidance on how to set up 2FA, we’ll have a number of guides published shortly for major web services that will walk you through it, step by step.)

All that said, 2FA isn’t ubiquitous yet. So there is a chance a website you use doesn’t have it.

One resource I like to use to check if 2FA is available is the Two Factor Auth List, which lists a lot of commonly-used websites and whether or not 2FA is available there. (And if your site of choice doesn’t have 2FA yet, the list has a handy button to tweet at the site to encourage them!) While the number of sites supporting 2FA is growing, we still have a way to go.

I hope this helps shed a bit of light on 2FA and how it can help keep your accounts out of the wrong hands. Are you going to give it a try?