What Is 2FA (two factor authentication)
In its most basic form, two-factor authentication (2FA) means proving who you are with two of the following:
- Something you KNOW – password, a PIN, answer to a security question
- Something you HAVE – driver’s license, phone, last four of credit card
- Something you ARE – face scan, fingerprints, voice
So whether you realize it or not, you’ve been using 2FA for many, many years. Every time you enter a PIN for a debit card, provide the last four digits of your social security number to your bank, or even use a fingerprint to log into your phone, you are using a second “factor” to authenticate.
Where Should I Use 2FA
Many “secure” web apps or websites offer 2FA as an option that has to be enabled. When you try to log into your bank or mortgage company you will often be asked a security question, have to enter a PIN, approve a security image, etc. But unless you enable 2FA, in many places a simple password is all that keeps another user out of your email, social media accounts or banking information.
How Does 2FA Work?
Traditionally, on a website or phone app, the user enters a password on the computer or device, which triggers the application to do something: an SMS is sent with a code, you are prompted to use the fingerprint reader, or it asks for a time-based PIN from a secure authenticator application. The user then enters the code, provides a fingerprint or meets whatever other criterion applies, and is logged into the application.
Of the more popular methods, SMS is the least secure. SMS can be intercepted, can sometimes be read on multiple devices, or in extreme cases the phone number itself can be hijacked.
Fingerprints are the most obviously secure. Virtually impossible to fake, fingerprints are with you pretty much all of the time. Make sure you enroll several fingers from both hands. On occasion users injure specific fingers or, in the most extreme circumstances, lose a digit, which would make reading it impossible.
Authenticator applications have become more and more popular in recent years. These apps run on your phone and generate a new code every 30-60 seconds. When you try to log into a site or app, it will ask for a password, then ask for a six-digit 2FA code. You pull out your phone, open the authenticator, find the code for that site, enter it into the field, and if the two match, you are logged in.
Possible Issues with 2FA
The most obvious is not having your phone, or having it in an unusable state. However, most services that use 2FA, such as Google and Facebook, provide “backup” codes. If you have the codes but no access to your device, you can still authenticate. The danger of saving these backup codes is that you now have an insecure printed code lying around, which sort of defeats the purpose of 2FA.
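To show what a backup code actually is on the service’s side, here is an added example (not code from the original post or from any of the services named) of how a site can issue single-use backup codes and store only hashes of them. The codes are random; the server keeps a keyed hash rather than the code itself, so a leaked database does not hand out working codes, and each code is accepted exactly once. The `SERVER_PEPPER` value and the alphabet are assumptions for this illustration.

```python
import hmac
import hashlib
import secrets

# Placeholder server-side secret for this example; a real deployment keeps it
# outside the database (e.g. in a secrets manager), not hard-coded.
SERVER_PEPPER = b"example-pepper-replace-me"

# Alphabet without 0/O and 1/l/I so printed codes are easy to type back in.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalize(code: str) -> str:
    """Users retype codes with or without dashes/spaces and in any case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(code: str) -> str:
    """Keyed hash of a normalized code; this is all the server stores."""
    return hmac.new(SERVER_PEPPER, _normalize(code).encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(count: int = 10, length: int = 12):
    """Return (plaintext codes to show the user once, set of digests to store).

    12 characters from a 31-symbol alphabet is roughly 59 bits of entropy per
    code, enough that guessing or offline brute force against the digests is
    impractical.
    """
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append("-".join(raw[i:i + 4] for i in range(0, length, 4)))
    stored = {_digest(c) for c in codes}
    return codes, stored


def redeem_backup_code(stored: set, attempt: str) -> bool:
    """Consume a backup code: constant-time compare, removed on success so it
    cannot be replayed. Returns True if the login may proceed."""
    wanted = _digest(attempt)
    match = None
    for candidate in stored:
        # compare_digest avoids leaking which prefix matched via timing.
        if hmac.compare_digest(candidate, wanted):
            match = candidate
    if match is None:
        return False
    stored.remove(match)
    return True


if __name__ == "__main__":
    plaintext, db_rows = generate_backup_codes()
    print("Show these to the user once:", plaintext)
    print("First use accepted:", redeem_backup_code(db_rows, plaintext[0]))
    print("Replay rejected:", redeem_backup_code(db_rows, plaintext[0]))
```

The user-facing list is the only place the codes exist in the clear, which is exactly why the printed copy the article warns about needs to be treated like a password.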
Time is another issue. Most of us want access to information and entertainment now. Having to open an app, pull up a text, or even position the phone for a fingerprint read can take precious seconds… but isn’t security worth that time? Think of the minutes, hours or even DAYS it would take to recover or repair a hacked account!
Several times I’ve referenced authenticator apps in this discussion. These apps are fairly easy to use. When you turn on 2FA on your app or website, a code or QR code will appear. You add the site to the authenticator, it asks for the code or the QR scan, then asks for a confirmation code, and you’re all set up! Below are some of the most popular authenticators for Android. Most are available on iOS as well, and there are almost no differences in how these programs work.
- Google Authenticator – The most popular 2FA app. If you use Gmail or GSuite it has very easy integration to secure your email and other Google applications.
- andOTP – Free and open source, it’s a very easy-to-use application compatible with Google Authenticator 2FA codes.
- Microsoft Authenticator – Google’s biggest competitor
- Authy – Probably the most popular app NOT created by Microsoft or Google, if you want to steer away from those two giants.
So how do I know if I can use 2FA?
Most sites that use 2FA have it listed in a security section of your profile. Simply looking there or through frequently asked questions will usually tell you if you are able to use 2FA.
There is a great list of websites and apps that use 2FA at TwoFactorAuth.org. This website has an organized list of sites and which types of 2FA they support. Some use SMS (texting), phone authentications, email or hardware/software tokens. This can be really helpful if you plan on using 2FA as part of the decision-making process.
Bottom Line on 2FA
Two-factor authentication sounds scary. When you start talking about fingerprints and things of that nature, people get weirded out by movies and potential issues. The bottom line is that by taking a few extra seconds to log into your favorite apps, cloud storage and banking sites, you could be preventing endless hours of trying to recover those accounts. Who hasn’t heard stories of hacked financial accounts, hijacked social media logins, or changed email passwords with no way to recover because the backup email account was changed?
While 2FA won’t completely stop this activity, it will keep the vast majority of hackers from trying further. It’s much more cost-effective in money and time to move on to an easier target than to dig deeper into a secured account.
Take a few moments and test on something easy like Facebook. Then your email, then banking, then your website. You will feel better knowing you’ve taken some steps to be more secure.
Do you use 2FA? Send questions or comments to me @BeBizzy on Twitter!