Written by Amer Owaida, Security Writer at ESET
With recent years riddled with security breaches, it is high time we evaluated the way we secure our online presence. The usual way to secure most of your digital accounts is with a password, no question about it. The problem is that you have tens, even hundreds, of accounts you need to secure. How do you go about it? Do you have a unique password for every service you use?
Perhaps a significant number of you will answer “no”, which would not come as much of a surprise. Far too often people tend to keep their passwords simple so they can be easily remembered. Nothing underlines this more than the fact that “123456” was ranked as the most commonly used password of 2018.
Even if we adhere to the established (although now recognized as seriously flawed) practice for creating strong passwords, such as including uppercase and lowercase letters, numbers, special characters and so on, we still tend to recycle our passwords or use minor variations of them. That being said, passwords have their limitations. They are only a single barrier between your account and a hacker.
Two-factor authentication (2FA), also known as multifactor authentication (MFA), is a simple way to add an extra layer of security to your accounts. What do we mean by the two factors? To understand that, you need to know the three classic authentication factors, often referred to as “something you know, something you have, and something you are”. The first are things like passwords, PINs and lock screen patterns. The second are things like physical keys (brass or RFID), electronic tokens and SMS codes, while the third is biometrics such as fingerprints, retinas, and faces.
You have now probably guessed that a 2FA system requires you to pass authentication challenges that require responses from two different factors. That could be a PIN code (something you know) and a fingerprint scan (something you are), or a retina scan (something you are) followed by entering a code from a security token (something you have). As passwords have traditionally been used for online services, they tend to be one of the factors still required in 2FA schemes for such services. Hence, a 2FA system combining a password and the possession of another factor makes it difficult for hackers to access your account since they will be missing one of the pieces of the puzzle.
There is a variety of 2FA systems for services to choose from. What most of them have in common is that a one-time code is generated on, or sent to, an authentication device so you can enter it together with your password, thus gaining access to your account. The most common 2FA method used by popular online services is a text message with an authentication code sent to your phone. It is not the best or most secure method, but it is still better than not having one at all.
Then there are authenticator apps that can be paired with your accounts. These apps keep generating authentication codes that are valid for only a limited period of time. For example, each code is valid for only one minute. Google, for instance, has been experimenting with a new form of 2FA that does away with the need to enter codes manually, turning your phone into a security key itself. Alternatively, some companies provide hardware solutions of their own that you can use for 2FA purposes. The choices are many; just choose the one that suits your needs best.
Most popular sites offer two-factor authentication options, but few require 2FA for login. Generally, you will have to locate a site’s 2FA options and enable them yourself. They can usually be found in the settings or privacy sections of the website. The site will walk you through setting up a 2FA method, sometimes offering more than one option. If you’re not sure whether a website or service offers 2FA, you can check for it here.
If you’re wondering if 2FA is bulletproof, there have been rare occasions when it has been bypassed. But in most cases, it provides a great extra layer of security against various attacks that attempt to scam you into revealing your login credentials.