What is 2FA?
You’ve been using 2-Factor Authentication (2FA, also sometimes called Multi-factor Authentication) for a long time, though you may not even realize it. Every time you use your ATM card, you present the card (factor 1) and you enter your PIN (factor 2). Even if someone steals your ATM card, it’s only useful to them if they also know your PIN.
That’s what 2-Factor Authentication is – a security process that requires two forms of identification from two separate categories of credentials. The 2-Factor Authentication used by your bank for your ATM card doesn’t make it impossible to steal cash from your checking account, but it makes it much more difficult.
You should be using 2-Factor Authentication for your most sensitive internet access points as well. “But wait!” you say. “My online banking doesn’t use my ATM card, and no other internet provider uses a plastic card either!” And you’re right – plastic cards are not the medium of the internet – they’re the medium for physical machines. But you have another credential device you can use, you likely have it with you all the time, and you already know how to use it.
It’s your mobile phone.
At its most simple, 2-Factor Authentication uses a text message. You enter your username (factor 1a) and your password (factor 1b), and then you receive a text message with a code to enter (factor 2). The average hacker won't be able to access your account even if they have your username and password, because they don’t have your mobile phone.
You can also use a 2-Factor Authentication app to receive your authentication codes. A 2-Factor Authentication app generates a temporary login code, in sync with the site(s) you program to work with it. The codes refresh every 30 seconds (you don’t have to do anything – they just automatically refresh every 30 seconds, 24/7). So instead of triggering a text message when you log in, you input your username (factor 1a) and your password (factor 1b), and then you get the latest login code from your 2-Factor Authentication app.
The text version is easiest to set up, but sometimes you experience delays. The app version will not suffer from any delays in text relay, but the apps are a bit more difficult to set up. In reality, you will end up using a mix of both. For instance, Twitter only offers text authentication, but if you use LastPass for your password management, you will need an app.
Unfortunately, 2-Factor Authentication isn’t available on every website yet (the most notable gap is banks, which have been terribly slow to implement 2-Factor Authentication for their online services), but adoption rates continue to climb.
Which 2-Factor Authentication app should I choose?
The five most popular are Google Authenticator, Duo, Microsoft Authenticator, Transakt, and Authy. These are all free and all work well. Each one takes a slightly different approach to setup, so be prepared to follow its instructions carefully. It’s not difficult, but it can be confusing the first time you do it. So take your time and read the instructions once or twice before starting.
Why Do I Need 2-Factor Authentication?
I was talking about 2-Factor Authentication with a business acquaintance last week, and he said, “2FA is stupid. If a hacker really wants to get into your system, 2FA won’t stop him.”
This is true. If hackers really really want to get into your computer, they’ll get in. But the hackers who have the sophistication to beat 2-Factor Authentication are going after big targets: Discover, AMEX, the Social Security Administration. Hackers work for one of two things: notoriety or money. Your personal accounts are unlikely to deliver either (unless you are Bill Gates. And Bill, if you’re reading this blog, can we talk?). Does this mean you don’t actually need it then? Not really. You still need it.
Here’s an analogy to explain why. My granddaughter and I recently stopped at Walgreens to pick up some prescription allergy medicine. It cost $4.00. It was in the little paper “I’m a prescription” Walgreens bag. When we got out of the car at our next stop, I asked her to please put the bag in the glove compartment.
“Why?” she asked. “It’s not worth anything. We could always get a new one.”
“Because I don’t want to pay the deductible for fixing a broken car window,” I replied.
The world isn’t just filled with sophisticated hackers. It’s filled with baby hackers; perhaps the kid next door, one of your students, or one of your kids’ acquaintances. These baby hackers might be working themselves up to something Department-Of-Defense-worthy, but right now they’re just practicing. Don’t let them practice on you. 2-Factor Authentication will stop this type of hacker.
2-Factor Authentication will also stop the robot hackers that are programmed to breach as many accounts as possible looking for big fish. But just as catch-and-release still leaves a hole in that poor fish’s mouth, these robot fishermen tend to leave messes behind in the accounts they break into – messes that can lead to anything from minor embarrassment to computer replacement or costly computer repairs.
Finally, if you have a website, it is always at risk of being infected with a socially engineered Trojan. This is a hack that creeps into your website and then tricks unsuspecting visitors to download a piece of malware. By the time you find out it’s happening, Google has blacklisted you and your customers and visitors are angry. Using 2-Factor Authentication to access your own website administration area will deter these kinds of hacks from all but the most motivated hackers.
So while it’s true that 2-Factor Authentication won’t stop the best hackers, it can still save you a lot of time, frustration, money, and loss-of-face.
Which accounts should I protect with 2-Factor Authentication?
You don’t have to protect every access point. The average internet user has somewhere between 35 and 50 online accounts. Here’s a list of the account types you should provide with this extra layer of security:
- Online email accounts (Gmail, Yahoo, AOL, Live, Hotmail, etc.).
- Password protection systems (LastPass, Dashlane, Keeper, Authentic8, etc.).
- Cloud storage (Box, Dropbox, Google Drive, OneDrive, etc.).
- Online bank accounts (And if your bank does not offer 2FA services, use the contact form on their website to say you want them to do so for your protection).
- Any social media accounts that you use for business or which are particularly important to you.
- Your website (WordPress, Joomla, Drupal, or any CMS website with back-end access and/or a database).
- Your hosting and domain providers (GoDaddy, MediaTemple, Amazon Web Services, Rackspace, etc.).
- Cloud-based business services (Quickbooks Online, Salesforce, etc.).
You can certainly protect more than these, but at a minimum you should use additional security to protect your money and your business interests.
How do I start the process?
A good place to start is with Facebook or Twitter. Most people have at least one of those, and both sites use text message authentication. Once you set up your first account, the whole concept will make more sense to you. Here are links to step-by-step instructions for each:
For all other sites, just Google “instructions to turn on 2FA in XXXXXXX” and you’re likely to find what you’re looking for. I wish I could be more helpful on this point, but with so many different sites to choose from and so many different approaches, being more specific would make for a very long blog post!
When you use 2-Factor Authentication it does take a few more seconds to access your protected accounts. But you quickly get used to grabbing the additional code from your mobile device, and saving yourself from just one hack will more than compensate for the few extra seconds of security. The internet keeps evolving and so must we. Right now, your best bet for protecting yourself online (in addition to good password behavior and hygiene) is 2-Factor Authentication.
**************************************************
Update 2020-7-29
A reader requested an update on this article, after realizing it was five years old. In truth, very little about using 2FA has changed since 2015. The encryption and coding behind it have been hardened, but for users, things work largely the same way.
One way in which 2FA is changing is that some services, notably Google, Dropbox, and Amazon, now send a push notification to their mobile apps instead of texting a code. For example, if you are logging in to Dropbox on your desktop and have the Dropbox app installed on your mobile device, instead of sending a text message Dropbox pushes a question to your app asking, "Are you trying to log in from such-and-such computer right now?" and you press "Yes" or "No."
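What makes the push question above a real second factor, rather than just a convenient prompt, is that the approval is tied to one specific login attempt and signed by a key that lives only on the enrolled phone. The following is an added example, a constructed model and not the protocol Dropbox, Google or Amazon actually use; the class and function names, the per-device key, and the time-to-live are all assumptions made for illustration. It shows why a stolen or replayed “Yes” does not help: the server only honours an approval that names a still-pending, unexpired challenge and carries a valid signature from the enrolled device.

```python
import hashlib
import hmac
import json
import secrets


def sign(device_key: bytes, challenge: dict, decision: str) -> str:
    """The phone's approval covers the challenge id, its one-time nonce and the decision,
    so the signature cannot be lifted from one login attempt and reused for another."""
    payload = json.dumps({"challenge_id": challenge["challenge_id"],
                          "nonce": challenge["nonce"],
                          "decision": decision}, sort_keys=True).encode()
    return hmac.new(device_key, payload, hashlib.sha256).hexdigest()


def device_respond(device_key: bytes, pushed: dict, decision: str) -> dict:
    """What the mobile app sends back after the user taps Yes or No (constructed model)."""
    return {"challenge_id": pushed["challenge_id"], "decision": decision,
            "mac": sign(device_key, pushed, decision)}


class PushAuthServer:
    """Server side of a push-approval login (constructed model, not a vendor's protocol)."""

    def __init__(self, device_keys: dict, ttl: int = 60):
        self.device_keys = device_keys   # device_id -> key enrolled when the app was installed
        self.pending = {}                # challenge_id -> challenge awaiting an answer
        self.ttl = ttl                   # seconds a prompt stays answerable

    def start_login(self, username: str, device_id: str, client_desc: str, now: int) -> dict:
        """Called after the password check succeeds; returns what gets pushed to the phone."""
        challenge = {"challenge_id": secrets.token_hex(8), "username": username,
                     "device_id": device_id, "client": client_desc,
                     "nonce": secrets.token_hex(16), "expires": now + self.ttl}
        self.pending[challenge["challenge_id"]] = challenge
        return dict(challenge)           # the app shows `client` in its "Are you trying to log in from...?" prompt

    def finish_login(self, response: dict, now: int):
        """Validate the phone's answer. Popping the challenge makes every answer single-use."""
        challenge = self.pending.pop(response.get("challenge_id"), None)
        if challenge is None:
            return False, "unknown or already used challenge"
        if now > challenge["expires"]:
            return False, "challenge expired"
        if response.get("decision") != "yes":
            return False, "user denied"
        key = self.device_keys.get(challenge["device_id"], b"")
        expected = sign(key, challenge, "yes")
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False, "bad device signature"
        return True, "approved"


def run_demo() -> dict:
    """Walk through the normal approval and the four failure modes the design is meant to catch."""
    device_key = b"constructed-per-device-key"          # constructed sample; never a real key
    server = PushAuthServer({"phone-1": device_key}, ttl=60)
    now = 1_600_000_000                                 # fixed clock so the walk-through is repeatable
    results = {}

    pushed = server.start_login("alice", "phone-1", "Firefox on Windows, Denver", now)
    answer = device_respond(device_key, pushed, "yes")
    results["approve"] = server.finish_login(answer, now + 5)
    results["replay"] = server.finish_login(answer, now + 6)        # same answer sent again

    pushed = server.start_login("alice", "phone-1", "Chrome on Linux, unknown city", now)
    results["deny"] = server.finish_login(device_respond(device_key, pushed, "no"), now + 5)

    pushed = server.start_login("alice", "phone-1", "Firefox on Windows, Denver", now)
    results["expired"] = server.finish_login(device_respond(device_key, pushed, "yes"), now + 120)

    pushed = server.start_login("alice", "phone-1", "Firefox on Windows, Denver", now)
    results["forged"] = server.finish_login(device_respond(b"not-the-enrolled-key", pushed, "yes"), now + 5)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:8s} -> {outcome}")
```

The user-facing lesson is the same one the prompt text hints at: the "such-and-such computer" description is there so you can tap "No" when it is not you. A prompt you did not trigger means someone already has your password, and the right response is to deny it and change that password.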
But text authentication is still the dominant mode as of this date.