It feels like every week we see dozens of stories in the news concerning accounts that have been hacked. We have seen hacks including Kylie Jenner’s Snapchat, Ariana Grande’s Instagram, 1 billion Yahoo accounts, McDonald’s Twitter account, and much more. Many of these hacks could have been avoided had the user enabled two-factor authentication.
What Is Two Factor Authentication?
Two-factor authentication, sometimes called “2FA”, “TFA”, or “two-step”, is the process of requiring a user to present a second form of authentication when logging in. This second form is usually something you have, such as a phone or a hardware key, which I’ll go over shortly.
While two-factor is growing in usage, the idea behind it has actually been around for many years. In fact, when you try to make a purchase with your debit or credit card, sites will occasionally ask for the billing zip code as well. This is an example of a second form of authentication. In CNET’s Two-Factor Authentication FAQ, they jokingly list two-factor as being “Older than life itself.”
Using two-factor authentication on any of the sites or apps that you use adds an additional layer of security to your account, making it much more difficult for a hacker to get into it. With two-factor enabled, if a hacker were to get your username and password, that alone would not be enough to get in. The hacker would also need your second form of authentication.
Even though this is an extremely useful tool to use, many sites and services do not try hard enough to educate their users about this process. In fact, it is estimated that less than 10% of Google users have two-factor authentication turned on for their account.
The Different Methods
Two-factor authentication normally describes three different methods for providing a second form of authentication: hardware keys, time-based 6 digit authentication codes, and SMS codes.
The Verge refers to hardware keys as the “most secure form of two-factor”. Hardware keys are usually small items that you can carry with you which can be used to authenticate yourself. One of the most common versions is the Yubikey. Most hardware keys are small devices that can be inserted into the USB of your computer. After logging into your account, you would be prompted to insert the hardware key for the secondary authentication. Since keys now start at around $20, this is an affordable option. However, this will require you to carry this key with you to wherever you would be trying to log into your accounts.
6 Digit Auth Code
The most common form of TFA is the 6 digit authentication code. In most cases, you have a secondary app or site that you use to generate these codes. Every time you log into a site, you are asked for a 6 digit code. At that point, you open the app, which generates the code for you to enter. The most popular authenticator is Authy, which has apps for iOS and Android as well as a Chrome extension. If you use LastPass as your password manager, that service also has its own authenticator. Another alternative is Google Authenticator, found in most app stores.
If there is one method you should try to avoid, it is SMS codes. While using two-factor authentication with SMS is much better than not having two-factor at all, the other two options are much more secure. A hacker trying to get into your accounts may be able to gain access to your cell phone carrier account. Once they have that access, they can receive any SMS sent to you, including the ones carrying two-factor codes.
For example, there was a major hack recently in which Telegram’s SMS verification messages were intercepted by hackers. The National Institute of Standards and Technology (NIST) recently updated its Digital Identity Guidelines to remove its recommendation for using SMS for one-time passcodes. Of course, SMS is still better than nothing. So, if the only option for two-factor is SMS, I still recommend using it, but I would ask (or bug) the company’s support to plan on allowing the 6 digit auth code method above.
To get started with two-factor, log into one of your accounts and see whether it has an option for two-factor authentication. You can refer to https://twofactorauth.org/ to check which sites have two-factor, and then tweet or post to one that hasn’t added the option yet. On most sites, such as Google, Facebook, Twitter, and more, you can find the two-factor option in the account or security settings. For example, you will find Facebook’s two-factor setting (pictured below) in the “Security and Login” section of the settings.
The next steps depend on the site, but they usually involve turning on the option and then entering a code that is sent to you through SMS or copied from your authenticator app, depending on which method that service supports.
If This Is So Important, Why Are So Few People Using It?
After reading about TFA, you may be wondering why more people are not using it. A study from the University of Phoenix found that 52% of adults were willing to overlook risks in cybersecurity for the sake of convenience. Since it is quicker to log into sites without using TFA, many users choose not to enable it. In another study by TeleSign, it was found that 72% of users want a secondary form of security but only 20% turned on TFA after a hack.
Moreover, many users do not follow best password practices. For example, nearly 71% of accounts had passwords that were the same as the user’s passwords on other sites. This is even higher among millennials: SecureAuth found that 92% of them reuse the same password. While it may be slightly inconvenient to use TFA, it should be something everyone considers, at least until something better comes along.