Two-factor authentication (2FA) is a security method that can be applied to your online accounts. Think of 2FA as an extra step in your log-in process.
It helps protect your online portals against attackers trying to crack your passwords. 2FA adds a physical element to security: something you have, such as a phone or hardware token, alongside the password you know.
In simple terms, when you enable 2FA, an app on your mobile phone gives you a second, one-time password (usually a 6-digit number that changes every 30 seconds) to enter after you input your first password.
By enabling 2FA you are adding a second layer of security to your password management, significantly reducing the risk of being compromised by a bad actor.
When you create a new account with an online platform that supports 2FA (like your bank or a social media account), the platform will give you the option to generate a unique QR code to scan with your 2FA app (typically on a mobile phone or a dedicated hardware device). The app then ‘pairs’ your new account with a unique secret key, which you are required to store or back up (typically in a notebook or somewhere else secure).
Once your new account has been paired and verified with your 2FA app, you have activated 2FA. Once paired, the 2FA app generates a new 6-digit numeric code (typically) every 30 seconds. The next time you go to log into your account on the online platform, you will also be asked to open your 2FA app and enter the latest generated 6-digit numeric code in order to access your account.
In this way, even if an attacker managed to guess, steal or otherwise compromise your password, they would still need access to your 2FA app on a separate device in order to get into your account, which makes doing so far more difficult.
2FA can be set up using a few different methods. Some are more secure than others.
The most common type of 2FA method uses a dedicated mobile phone app. Broadly speaking, dedicated mobile apps are seen as a moderately strong 2FA method.
2FA can also be delivered by SMS. This is generally seen as a weaker 2FA method because of the risk of a SIM swap attack. (In a SIM swap attack, the attacker convinces the victim’s cellular carrier to move the victim’s mobile phone number to a new device, so the SMS codes are delivered to the attacker.)
The strongest 2FA method involves the use of a hardware token. Usually, this token is the size of a USB data drive and can fit onto a keyring.
2FA is important because your usernames and passwords can be guessed or compromised, especially if your password is weak. Your log-in details can also be stolen if your computer gets hacked. And if you use the same password for multiple logins, an attacker who obtains one password can use it to get into your other accounts. With 2FA, you have an extra level of log-in security.
Many cryptocurrency exchanges require you to use 2FA as part of your log-in process and the use of 2FA is considered industry standard these days.
If your mobile device with the 2FA app is secured via biometrics such as fingerprint security, you’re the only one who can access the 2FA code. This is a powerful security feature because a hacker on the other side of the world would have to physically take possession of your mobile device. They’d also have to unlock your device to successfully authenticate into the online portal that you have 2FA enabled on.
To enable 2FA, there are a few key steps you need to follow. Firstly, you need to install a 2FA mobile app—such as the ones listed below.
Once the app is installed on your mobile, log in to the online portal (such as an online bank account, cryptocurrency exchange, etc.) that you want to enable 2FA on. You can normally enable 2FA through the portal’s account or security settings.
Create a new 2FA setup within the online portal and scan the QR code it shows with your mobile app to create the pairing. Before the pairing can be finished, you’ll need to confirm it by entering the 6-digit 2FA code the app now displays.
An important step when creating a 2FA pair is to safely and securely back up the 2FA secret key. If you lose or change mobile phones, you’ll need this key so you can copy the pairing across to your new phone.
If you don’t back up this security key and you lose access to your 2FA app, you’ll need to go through a lengthy process of contacting the online portal and verifying your identity in order to be able to disable your 2FA pairing.
Twilio Authy is a popular 2FA app. Known for its simple software design, Twilio Authy offers several backup options and can be configured on multiple devices. It is compatible with various operating systems, including iOS, Android, Windows, Mac OS, BlackBerry and Linux.
Google Authenticator is another popular 2FA app known for its simple-to-use design. Google Authenticator has high-quality backup and restore features, allowing for quick restoration of existing 2FA pairings, which is particularly handy if you switch or lose your phone. The app is only available on mobile devices.
Compared to the two apps above, Duo Mobile is a more powerful security system that brings in elements of team management and sharing of 2FA pairings. These features make Duo Mobile particularly useful for remote teams. It comes with advanced reporting and compliance capabilities. Note that Duo Mobile is a paid service.
The Yubikey hardware device allows you to automatically enter 2FA credentials into the websites you visit. You do this by tapping on the device which is plugged into your computer’s USB port.
A Yubikey can also be used to confirm your identity when logging on to your laptop or computer, making it impossible for your data to be stolen unless the Yubikey device is present. Given its advanced security features and usability, a Yubikey is relatively inexpensive.