How to Secure Your Accounts Using Two-Factor Authentication
You've probably heard a security specialist talking about the benefits of Two-Factor Authentication. The problem with specialists is that while all of them are very good at what they do, they sometimes struggle to explain how or why they do it. As a result, you might be a bit confused about what Two-Factor Authentication (abbreviated as 2FA) really is. Let's try to clear up some of that confusion.
What is Two-Factor Authentication?
What do you need if you want to withdraw some cash from an ATM? You need to have a banking card, and you need to know your PIN. This is a brilliantly simple example of a 2FA system. It's an authentication system that will only let you in if you present something you have (your banking card) and something you know (your PIN).
What do I have and what do I know in the online world?
With online accounts, things are slightly different. The traditional single-factor authentication system relies only on something you know: the username and password combination for the specific account. If Two-Factor Authentication is available, and if it's turned on, you must also present something you have. Depending on the form that something takes, online Two-Factor Authentication comes in two broad types.
2FA based on hardware tokens
Obviously, your computer isn't an ATM, and chances are, there's no slot where you can insert a device similar to your banking card. Your computer does have USB ports, though, and some of the so-called 2FA hardware tokens use them. They authenticate you through a cryptographic exchange with the online service. Other hardware tokens are simpler: they generate a One Time Password (OTP) every 30 or 60 seconds, which you need to type in when you're going through the 2FA system. They all look like USB thumb drives and can easily reside in your pocket or purse.
2FA not based on hardware tokens
Hardware tokens do have their shortcomings. They can, for example, be lost. What's more, they are often not the most convenient thing to use, and yet they cost money. Users don't like paying for things that inconvenience them, which is why there's an alternative way of setting up a Two-Factor Authentication system.
Usually, it relies solely on One Time Passwords that expire after a short period of time. These passwords can be generated by the service provider and sent to the user via email or text message, but they can also be created on the user's smartphone by a dedicated application. Again, you need to enter the OTP manually, which could be a minor inconvenience, but in most cases it won't cost you a penny, which could be considered an advantage.
2FA and the adoption problem
Sadly, because most people view Two-Factor Authentication as something that puts an additional burden on the login process, they simply don't bother with it, and adoption rates are abysmally low. Another factor contributing to this is the low level of awareness, as well as some overly paranoid people who keep pointing out that 2FA is not 100% secure. Here's a counter-argument.
2FA is not a magic bullet
No, Two-Factor Authentication is not 100% secure. People have had their One Time Passwords phished, and even some hardware tokens have shown vulnerabilities in the past. This doesn't mean that you shouldn't use 2FA, though.
You are better off with it than without it. It's an additional layer of security, and while it won't necessarily make the crooks' job impossible, it will make it harder, and that's surely something you should strive for, even if it does cost you several additional seconds when you're logging in to your account.
With that out of the way, it's time to see how to set up Two-Factor Authentication at some of the world's most popular websites.
Facebook
- Make sure you're logged in to your Facebook account and go to your Security and Login Settings.
- Locate the Use two-factor authentication link and click Edit.
- Choose the 2FA method you'd like to use. Facebook gives you several options:
  - Codes sent over SMS
  - Codes generated by Facebook's own Code Generator
  - Hardware tokens
  - Third-party code generators
  - Allowing the login attempt from a device Facebook recognizes
  - Using a set of recovery codes that you can print
Google
- Sign in to your Google account and visit the My Account page.
- Locate the 2-Step Verification section and click on it.
- Click Get Started, enter your Google password, and choose the method you'd like to use. Like Facebook, Google gives you several options:
  - Google's own Prompt system, which lets you authorize the login attempt with a tap on your smartphone.
  - Codes relayed to you over SMS or voice call.
  - An authentication application on your smartphone.
Twitter
- Log in to your account, click your profile picture in the top-right corner, and select Settings and Privacy.
- Click Set up login verification and enter your Twitter password.
- Enter your phone number and confirm it by providing the code that you'll receive as a text message. Even if you decide not to use the SMS-based 2FA, having your phone associated with your Twitter account can help you recover access to your profile in case something goes wrong.
- Once Twitter has your phone number, it will let you choose from a couple of other means of getting the verification codes. You can do it from Twitter's own mobile app, or you can use a third-party one.
Reddit
- Log in to your Reddit account and go to the password/email tab on the Preferences page.
- Under Two-factor authentication, select Enable and follow the steps. Unlike the rest of the services listed above, Reddit's 2FA system supports only third-party authentication apps.
As you can see, in most cases turning 2FA on is not difficult, and you really have no excuse for keeping it disabled.