Today's #TipTuesday is a topic that likely needs multiple posts to handle it properly. As I write this, it's already long before I even get into examples and "how to" steps for common sites, so this will be a mini-series within my #TipTuesday series (a series within a series?!). Long story short: with all of the data breaches and hacks out there, the best thing a user can do to protect their logins is to turn on Two Factor Authentication (2FA). There are multiple names and acronyms for this, most of which mean the same or similar things. (The other most common term is MFA, multi-factor authentication.)
What is it?
I would hope most people have at least heard of this before. It's a "secondary" authentication method for logging in to a site, whether that is an online email account, Facebook, Twitter or any other website that requires a login and password.
The secondary factor is typically a verification code entered from another device. The theory is that it authenticates that I am who I say I am via something I know (my password) plus something I have (another device). That reduces the risk of someone breaking into my account: they might find or guess my password, but they are unlikely to also have the second-factor device. It's not foolproof, but enabling it makes compromising an account a lot harder.
Not every website offers this feature, but it's getting to the point where most major ones offer at least one method of 2FA/MFA. The most basic option most sites offer is a text-based verification code. Detractors will say this is a horrible system, but honestly, it's better than nothing at all. The odds of someone getting hold of a password, particularly if the user isn't using a password manager, are relatively high. The odds of the same person also having your cell phone? Probably not as high.
In an Accounting department, having a token system for corporate banking logins is a perfect example of a 2FA system. Most personal websites don't use external tokens like that exactly, but many offer similar options via mobile apps.
Where to enable it
Anywhere it’s offered! Seriously, if a site offers a 2FA/MFA option, I turn it on.
- Banking sites, if they offer it, are a no-brainer.
- Email accounts FOR SURE. Think about every password reset feature ever: they send a reset link to my email account. Protect email accounts with as much security as possible, like long random passwords and 2FA or MFA if they offer it.
- The other group where I am especially cautious is social media sites that can be used as a login method for other, unrelated websites. Many sites allow users to "sign up" using their social media accounts. That means users should want to protect their social media accounts from unauthorized logins too.
I will never use a social media account to log into another site. I use a password manager religiously (a topic for another day), I use random passwords for every site I can, and I don't reuse a password on more than one site. If a site gets hacked, I'd be pretty confident that my login + password combination cannot be used on any other site. Can I still get hacked? Sure I can, but I'm making it harder for whoever does by using random passwords and 2FA/MFA where I can.
If you are going to use a social media account as the login for another unrelated site, make sure that the social media account has some kind of 2FA/MFA on it. Facebook was just hacked, and for anyone whose account was part of that hack, that could mean the attackers could also get into any of those other sites that trust the same credentials. Of course, Facebook was also recently in the news because, if 2FA is enabled on their site, they're selling that information to advertisers. I'd still have 2FA enabled.
If a site doesn't have an MFA/2FA option but has any kind of "login alert" option, enable that; it would at least alert me to a recent login I may or may not have made myself. It's slightly better than nothing.
How does it work?
Typically, once I enable a 2FA/MFA option on a website, the next time I log into that website after I enter my login and password, I'll be prompted to enter a code or validate my identity via some app on my phone. Most sites have a "remember me for X days" type of option so that I don't have to do this every day.
Code-based authentication has different methods of delivery, but the result is usually a 6-digit or 8-digit numeric code the user types into the site as their 2FA method. Delivery is often via SMS/text message but could also be via an app on a phone. During setup on the website that offers 2FA/MFA, you "configure" that account with an app or with a phone number, and after that they are linked (so to speak). On login, the website either pushes an authentication request (an SMS code or an approve/deny prompt) to that phone or app, or, for code-generating authenticator apps, expects the code the app computes on its own from the secret that was shared during setup. Most times there is a limited amount of time to respond, 30 seconds to 5 minutes, before the code "expires" if it isn't typed in right away (this varies by site).
I currently have 4 "authentication" apps on my phone because we use one app at work, many Microsoft sites use their own Microsoft Authenticator app, my password manager has its own app, and I use a third-party one for sites where I have a choice of app. In the end, all of them do the same basic thing. If I had a choice, I would use one app, but it doesn't always work out that way. Some sites require me to type in a code from my authentication app or text message, and some simply need me to approve a pop-up message from the app itself on my phone. Either way, it delays logging into a site by a handful of seconds at most.
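To make the "code from an app" case concrete, here is an added example (not code from the original post) of how time-based one-time codes, the kind most authenticator apps produce, are generated and checked. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP): the site and the app share a secret at setup, both derive the current code from that secret and the current 30-second time step, and the site accepts the code only if it is one of the current (or immediately adjacent) steps. The `TIME_STEP`, `window` and function names are my own choices; the test secret is the published RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code; the value nearly all authenticator apps use
DIGITS = 6       # most sites show 6-digit codes, some 8


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as QR-code enrollment presents it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # low nibble picks 4 bytes
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time // TIME_STEP.
    This is what the app on the phone computes, with no network involved."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now // TIME_STEP))


def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Server side: accept the current step and +/- `window` steps to tolerate
    clock drift, comparing in constant time. A code older than that has expired."""
    now = time.time() if at_time is None else at_time
    counter = int(now // TIME_STEP)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test key "12345678901234567890" in base32.
    demo_secret = base64.b32encode(b"12345678901234567890").decode()
    print("code at t=59:", totp(demo_secret, 59))        # 287082 per RFC 6238
    print("same code 41s later accepted?", verify_totp(demo_secret, "287082", 100))
```

The `window` parameter is the trade-off behind the "30 seconds to 5 minutes" expiry the post mentions: a wider window forgives a slow phone clock, but every extra step accepted is another valid code for an attacker to guess at, so sites keep it at one or two steps.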
Backup Codes
On certain sites, when setting up 2FA/MFA, the site may also provide a set of "backup codes". This may be called something different on different sites, but essentially these are codes to use if the 2FA/MFA device isn't available or I can't get access to it for some reason. The theory behind backup codes is that if I am somewhere without my phone, or without cellular access (for SMS codes while travelling, for instance), or I lose my phone and have to log into a site, any one of the backup codes will work as the verification method to get me logged in.
The hardest part for me is where to keep those. I’m curious about where other people save their backup codes. Do you print them physically? I tend to store mine in a Dropbox/OneDrive type of account but I'm working under the very big assumption that if I lose my phone, I will have access to that in a pinch (and THAT account isn't the website I'm trying to authenticate into at the moment). That's a risk. On some high-profile accounts, I may copy some of those backup codes to other places on my phone or tablet that don't require a login - like a Notes app. I've got over a dozen sets of backup/recovery codes stored by site name in case I need them. I've yet to have to use them.
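Because backup codes bypass the device entirely, they are only as good as how the site stores them and how the user guards them. The following added example (my own illustration, not code from the post or any particular site) shows the defensive pattern behind them: the site issues a handful of random codes, keeps only salted hashes (as it would for passwords), and burns each code on first use so a leaked or shoulder-surfed code cannot be replayed. The alphabet, code length, iteration count and class names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import List

# Letters/digits that are easy to transcribe: no 0/O, 1/l/I ambiguity.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10          # 31^10 ≈ 8e14 possibilities, ample for a one-time code
PBKDF2_ROUNDS = 50_000    # slow hash so a stolen database can't be brute-forced cheaply


def new_backup_codes(count: int = 10) -> List[str]:
    """What the site shows the user once, formatted as xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: case, spaces and dashes ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the site keeps for one account: salted hashes only, each usable once."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self._unused = [_hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        """True exactly once per issued code; constant-time compare against each hash."""
        candidate = _hash_code(code, self.salt)
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                self._unused.remove(stored)   # burn it: a backup code is single-use
                return True
        return False


if __name__ == "__main__":
    issued = new_backup_codes()
    store = BackupCodeStore(issued)
    print("codes to print and keep offline:", issued)
    print("first use:", store.redeem(issued[0]))     # True
    print("replayed:", store.redeem(issued[0]))      # False
    print("left:", store.remaining())                # 9
```

Two things in this design answer the "where do I keep them" worry above: the site never holds the codes in recoverable form, so the printed sheet (or the note in Dropbox) is the only copy, and a code that has been used once is dead, so a set that was exposed while being used is less valuable than it looks.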
Sounds complicated!
Yes, it does, and it can be a pain in the a** for a little while until you get used to it. I recommend trying 2FA/MFA on one thing first to get the hang of it, like the email account you use most often for logging into websites. If you use multiple devices (say a computer, cell phone and iPad or tablet), you'll feel like you're going insane the first time you switch an account over to 2FA, because you'll likely have to authenticate again everywhere you log in. Once you get used to it, it becomes normal.
There are little irritations from using it, like learning to never leave your phone charging in another room when you sit down at your computer to do some surfing. :)
In all seriousness though, I can't imagine not using any 2FA/MFA on my key sites. In my next #TipTuesday post (one or more, to be determined!), I'll start to walk through how to set up 2FA/MFA on some common sites and services like Office 365, Gmail, LinkedIn, Facebook, Twitter etc.