Why Should I Enable Two-Factor Authentication (2FA)


With standard security procedures (especially online) requiring only a simple username and password, it has become increasingly easy for criminals to gain access to a user's private data, such as personal and financial details, and then use that information to commit fraudulent acts, generally of a financial nature.

Two-factor authentication (or “2FA”) is a way to let a user identify him or herself to a service provider by requiring a combination of two different authentication methods. These may be something that the user knows (like a password or PIN), something that the user possesses (like a hardware token or mobile phone), or something that is attached to or inseparable from the user (like their fingerprints).

Using a username and password together with a second factor that only the user can supply (such as a code from a device they possess) makes it harder for potential intruders to gain access and steal that person's personal data or identity.

Several online services—including Facebook, Google, and Twitter—offer 2FA as an alternative to password-only authentication. If you enable this feature you’ll be prompted for both a password and a secondary method of authentication. This second method is typically either a one-time code sent by SMS or a one-time code generated by a dedicated mobile app that stores a secret (such as Google Authenticator, Duo Mobile, the Facebook app, or Clef). In either case, the second factor is your mobile phone, something you (normally) possess. Some websites (including Google) also support single-use backup codes, which can be downloaded, printed on paper, and stored in a safe location as an additional backup. Once you’ve opted in to using 2FA, you’ll need to enter your password and a one-time code from your phone to access your account.

Although 2FA offers a more secure means of authentication, there is an increased risk of getting locked out of your account if, for example, you misplace or lose your phone, change your SIM card, or travel to a country without turning on roaming. Many 2FA services provide a short list of single-use “backup” or “recovery” codes. Each code works exactly once to log in to your account, and is no longer usable thereafter. If you are worried about losing access to your phone or other authentication device, print out and carry these codes with you. They'll still work as “something you have,” as long as you only make one copy, and keep it close. Remember to keep the codes secure and ensure that no one else sees them or has access to them at any time. If you use or lose your backup codes, you can generate a new list next time you’re able to log in to your account.
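As an added example (not part of the original article), the following Python shows how the two kinds of one-time code discussed above work: the RFC 6238 time-based code an authenticator app derives from its stored secret, and single-use backup codes that a service stores only as hashes and invalidates the first time they are redeemed. The secret and timestamps used in testing are the RFC 6238 test values; the backup codes are generated on the spot.

```python
# Added illustration with constructed values; not code from the article or any vendor.
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int, skew: int = 1) -> bool:
    """Accept the current code plus one step either side to tolerate clock drift;
    compare in constant time so timing does not reveal which digits matched."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + d * 30), submitted)
        for d in range(-skew, skew + 1)
    )


class BackupCodes:
    """Single-use recovery codes: only salted hashes are stored server-side, and a
    hash is discarded the moment its code is redeemed, so replaying a code fails."""

    def __init__(self, count: int = 5) -> None:
        self.salt = secrets.token_bytes(16)
        plain = [secrets.token_hex(4) for _ in range(count)]  # 8 hex chars each
        self.hashes = {self._hash(c) for c in plain}
        self.plain_codes = plain  # shown to the user once, e.g. to print on paper

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        h = self._hash(code)
        if h in self.hashes:
            self.hashes.remove(h)  # consumed: the same code cannot be used again
            return True
        return False
```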

Another issue with 2FA systems that use SMS messages is that SMS messaging isn't that secure. It's possible for a sophisticated attacker who has access to the phone network (such as an intelligence agency or an organized crime operation) to intercept and use the codes that are sent by SMS. There have also been cases where a less sophisticated attacker (such as an individual) has managed to forward calls or text messages intended for one number to his or her own, or accessed telephone company services that show text messages sent to a phone number without needing to have the phone.

If you're worried about this level of attack, turn off SMS authentication, and only use authenticator apps like Google Authenticator or Authy. Unfortunately this option is not available with every 2FA-enabled service.

Finally, research has shown that some users will choose weaker passwords after enabling 2FA, feeling that the second factor is keeping them secure. Make sure to still choose a strong password even after enabling 2FA.
