In a previous post, we talked about password security and how important it is in today's ever-connected world. However, as strong as someone might make a password, it could still be at risk.
Thankfully, there's a better way to make sure your login credentials are as secure as possible: two-factor authentication. Here's everything you need to get started using it and improve security today.
Why a Strong Password Might Not Be Enough
Long, complex passwords are always better than short passwords that only consist of simple words. Unfortunately, even if you have an amazing password, it's still possible for it to be stolen. Every so often, companies like Adobe, Time Warner, and Amazon report security breaches that end in their users' passwords being exposed. This means that even a strong password can fall into the hands of someone who can abuse it.
It's not just breaches, either — if you fall for a phishing scam and hand your password over to someone, or keylogging software on your computer captures your login credentials, the strength of your password won't matter much.
Introducing Two-Factor Authentication
Two-factor authentication (2FA), also called two-step authentication, supplements passwords by requiring something you know (your password) and something you have (usually your phone) to log in. This way, even if someone gets hold of your password, they'd need your phone to log into your account.
The second factor of authentication varies. For most sites, it's a text message sent to your phone or a randomly generated code from an authentication app. If you don't have a cell phone, some sites also allow you to use physical security keys, although these are probably more trouble than they're worth.
Many sites (such as Google) that offer 2FA allow you to remember a computer and bypass this step in the future for convenience. This makes it easier to sign in on your personal computer while still protecting you from attacks, because the code is required on every other computer.
Where Can I Use Two-Factor Authentication?
Not every site supports 2FA, but the list is growing all the time. The site Two Factor Auth List is an awesome resource for keeping track of who supports the feature, and how they do it. You'll see that most sites support text messaging or authentication apps (referred to as "software token" on this page). It's rare for a site to use a phone call for 2FA, but some do support that option.
So Instagram has two-factor authentication, yet my bank doesn't... #facepalm.
— Jamie Haggett (@jhaggett) February 17, 2016
Lots of key services support 2FA — it's most important to enable it on your email and password manager sites — but you'd be surprised at how many sites don't offer an option for two-factor authentication. Hopefully this feature becomes more standard as time goes on.
You're best off using a dedicated app for two-factor authentication; text messages are a decent option, but you can't receive them if you don't have cell reception. 2FA apps work anytime, even if your phone is in airplane mode. Google recommends their Google Authenticator app, but we like Authy better.
The problem with Google Authenticator is that there's no way to back it up — meaning when you get a new phone, it's a pain to port all of your information from Google Authenticator to a new device. Authy allows you to share your account among as many devices as you like, meaning that you have more than one way to access your accounts. With Authy, if you lose your phone, you can easily deactivate that device from another one and add a new phone in seconds.
In addition, Authy also provides their service via a Chrome browser extension, which gives you more flexibility.
There are a few things to know when activating two-factor authentication. First, most sites will provide you with emergency backup codes when you activate the function, and you should print these off and keep them somewhere safe.
If you were to lose your device, you could log in with one of those codes instead; they prevent you from being locked out of your account in the event of an emergency. Again, Authy will help prevent this issue because you can sync your account on several devices; if you have a tablet or old phone, throw Authy on there and you can use that in case you lose your main phone.
Second, 2FA might prevent login from working correctly when signing in on third-party services (such as using Facebook to log into Spotify, or signing into Chrome sync with your Google account). Not to fear, because you'll be provided with a way to generate one-time codes to sign into these services. It's an extra step once in a while, but it's worth it for the huge boost in security.
As we've seen, two-factor authentication is a vital way to protect your security. As strong as your password might be, you'll have even greater peace of mind knowing that someone can't break into your account without having the phone that's in your pocket. Since most people have their phones on them all day, why not use them in a way that keeps you safe?
Do you think you'll start using two-factor authentication to protect your accounts? What other methods do you use to improve security? If you have questions about two-factor authentication, let us know!