All about two-factor authentication

2Factors_authorization_icon(Quite) a while back, I wrote about getting serious about password management – with that under control, I wanted to write about the next step in personal data security – two-factor authentication (2FA).

What is 2FA?

Two-factor authentication is a process whereby, whenever you sign in to a site or service, you are not only required to input your password but to subsequently enter a numeric code provided to you on the fly, either via SMS or via a code generator app on your mobile device. This additional step helps to ensure that you are, in fact, you and not someone else who has gotten their hands on your password. Unless the culprit also has your mobile device, then 2FA serves as an extra layer of protection.

Why do I need it?

Everybody agrees and understands that utilizing passwords as a method of data security on the Internet is basically a broken concept – users don’t habitually create complex passwords, they use the same password for everything, they write down passwords in insecure places, they rely on easily-guessed passwords, etc. And now that data breaches have become so common, it’s increasingly easy for a hacker to obtain login info from a company and then attempt to apply that to OTHER common sites.

Unfortunately, technology hasn’t yet gotten us to a place where there is a way to safely secure all of your data using a unique-to-you, unobtrusive method. So, for now, we’re stuck with passwords. In light of that, it’s worth doing everything one can to ensure that a) the passwords you use are not easy to break and b) a broken password doesn’t lead to access to OTHER sensitive data.

Two-factor authentication adds an extra layer of security as, each time you sign in to an online service, you’re required to further authenticate yourself by providing a piece of info, sent to YOUR mobile device, on the fly.

How does it work?

There are two methods by which you can receive the code you’ll need to enter – most common is via SMS and, at present, most web sites offer this as their method of 2FA; in some instances, a verification email is used in place of SMS. But some of the larger sites (Google, Dropbox, Microsoft) offer the option of using an mobile authenticator app – this basically acts as a time-sensitive, random code generator, not dissimilar to the RSA SecurID tokens you may have seen in the past. Using an authenticator app has the advantage of a) being a nicer user experience, b) being more secure, as the code is no longer sent via insecure methods like SMS or email and c) you’re not using up your text message allocation.

Google has an authenticator app (iOS / Android), but I’ve been using Authy, a free app that looks better and integrates, via Bluetooth, to your desktop machine.

Whenever possible, I recommend opting for the authenticator app option. Why? Because if someone actually gets a hold of your phone and is using your credentials to access a website, a SMS message will be visible to them without even having to unlock the phone, whereas accessing the authenticator app still requires the ability to unlock your phone. Yes, this is a little paranoid/outside case scenario, but it’s also logical.

How do I get started?

Fortunately, there’s a web page out there that maintains a list of all web sites that offer 2FA and what methods are available. Simply visit twofactorauth.org and scan the page for any services you use, then follow the link for instructions on how to enable it for each site. If available, I always recommend using the authenticator app option. Unfortunately, many sites presently only offer 2FA via SMS, so that’ll have to do.

This sounds like a nuisance

Yeah. It is. But honestly, you get used to it very quickly and it’s not that big a deal. So get going – once you’ve got your passwords under control, take the next step and enable two-factor authentication and rest easy knowing that you’re data’s as secure as it can be!

BONUS
For those of you with a cell plan that limit the number of SMS messages you can receive on a monthly basis, consider setting yourself up with a Google Voice account – it’ll provide you with a real phone number that you can tie to your mobile phone – using that number instead of your mobile number dodges the hit to your SMS allocation.

Leave a Reply

Your email address will not be published. Required fields are marked *