Two-factor authentication (2FA) is touted as the best way to secure your accounts. But a lot of people who suggest it don’t explain what it is or why you should use it to increase your account security.
What is 2FA?
Traditionally, you use a username and a password to sign in to accounts. It should generally be assumed that your username is public, but your password should be private. The key words here are “should be”. There are plenty of ways your password can be compromised. For example, if you’ve chosen a weak password, a hacker could just guess it. If you’ve reused a password across multiple sites and one of them gets hacked, your password for all the sites you reused it on is now compromised. You could even fall for a phishing scam and simply hand your password over.
While you can reduce the risk of these issues, you can never completely protect yourself. The solution to that is to use 2FA.
2FA is an option that some devices, websites and other platforms offer that requires a second form of proof of identity to sign in to your account.
Something you know and something you have
The primary concept of 2FA is to make it more difficult to compromise all the data needed to get into your account. If the second factor were just another password, it would likely have exactly the same issue as using one password.
Instead, the general consensus in the security industry is that the second factor should be related to something you have. There is a range of options, such as biometrics, RFID cards, USB security keys, key code generators, and text-based and app-based notifications.
While you can unwittingly give up the information you know, such as a password, it’s much harder for a hacker to gain access to a physical item.
While not all devices or websites will accept all methods of 2FA, any of them is generally better than not having 2FA at all.
Tip: There is a security risk with SMS-based 2FA. An attack called “SIM swapping” can be performed by hackers who have access to the mobile phone network. In this attack, they redirect the 2FA text to a phone they control, allowing them access. In general, SMS-based 2FA is still better than not using 2FA at all, but other choices are likely to be more secure where available.