Using just a password isn’t secure anymore
Advances in technology have made it quicker and easier than ever before for hackers to brute-force passwords, phishing schemes have only gotten more sinister, and database breaches more prevalent. If there’s one thing we can take away from all of this, it’s that using just a password is not secure enough anymore. At least not on its own.
Even if you have a password manager set up (if not, please check out my post on password managers), it still might not be enough to keep your accounts safe. This is where multi-factor authentication comes into play.
Multi-factor authentication (MFA), or two-factor authentication (2FA) when exactly two methods are used, is the process of requiring two or more login methods to access an account. The most common example is being asked to enter a code received by text message after you have already entered your account password.
Authentication methods can be broken down into three parts:
Something you know
A password, a PIN, a pattern. The most common method, it’s something you have committed to memory. It may seem like the most secure, but in reality it often isn’t. If a malicious party figures it out, whether by guesswork (brute force) or observation (phishing, over-the-shoulder), they can access your account.
Something you have
The most common methods here are cell phones and security keys. Because you need physical access to the device in order to access an account protected by this method, it is by far the most secure. If properly configured, the only way a malicious party can access your account (generally speaking) is by actually stealing the device.
Something you are
Biometrics – fingerprints, voice, face and retina scans, all the cool spy movie stuff. The strength of this method is debatable. In some cases it may actually be less secure than something you know, as a malicious party can fool the scanner with a photograph. In others it can be the most secure method by far, as only you can authenticate with it. Because it usually requires a biometric scanner, this is usually the most expensive and complex authentication method to configure, and therefore the least common.
Since most people are already familiar with the method of something you know (usually the first factor), and something you are isn’t always practical, I’m going to focus on something you have.
Using what you already have to protect yourself
If you own a smartphone, be it an Apple device or an Android, you already have the capability to set up two-factor authentication right now. You can use SMS verification, but I strongly recommend using an authentication app instead. The two most popular two-factor authentication apps are Authy and Google Authenticator, but many others exist.
To start, go to your account settings and look for the option to turn on two-factor authentication. Stuck? turnon2fa.com has a convenient search tool that will provide you with instructions for most major websites. SMS verification is pretty straightforward, so I will go over using an authentication app.
Once you get to your account settings, you will either be asked to scan a QR code or enter a key on your phone. I highly encourage you to write this key down on paper and store it somewhere very safe, preferably in a locked fireproof container or a safety deposit box if possible. Open up the application, select your preference (it doesn’t matter; the QR code is more convenient, but if you are accessing the account from the same device you will have to copy and paste the key instead) and input the key. Afterwards you will be presented with a short 6-digit code. You will typically have to enter this code back into your account settings in order to confirm that it works. And that’s it! You’re all set!
Whenever you want to access your account, you will be presented with a screen asking for the 6-digit code. Open the application on your device and enter the current code it displays for that account. This code changes every 30 seconds, so type quickly!
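The steps above are the TOTP scheme (RFC 6238) that Google Authenticator and compatible apps implement: the key shown next to the QR code is a base32-encoded secret shared between you and the website, and the 6-digit code is a truncated HMAC of the current 30-second time window, which is why it changes every 30 seconds and why anyone holding the key can regenerate your codes. The script below is an added example, not code from the original post or from any of the apps it names. It parses an otpauth:// provisioning URI of the kind a QR code encodes, derives the code, and checks a submitted code the way a website would, accepting one neighbouring window to tolerate clock drift. The URI, account label and function names (parse_otpauth, hotp, totp, verify_totp) are constructed for illustration; the secret is the published RFC 6238 test key, so the values are checkable against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 key shown next to the QR code.

    Apps often display it in lowercase groups separated by spaces and without
    the trailing '=' padding, so normalise it before decoding.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: truncate HMAC(key, counter) to a zero-padded decimal code."""
    key = decode_secret(secret_b32)
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret_b32, int(for_time) // step, digits)


def verify_totp(secret_b32: str, candidate: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    `window` neighbouring steps are accepted so a slightly skewed phone clock
    still works; the comparison is constant-time so response timing does not
    reveal how many digits matched.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta, digits), candidate):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Extract the parameters carried by an otpauth:// provisioning URI (what the QR code encodes)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth:// URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "type": parsed.netloc,
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [None])[0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


# Constructed sample URI (hypothetical account). The secret is the RFC 6238 test key
# "12345678901234567890" in base32, so the codes match the RFC's test vectors.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(account["secret"], now, account["period"], account["digits"])
    remaining = account["period"] - int(now) % account["period"]
    print(f"{account['issuer']} ({account['label']}): {code}, valid for {remaining} more seconds")
    print("server accepts:", verify_totp(account["secret"], code, now, account["period"], account["digits"]))
```

Two things worth noticing when running it: the same secret on both sides is all that links the phone to the website, which is exactly why the written-down key must be guarded like a password, and the server's `window` is a deliberate trade-off, since every extra step it accepts widens the set of codes an attacker could guess.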
Keep in mind, if you lose the device or you do not have it on you, you will not be able to log in to your account. Depending on the website, you may have to request an email sent to your account to confirm your identity, or call support in order to regain access to the account. This is why it is very important that you write down the key every time you add an account. Treat the key like another password and never let it fall into the wrong hands.
If you want to go above and beyond to keep your account safe, I would highly recommend a physical token.
While authentication applications are a great way to keep your accounts safe, and are certainly good enough for most people, it’s hard to beat the security that a physical hardware token has. Authentication applications are still software. They are prone to bugs and other issues, and yes, they can be hacked. Don’t fret, it’s unlikely someone will hack your authentication app, but if you are a big target and really need the extra security, or if you want to take your cybersecurity game to the next level, a hardware token is even more secure.
Plenty of options exist. There are hardware tokens that use the FIDO U2F standard, and there are hardware tokens that use the same OATH TOTP/HOTP standards as the authentication applications and are set up in exactly the same way.
To set up a hardware token with OATH TOTP/HOTP, follow the same steps listed above for using an authentication application. The only difference is that instead of opening an app on your phone, you will plug the hardware token into your computer and launch whatever software the token uses. If you are using a Yubico product, this will be the Yubikey Authenticator application.
FIDO U2F is a little bit different. At the time of this writing, U2F is only supported by a very limited number of browsers and companies, so I won’t go too far into detail. Instead of typing in codes, you will simply be asked to press a button on your device.
My personal recommendation is the Yubikey NEO. The NEO has support for both U2F and OATH TOTP/HOTP (using the Yubikey Authenticator app), plus it can either be plugged into the USB port of your computer, or used over NFC with your smartphone.
The more the merrier
There is no such thing as impenetrable. As long as a human element is involved there will always be a way in. Using multi-factor authentication only adds more hurdles, making it much more difficult for any malicious actor to access your private accounts and data. A password alone is not enough to keep your account safe, as there are many ways it can be obtained. By setting up 2FA, your accounts will require hackers to obtain your code as well, a not-so-easy feat, making you much safer than those without it.