Two-Factor Authentication for Beginners
Passwords are the brittle wall that keep unwanted visitors out of your accounts. When it comes to account protection, two-factor authentication is one of the most effective defenses available.
Two-factor authentication (or 2FA, for short) strengthens login security by requiring a second piece of information — a second factor beyond your password. The second piece of information is usually a temporary code delivered by a device in your possession, such as your phone. It may also be something on your body, such as a fingerprint.
You might hear it referred to by a variety of names (e.g., multi-factor authentication, 2-step verification), but we’re going to stick with 2FA.
Why you should use 2FA
When large-scale password breaches happen — and they happen a lot — credentials are often sold and swapped in online marketplaces and hacking forums. Some attackers break into accounts for entertainment, and some, for a payday. It’s typically not personal. In rare circumstances, attackers have a specific group or person in their crosshairs.
Email accounts generally give attackers the most value. Why? You use your email to recover other web accounts.
Here are a few different ways your account is most likely to get hijacked.
- Attackers will guess short or predictable passwords.
- After a large-scale password breach, some attackers will use automated scripts to try logging in to multiple websites with the same hacked credentials, just in case you reuse passwords on multiple accounts.
- Attackers will craft fake phishing pages to trick you into divulging your credentials. How? They’ll usually send an email that seems to come from a trusted source (e.g., Twitter), directing you to an ordinary-looking login page for a real site you trust, but the site is a bogus one under their control. This is why it’s important to look closely at the sender field, as well as the URL for the login page. You can learn more about phishing here.
- Spear phishing is targeted phishing. Typically the attacker will do their homework, gathering publicly available information (e.g., social media, public records) to create a good pretext for the phishing email. They may impersonate a friend or colleague direct you to a forged login page. This is how the Washington Post’s website got hijacked in 2013.
These are common attacks that affect all email services. Enable 2FA everywhere you can, but especially on your email. Check if your favorite service supports it on Twofactorauth.org, and look for step-by-step guides on TurnOn2FA.com. Let’s walk through a few ways to use it.
There are a few simple, widely supported approaches for adding 2FA to your accounts. There’s not one “right” way to use it, and each has unique considerations for security and convenience.
A pretty good option: SMS text messages
When setting up 2FA, most services allow you to use regular old text messages. When logging in, you will receive a short confirmation code on your mobile device. When prompted during login, enter your code.
Text messages are a painless way to access 2FA codes, but are only as reliable as the phone network. For example, if you lose network access or travel outside the country, you might not be able to receive the messages.
Here’s a great example. An attacker broke into the Twitter and email accounts of a prominent Black Lives Matter activist, Deray McKesson, by convincing Verizon to redirect his phone messages to a new SIM card on a remote device. This allowed the attacker to intercept his 2FA messages. If you own the phone number, you get the 2FA messages.
That sounds scary, but remember the real story here: The attacker was forced to work much harder than if they had simply entered a password.
It’s easy to prevent this kind of attack. Compared to SMS messages, authenticator apps are a little more convenient, and a lot more secure.
Better option: Authentication apps
Some services allow you to receive your temporary login code from a mobile app. There are many options to choose from, such as Google Authenticator, Authy, Duo Mobile, and others.
Some web services let you attach multiple authentication apps to the same account, which can be incredibly helpful for getting login codes when multiple people need access. Authenticator apps are also great because they work when you don’t have access to your phone network (e.g., when traveling internationally).
Unlike SMS messages, authenticator apps can’t be intercepted on the phone network, making apps a hardened option. When possible, consider an authenticator app over SMS.
But, just like passwords can be entered in a fraudulent website to steal your login information, authenticator codes can also be entered in a phony website. So we can do even better.
Best option: Security keys
Right now, security keys are one of the most secure and efficient ways to use 2FA. A security key is a physical USB device you can use to authenticate into your account.
When prompted to provide your 2FA credentials, instead of typing in a code, you simply insert your security key and physically tap it when prompted during login. That’s all. Security keys are fairly resistant to phishing attacks, making them one of the best options available. Unlike code-based 2FA, phishing sites don’t have a great way to intercept information from security keys.
The main problem with Yubikeys is that as soon as you try one, you’ll want to use them everywhere. And they can’t be used everywhere yet.
Security keys are not yet as well supported as authenticator apps, but the standard is getting traction on large websites. It can be used to log into Google, Facebook, Dropbox, and other services.
Right now, using security keys to log into most websites requires browser support, and the Yubikey works with Opera, Firefox, and Google Chrome. (Full disclosure: I work with Google Chrome as a researcher.) Many other popular browsers are working to integrate support for Yubikeys and similar authentication devices.
So just to recap, here are our three options:
Use whichever 2FA method is available and practical for you. SMS-based 2FA is a worthwhile upgrade, but when possible, consider using authentication apps or security keys.
Let’s turn on 2FA!
We can set up 2FA in minutes. For example, let’s look at how to set it up for Gmail.
First, find the setup page.
Account icon (top right) > My Account > Sign-in & security > Signing in to Google > 2-Step Verification > Get started
First, you must register the device. Punch in your phone number. You’ll be sent a confirmation code on your mobile device, which you will enter on the registration page. If you prefer not to use your phone number, we can always remove it later.
After registering your device, you can use 2FA codes through SMS text messages.
For a more secure way to use 2FA, let’s activate the authenticator app.
On the 2-step verification page, scroll down to “Authenticator app” and click “Set up.” To register a new service in the app, you will be asked to scan a barcode that appears on your screen. Scan the barcode with your phone’s camera. After the code appears in your app, type the code into the setup prompt.
If you have an authenticator app, there’s no need to use SMS text messages any more. (And like we said earlier, SMS 2FA comes with some risks we can easily avoid by only using an authenticator app.) Whenever possible, consider removing 2FA through SMS text messages after you set up an authenticator app.
First, purchase a security key, such as a Yubikey. You can find one for $20.
They’re easy to set up!
Scroll down to “Security keys” and click “Add security key.” When prompted, insert the key into the USB port, and physically tap it.
Afterward, you can name your newly-registered device. During log in, instead of typing in a 2FA code, now you can just insert and tap the key.
If you already have authenticator apps or security keys set up, you probably don’t need SMS any more. If it’s not necessary, consider removing your phone number.
Scroll to “Voice or text message” and click the pencil icon, and then click “Remove phone.”
Some laptops (e.g., the Macbooks 2016 and beyond) only have USB Type-C ports. If you can’t use a traditional USB 2.0 or 3.0 port, you can still use security keys with a USB Type-C adapter. Here’s a short list of Type-C adapters that are confirmed to work.
It’s a little more expensive to purchase Type-C Yubikeys.
Whenever you can, use backup codes
Even if we lose our security key and authenticator app, we can still avoid locking ourselves out by using backup codes. Scroll down to “Backup codes” and click “set up.”
You will see a series of numeric codes. Print these out, because if you are ever locked out of your account, you will need one of these codes to get back in. Keep these codes someplace where you can physically access them.
Does your favorite service offer 2FA? Drop by Twofactorauth.org to find out. You can also check out Turn It On for step-by-step guides on each service you want to secure. If your service doesn’t yet offer 2FA, consider prodding the organization to support it.
Don’t stop here. Alongside turning on 2FA, strong password habits can go a long way to make your accounts safer. Want to learn more? Read about how to protect your accounts using password managers, for beginners.