What is two/multi-factor authentication and why should you turn it on?

A rare delve into ‘security’ for this publication!

KL · Women’s* Privacy Project · 6 min read · Sep 27, 2022

[Image: Microsoft 2-factor authentication screen. Photo by Ed Hardie on Unsplash]

Today, we’re going to get our feet wet with a little security, which certainly helps with privacy, but they are not the same thing. I generally avoid the topic of security in this newsletter, but I think this one is such an easy win to protect your accounts that we’re just gonna do it anyways!

On a side note — I’m not much of an advertiser, so if you’ve been enjoying this series, would you mind sharing it with someone you think would be interested or find value in it? Thanks! You can also subscribe to the newsletter on Substack!

What is Two/Multi-Factor Authentication (2FA/MFA)?

Naming-wise, I’m using these somewhat interchangeably. I think 2FA is more commonly seen in website security settings, so I’m defaulting to that, but the concept is the same.

So here’s the deal. You have a username and a password — we all know about these. Now, if, for whatever reason, your username and password find their way into the wrong hands, anyone can sign in with those credentials.

Two-factor authentication means the person trying to access your account would need an additional code to get in, which hopefully only YOU would have access to. The most common form of this is when you receive a text message with a code (usually just numbers) in it that you need to enter AFTER you’ve entered your username and password.

Forms of 2FA

Text Messages: Good

This is the most common but the least secure form of 2FA. Basically, you give them your phone number, and they send you a text with an additional code to be entered when you log in.

Pros

  • It’s easy to set up and use — you usually get a text message immediately and just enter the code you received.

Cons

  • Text message security sucks; these can be intercepted.
  • Requires you to have cell phone service to receive the text message.
  • Pain in the butt if your phone number changes (or you use burner phones).
  • Can be easily phished (you might be directed to a fake version of a website, log in with your credentials, enter your auth code, and all those are captured by the fake site to be used by them on the real site).

Authenticator Apps: Best for Most Users

A better option is to use an authenticator app. An authenticator app creates a continuous stream of timed codes that you enter after you enter your username and password (kinda like the text message, but you already have the codes on your phone).

There are a few authenticator app options, but the best one I’ve used is Google Authenticator (Android, iPhone). I’ve tried a few, but after a debacle of moving from Android to iPhone using the DuoMobile authenticator app, I’m back to fully recommending Google Authenticator. I’ve also heard good things about Authy (Android, iPhone), but I haven’t personally used it.

Pros

  • Much more secure than text messages.
  • Doesn’t require cell phone service to work.

Cons

  • It can be a little clunky when you have to switch apps to get the code.
  • Also, switching to a new device isn’t always straightforward, I’ve learned, but that’s partly dependent on the app you choose.
  • Can still be phished (but in this case, at least there’s a shortened time period for them to use the code, usually under 30 seconds).

Physical Key: Best for Maximum Security

If you care GREATLY about your account security, this is the choice for you. It’s not possible to intercept or get into an account unless you have the physical device. Basically, it’s a USB key that you plug into your device that doesn’t require any authentication codes. Some of these have the capability to work through NFC or Bluetooth also (for your mobile devices), but not all do.

Pros

  • Best security option.
  • Very easy to use, just plug it in, and you’re done. Some people leave them plugged into their personal computers all the time, but if you go this route, make sure your computer itself has tight security.

Cons

  • Not available on all websites.
  • May not work with your mobile devices; you would likely still have to use a fallback method like the options above for your phone.

A Note About Recovery Codes

When you set up two-factor authentication, you will usually also see a list of recovery codes. These are codes just like the ones you’d get via text or in your authenticator app, but they’re for emergencies. If, for example, your device is lost and you no longer have access to the authenticator app, or your phone number changes, you will still need codes to be able to get in.

The website will give you a list of these recovery codes at the time you turn on 2FA. DO NOT LOSE THOSE CODES. I personally keep mine in my password manager (we haven’t talked about those yet, but I’m sure we will) as secure notes, but it’s ok to store them locally on your computer as well or just write them down in a notebook. Whatever you do — keep them, and keep them safe.

Push Notifications to Approve or Deny

Some companies use a different kind of 2FA where you will get a push notification on your phone when you log in that asks you to approve or deny a login attempt. I’ve seen this most often with DuoMobile (another authenticator app), usually in enterprise settings (big companies/universities/etc.).

Sometimes you’ll see these from Google or Apple also, where you might have to go to another of your devices to either retrieve a code or approve a login. It’s just another form of secondary security beyond simply using a username/password combination to access your account. You should never approve a login attempt that you didn’t explicitly request!

How do I turn on 2FA?

This depends on the site, but generally speaking, it will be an option in either your settings, your account area, or your profile, and it will typically be under a “Password” or “Security” type heading. Not every website offers this function, but MANY do, and I ALWAYS recommend turning it on, especially for those accounts that could compromise the REST of your accounts, like your email!

When you turn on this setting, you’ll usually get either an activation code or a QR code. You enter or scan that in your authenticator app, and the app will immediately start generating codes for that website. Next, you’ll probably see recovery codes. Save those somewhere safe! After that, you’ll be prompted to enter the 6-digit code you see in the authenticator app to confirm you’ve got it set up right, and you’re done!

Password-less Logins

A related topic I want to touch on here is the password-free future the tech world is buzzing about. You may have seen this already in the form of ‘magic links’ or websites where you don’t actually log in with a username and password. Instead, you enter your username/email into the website, they email you a link, you click it, and you’re signed in. Magic! Importantly, however, don’t click on one of those links if you didn’t request it. These should definitely have 2FA turned on to protect against accidentally logging someone else into your account.

Apple also has been working on ‘passkey’ technology which is part of their recent iOS and macOS releases. Essentially, a passkey is a digital key that’s stored on your device (not readable by anyone, even Apple), which can be used to automatically authenticate you for different websites and apps using your biometric data (like Face ID or fingerprint). I could absolutely see this type of tech becoming more widespread considering all the big hitters want to move away from passwords in the future.

Further Reading

A reminder that security is only as useful as the people using it — never click login links in your email that you didn’t request, never accept a login request on your phone that you didn’t initiate, and never send your authentication codes to anyone:

  • “Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known” ArsTechnica

If you want to learn more about a password-free future:

  • “Apple, Google, Microsoft Move Closer to a Password-free Future” InformationWeek
  • “Apple’s password-free future is almost here” TechAdvisor
