2FA — The Second Key To Your Accounts
2FA — also known as two-factor authentication or multi-factor authentication — is like an extra key to your account.
I’m sure that your password is super secure; you don’t reuse it anywhere, you always remember it, and you definitely don’t leave it on a sticky note or in a little book next to your computer. User credentials are not secure.
If you’ve never done it, take a minute to type your email into haveibeenpwned.com. My primary email has been involved in three different data breaches, some of which involved email addresses, geographic locations, names, passwords, and usernames all being released into the digital aether.
Two-factor authentication means that I have one less thing to worry about: my accounts have an extra key on them, and it’s still easy for me to log in when I need to.
There are three different ways that 2FA works: with a phone number, an app, or a hardware key — a USB key that you physically put into your computer. Each has a different level of security: phone number/text messages are least secure (but still MUCH better than nothing), apps are better, and physical keys are best.
Option 1: A physical USB or Bluetooth keyfob becomes your second key.
This is the most secure option, because there’s no digital way to steal the key. The downside to this is that the keys themselves cost between $25~$200. Professionals suggest that you get two of them, to use one as a spare. That can get spendy quick.
Option 2: An app on your phone becomes the second key.
When you set up 2FA using an app, you download the app on your phone (the most popular one is Google Authenticator, but there are others). When you sign up for 2FA on a website, the site displays a QR code that the app scans, which adds the site into the app. Every 60 seconds the app creates a different code that the website will be able to use to verify your identity. If your phone gets lost, hacked, or stolen this can be a problem, but you can easily change phones by using the Google 2-step verification page.
Option 3: Your phone number becomes the second key.
When you set up 2FA with a phone number you give your number to the site you’re using. When you go to log in, you enter your username and password, and then the site texts or calls you with a secret, one-time-use code. You enter the code on the next page, and away you go. The problem with this system is that there have been known accounts that have been hacked because the hacker called and had the correct phone number transferred to a different mobile device, or spoofed cell towers. This is a very rare occasion, but since it has happened phone-number based authentication is considered less secure.
How to set up 2FA on your accounts.
This takes a bit of time, but it’s worth it. Consider it some good, healthy “digital spring cleaning”. Even if it feels like it’s not worth it because you’ve had bad digital habits in the past, putting in the work now means that you’ll be more secure from here on out. It’s worth it. If you wait to create good habits until you realize you’re being taken advantage of, it’s too late.
Step 1: Download an Authenticator App on your phone.
Step 2: Find out what accounts you have.
I have over 450 account credentials saved in my password manager. Not all of them are to services that offer 2FA. If you don’t use a password manager, you can find out what passwords your browser has saved by typing “chrome://settings/passwords” in Chrome or Brave, “about:logins” in Firefox, or going to Menu > Settings > Passwords and autofill in Microsoft Edge. (Though, Microsoft Edge was just rated least-secure browser by a study, so now is a good time to switch to Brave, the browser that was rated most-secure by the same study.)
Step 3: Go to TwoFactorAuth.org
Once you see the list of sites you have accounts with, open up this page in another tab. This is a website whose sole purpose is to collect information on whether or not an online service offers 2FA.
Step 4: Start at the top of the list.
Enter the name of the website into TwoFactorAuth’s search bar. The entry will be highlighed light green if it offers 2FA, and red if it doesn’t. If the site doesn’t offer 2FA, write it down in a note that you can set a reminder for in 6 months, or consider deleting your information and account from the site if it’s one that you don’t ever use.
When you click the link on TwoFactorAuth.org it will take you to the homepage of the website (for security reasons). You’ll need to find the profile, settings, or password/security area of each site to set up 2FA.
Make sure to use the three options in order of security: physical key, app, then phone number. (If you haven’t purchased a physical key yet, no sweat. You can, obviously, skip the first option for now.)
Since you’ll be at this for a while, pull of some tunes. I’ve really been enjoying Old Bear Mountain lately. I always enjoy Old Bear Mountain.
Multi-factor authentication doesn’t guarantee that you are 100% hack-proof. It just makes it much, much more difficult for hackers to gain access to your accounts. There are only a few other ways to secure your account that work as well as 2FA, and they’re not as easy to implement.
If you already have Brave, head on over to my website and tip me a few BAT. Thanks!
Right now the world is under quarantine because of COVID-19. Make your time at home matter in the long run. I’ll do my best to publish a privacy how-to every day for the next few weeks. Follow me here on Medium, follow my Facebook page, or send me a message and tell me to start a newsletter.