If you find passwords annoying, you might not like two-factor authentication much. But security experts say it\u2019s one of the best ways to protect your online accounts.<\/p>\n\n\n\n
Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you\u2019ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.<\/p>\n\n\n\n
In all, it usually only adds a few extra seconds to your day.<\/p>\n\n\n\n
Two-factor authentication (sometimes called \u201ctwo-step verification\u201d) combines something you know \u2014 your username and password, with something you have \u2014 such as your phone or a physical security key, or even something you are \u2014 like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) \u2014 which tells the bank that it\u2019s you. Even when you use your bank card on the internet, often you still need something that you know \u2014 such as your ZIP or postal code.<\/p>\n\n\n\n
Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there\u2019s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.<\/p>\n\n\n\n
Don\u2019t think it\u2019ll happen to you? So-called \u201ccredential stuffing\u201d or brute-force attacks can make it easy for hackers to break in and hijack people\u2019s online accounts in bulk. That happens all the time. Dunkin\u2019 Donuts<\/a>, Warby Parker<\/a>, GitHub<\/a>, AdGuard<\/a>, the State Department<\/a> \u2014 and even Apple iCloud<\/a> accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.<\/p>\n\n\n\n Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.<\/p>\n\n\n\n Enabling two-factor is a good start, but it\u2019s not a panacea. As much as it can prevent hackers from logging in as you, it doesn\u2019t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.<\/p>\n\n\n\n And some methods of two-factor are better than others. As you\u2019ll see.<\/p>\n\n\n\n <\/p>\n\n\n\n Let\u2019s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you\u2019ll quickly realize many sites and services just don\u2019t support two-factor. You should tell them to! You can see if a website supports two-factor here<\/a>.<\/p>\n\n\n\n But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.<\/p>\n\n\n\n There are four main types of two-factor authentication, ranked in order of effectiveness:<\/p>\n\n\n\n A text message code:<\/strong> The most common form of two-factor is a code sent by SMS. It doesn\u2019t require an app or even a smartphone, just a single bar of cell service. It\u2019s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes<\/a>. Because SMS messages aren\u2019t encrypted, they can also just leak<\/a>. More recently, researchers found that this can be done on a massive scale<\/a>. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.<\/p>\n\n\n\n An authenticator app code:<\/strong> This works similarly to the text message, except you\u2019ll have to install an app on your smartphone. Any time you log in, you\u2019ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone \u2014 especially Android devices \u2014 those codes can be stolen once they arrive on your device.<\/p>\n\n\n\n A biometric:<\/strong> Smile! You\u2019re on camera. Often, in industrial or enterprise settings, you\u2019ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed \u2014 such as cloning a fingerprint or creating a 3D-printed head<\/a>.<\/p>\n\n\n\n A physical key:<\/strong> Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn\u2019t had a single confirmed account takeover<\/a> since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that\u2019s it. Even if someone steals your password, they can\u2019t log in without that key. And phishing pages won\u2019t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.<\/p>\n\n\n\n There are several security keys to choose from: Google has its Advanced Protection Program<\/a> for high-risk users, like politicians and journalists, and its Google Titan key<\/a> for everyone else. But many security experts will say Yubikey is the gold standard of security keys<\/a>. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do \u2014 like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can\u2019t revert to a text message code or a biometric. It\u2019s a security key, or nothing. A downside is that you will have to buy two \u2014 one as a backup \u2014 but security keys are inexpensive. Also, if one is stolen, there\u2019s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.<\/p>\n\n\n\nThe Best Way to Two-factor Your Accounts<\/h2>\n\n\n\n