What is two-factor authentication, and why do experts say it’s the key to better online security?
Google produces around 35.7 million results to the query “how to tell if my computer has been hacked,” which just goes to show how imperative online security is in the modern age. We’re told we need good passwords, but those are hard to remember, so many of us store a passwords list in our homes or on our computers. Needless to say, this isn’t particularly safe, especially in the age of spyware. Which is why the most important thing you can google might just be “what is two-factor authentication?”
Think of two-factor authentication as an extra lock on a door that guards your passwords. It takes an extra step to unlock the door, but it also makes it harder for the bad guys to sneak in. Using two-factor authentication is a step toward securing your online identity and data, and it’s a way to avoid digital attacks like doxxing. It also helps thwart phishing attacks.
In other words, if you know what two-factor authentication is, you may be able to avoid experiencing serious cybersecurity threats firsthand. And while everyone ought to use this security tool, it’s especially crucial for anyone using public Wi-Fi and iCloud. At the end of the day, it’s much easier to protect yourself from hackers than it is to recover a hacked Facebook account or hacked Instagram account. So let’s dive in.
What is two-factor authentication?
Two-factor authentication—often referred to as two-step authentication and 2FA—is a method for keeping your data safe online by adding an extra step (or more) to the log-in process. It does this by providing an extra layer of security beyond the standard username and password, which are typically fairly easy for bad actors to obtain or guess.
“The problem with passwords is they’re usually very weak, or people use the same ones over and over,” says Tom Gaffney, principal consultant for consumer security at cybersecurity firm F-Secure. “The top ones in the U.K. last year were 12345678, qwerty, password, or some variation thereof. Even a 14-digit alphanumeric password can be hacked in 140 seconds.”
In the event you fall prey to an Apple ID phishing scam, for instance, the hacker might get your password but find a roadblock at the 2FA prompt.
What happens when you have two-factor authentication?
With two-factor authentication, you have a security blanket of sorts. Hackers can do some pretty scary things with just your cell phone number, never mind with more personal information (think usernames and passwords) they might gain access to through data breaches or scams. When you have 2FA set up, you derail their plans.
Two-factor authentication is used by a wide variety of organizations, from workplaces and schools to banks, social media companies, and more. All of them want to make sure you—and only you—have access to your accounts. So they add an extra step.
After you enter your username and password, the website or app will ask for information to verify you are who you say you are. It might prompt you to enter something you know (like a PIN or a password), something you have (like a security code or physical fob), or something you are (like a fingerprint, facial scan, or voice frequency).
What is an example of two-factor authentication?
OK, so we’ve got the theory, but what is two-factor authentication when it’s in action? All 2FA systems use a combination of something we know, have, or are to confirm our identity. Examples of factors that may be used to confirm your identity include:
- A one-time code sent via either SMS or email to your registered accounts. As text messages and emails are fairly easily hacked and intercepted, however, this is one of the weakest forms of two-factor authentication.
- A code generated by an authenticator app (more on this below) or a physical fob.
- A push notification on a second registered device that asks you to confirm or deny the request.
- A FIDO, which stands for “fast ID online.” Considered the safest type of two-factor authentication, the FIDO system uses biometric authentication mechanisms, such as a fingerprint, voice recognition, or facial recognition, to confirm an identity online.
How secure is two-factor authentication?
According to Microsoft, people who use two-factor authentication are 99 percent less likely to get hacked than those who don’t. Given the number of online accounts we all have these days, it’s worryingly common for people to use the same password for multiple or even all of their applications and services. Even some of the world’s biggest companies suffer data breaches from time to time, so if one of your passwords is compromised, the fallout could be huge.
As part of its identity protection service, F-Secure monitors the dark web for stolen data that’s being held and sold. Through its investigations, the company found 1.7 billion compromised usernames, 29 billion emails, 24 billion passwords, and 41 billion bits of other information, such as social security numbers. It’s enough to make you want to disappear completely from the Internet.
This highlights why two-factor authentication is so important, says Gaffney, because unauthorized users would be unable to meet the second security requirement, even if they have your username and password.
“It’s harder for a criminal hacker to learn your password and your second factor of authentication,” says cybersecurity consultant and writer David Geer. “It keeps the criminals out of your sensitive accounts and information such as your personal, financial, and medical records.”
How do I use Google two-factor authentication?
RD.com, Getty Images
Google isn’t known for putting user privacy first. It’s practically impossible to browse the Internet anonymously, and Google is definitely tracking us online. That said, many of our online accounts are under the Google umbrella. You can kill several birds with one stone by setting up two-factor authentication with Google. Here’s how:
- Open your Google account.
- Select “Security” in the navigation panel.
- Under “Signing in to Google,” select “2-step verification.”
- Follow the on-screen steps. (If your Google account is associated with your work or school, you may need to request permission from your administrator.)
- Select your preferred second step.
- If you don’t want to use two-step authentication every time you sign in on a certain device, select “Don’t ask again on this computer” the first time you sign in. (But don’t do this if you share your computer with others.)
Not sure which second step to choose? Google recommends users select Google prompts. With this type of authentication, Google sends a prompt to one of your registered devices, after which you can either allow or deny sign-in.
How do I use two-factor authentication apps?
Two-factor authenticator apps are an alternative to authentication codes sent via text. Just as an online service provider might send a code to your mobile phone via SMS message to verify your identity, this kind of security app generates a one-time password after scanning a key (usually a QR code) from a website. This method is much more secure than a code sent by SMS.
Here’s how to set up two-factor authentication via app:
- Download and install an authenticator app on your phone. There are plenty to choose from in the app stores. Microsoft and Google each have their own, as does password manager LastPass and data security giant Sophos. Other popular products include Hypr and SourceForge, according to Gaffney.
- Go to any online account and look under “Settings” for an option to add two-factor authentication, then choose to add an authenticator app.
- Click “Add Account” in your authenticator app.
- Scan the QR code the website produces with your authenticator app. The app will open your camera; you may have to give permission for this. Simply point your camera in the right direction, and the code will automatically scan.
- If prompted by the website, input the code generated by the app.
Remember, you can lock apps on an iPhone, but protecting your apps with passwords won’t give you the added security that two-factor authentication will. If you’re intent on using a password or Face ID on your apps, double up with 2FA too.
What is multi-factor authentication?
So, now you know the answer to the question “what is two-factor authentication?” But you might still be confused by the term “multi-factor authentication.” Is it the same as two-factor authentication? A step beyond?
Multi-factor authentication is similar to two-factor authentication, but it requires two or more ways to confirm your identity. “It is more secure than 2FA,” says Geer. “It’s necessary for the most sensitive information because the criminals are likely to try much harder to get it.”
- Tom Gaffney, principal consultant for consumer security at F-Secure
- David Geer, cybersecurity consultant and writer