The most important thing to know about two-step authentication (also known as two-factor authentication, or 2FA) is that it exists solely to provide your online accounts with better protection against attack.
The need for 2FA arose because most people do such a bad job of choosing passwords that online fraud and identity theft cases were spiralling out of control. Even with all the publicity about the risks, and even with all the technology available to help people create better passwords, an overwhelming majority of people still use passwords that are ridiculously easy to guess.
The only way to protect people from their own lazy habits is to create a second step of authentication after the password so that even if the password can be guessed, the data the password is protecting won’t be available to the attacker.
Unfortunately, there is no universal standard for two-step authentication, and many different methods are in use. Each method has strengths and weaknesses, but you won’t always be able to choose the one that best fits your needs; it’s really up to the website owner. Hopefully this will change in the years ahead, with more choices being offered or a universal standard being adopted. Some of the most common methods are:
- Biometric authentication. This is the strongest method available, but it does require an input device such as a webcam or fingerprint scanner for collection of the biometric data, and that may not always be available in your location. Also, while it’s very difficult, biometric data can still be intercepted and stolen in certain conditions.
- OTP authentication. This involves sending a one-time password (OTP) to your mobile device via SMS. Even if somebody enters the correct account password, they still won’t be able to gain access without also entering the OTP correctly. This is an exceptionally common form of 2FA, and while it is reasonably strong, it has important weaknesses you need to know about.
The most obvious weakness is that if somebody has physical access to your phone, they also have access to the OTP and can use it to authenticate themselves (this is more of a risk if you’re already logged into your account and the 2FA is being used to verify a financial transaction).
The next one is that if your phone number changes, your mobile device is stolen, or you travel internationally without enabling expensive global roaming for your device, you could find yourself locked out of your own accounts. Often this problem can be fixed easily, but not always. Once again, it depends on the policies of the service provider.
- Token authentication. This is actually a better way of authenticating than OTP authentication, but it is offered far less often. With this method, the 2FA code is generated by an electronic token and displayed on its LCD screen. The token and its codes are unique to you and provide strong 2FA protection while still letting you travel anywhere you want and change your phone number as often as you like. Of course, if you lose the token you will lose access to your accounts until you receive a new one. If your service provider has put its brand on the token, you should remove the brand so that a thief cannot tell which service the token grants access to.
- Email authentication. This is another very common form of authentication. It’s very simple and the only problem with it is that authentication emails can be intercepted and altered. This is alarming because it’s the most common way to authenticate a new account, which means people who have just created an online account can be subjected to phishing attacks and they’re more likely to fall for them in these circumstances.
- Question challenge authentication. This is used less and less often and has some serious problems, particularly if the answer to a question is forgotten. The website asks you to create answers to a set of questions when you first create the account. Later, if you enter the correct password and answer all the questions correctly, you are granted access to the account. The big risk with this method is that people often answer the questions honestly, and the questions are very easy ones, like the town you were born in or the name of your first pet. Anyone who knows you well (or spends enough time going through your trash) could guess the answers. The best thing to do with this type of authentication is to answer the questions with incorrect information that you will easily remember but that would be difficult for somebody else to guess.
- Network/device address authentication. This allows a user to log in to an account only from a specific location and/or device. It’s rarely used except in very special applications, such as those requiring military-grade security. Some services will notice if you log in from a different location or device than the ones you have used previously and will notify you about it, which is fine. What is less fine is services that simply lock your account when they notice you’ve changed to a new location or device.
Two-step authentication can be a bit annoying and inconvenient, but not as annoying and inconvenient as having your data or money stolen. The best accounts will allow you to enable or disable 2FA whenever you need to, but some don’t give you the option.
You can further protect yourself by:
- Choosing strong passwords that are difficult to guess, and learning how to memorize them.
- Not using the same password for different sites.
- Using password management software (and keeping an external backup of your password database).
- Remembering to temporarily deactivate OTP 2FA when necessary. If you are travelling, OTP 2FA can cause a lot of trouble if you need to access an account but cannot receive the SMS code while it is active. Reactivate it as soon as possible, but first make sure you won’t lose your access.
Don’t ever assume you’re completely safe, whatever method of security you rely on. All security methods are vulnerable; it is just that some are more vulnerable than others. If somebody can get access to your primary email account, they can probably gain access to all your other accounts as well.
Used correctly, 2FA can save you from a lot of trouble. We recommend using it when it’s available and you have data that needs to be kept safe. Do be smart about how you apply it, however, and don’t fall into the trap of thinking that you can get away with weak passwords just because you have 2FA enabled.