For increased security and privacy, we recommend that you use two-factor authentication (2FA) wherever a website offers it for logging into your account. Below we examine the different methods of using two-factor authentication.
What is two-factor authentication (2FA)?
More and more websites offer 2FA for logging in to enhance security and privacy. Two-factor authentication means that, when you log in, you prove that you are who you claim to be using two of the following three categories of evidence:
something you know (e.g., a user ID and password combination, the method in widespread use);
something you have (e.g., a cell phone that you own, to which a code is sent, or a hardware key);
something you are, i.e., an inherent characteristic (e.g., a fingerprint, as on an iPhone, or face recognition); this category is still used less on major websites for login authentication.
So, for example, on many websites where you log into your account, such as a banking or social media site, you can today opt to require not only your user name and password but also the entry of a one-time code (valid for, say, 10 minutes) sent to your cell phone via text message or generated by a special-purpose authentication app (more about that below).
Why use two-factor authentication (2FA)?
While it adds a step when you log in, we strongly recommend using 2FA, as it greatly improves the security and privacy of your account. An attacker who has obtained your user ID and password (for example from a data breach of another site or from a phishing page) still cannot log in without the second factor, and the odds of someone both stealing your password and gaining control of your phone are much lower than the odds of your password alone being stolen, particularly if your password management is less than ideal (see a previous blog post about password management best practices).
How to use two-factor authentication
The combination of your user ID and password plus a one-time code that is sent to or generated on your phone is currently the most common form of 2FA. Many websites offer one or more of the following methods:
Send a one-time code via email: A code is emailed to you as a secondary identification means each time you log in, and you enter it into a prompting screen. This is not the most prevalent method and is not recommended: email travels over and sits in systems you do not control, and an attacker who has broken into your email account (often with the very same reused password) receives the code too.
Send a one-time code via phone call: Similarly, a code is read out by an automated phone call, and you enter it on the website's authentication screen. This method is a bit awkward and slow, and it shares the weaknesses of text messages below, since the call goes to whatever phone your carrier currently associates with your number.
Send a one-time code via text message: Similarly, a one-time code is sent via text message, and you enter it. This is a prevalent offering and much better than no 2FA at all. However, text messages sent via phone carriers are not secure: an attacker who persuades your carrier to move your number to a SIM card they control (so-called SIM swapping) receives your codes, and a code typed into a convincing phishing page can be relayed to the real site while it is still valid. We therefore recommend that you consider using an authentication app instead (see further below).
Require a hardware key: There are hardware "keys" that plug, for example, into a USB port (or connect by NFC or Bluetooth) and that must be present as part of account login. Modern security keys (FIDO U2F/FIDO2) are the most phishing-resistant option, because the key only answers a login challenge from the site it was registered with, so a lookalike site cannot obtain a usable response. This method is not as prevalent, since, while secure, it has its cons: a hardware key can be lost, or not be available or compatible with a device you are using away from your home or office. If you go this route, register a second key and keep it somewhere safe.
Use an authentication app: Authentication apps are growing in popularity because they are more secure than, say, the website sending you a code via a phone carrier's text message. Typically these apps are downloaded and installed onto your phone, and many sites support several of the leading authentication apps as an option for 2FA. Setup is a one-time task for each account, but it is easy and quick: on the website, you typically designate which of the supported authentication apps you are using and then scan the QR code the site displays with your phone's camera. The QR code contains a secret that the site and your app share from then on; treat it like a password, since anyone who photographs it can generate your codes. With this one-time setup behind you, the app generates a code from that shared secret and the current time, which is why the code changes every 30 seconds and why the app works without any network connection. Note that the code is not random: the site computes the same code and checks that yours matches. One caveat: like text-message codes, an app code typed into a phishing page can be relayed to the real site within its 30-second window, so still check that you are on the genuine site. We recommend using an authentication app as a secure way to protect your sensitive accounts.
Which authentication app should you consider?
Leading authentication apps are listed and at least cursorily reviewed in the sites below:
Android Authority’s 10 best two-factor authentication apps for Android
TrustRadius’ Authentication Systems
NY Times/Wirecutter’s The Best Two-Factor Authentication App
Apps listed by at least two of the review articles above include:
LastPass (a password manager that also serves as a 2FA app)
Personally, I use Authy, considered by some of the reviews as the best in class, though if you use Google apps or Microsoft apps, you may consider their respective authenticator.
There are some cautions when using authentication apps:
If you lose your phone or it breaks, you can't access the accounts you have protected with an authentication app until you restore the app on a replacement phone. Some apps offer an encrypted backup or a transfer to a new phone, so you can transition smoothly; set that up before you need it.
When you register an authentication app with a website, some sites offer a handful of reserve (backup) codes you can use when your phone is not usable. Each code works only once. By all means, save these backup codes somewhere safe (printed and locked away, or in your password manager), and not only on the phone itself, in case you lose access to your phone.
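As an added illustration of why backup codes are safe to keep around (again, not code from this blog or from any of the sites reviewed above), here is how a website typically handles them: each code is random, only a hash of it is stored, and the hash is erased the moment the code is accepted, so a code that has been used is worthless to a thief. The function names and the 16-character code format are choices made for this example.

```python
"""One-time backup (recovery) codes for 2FA: generate, store hashed, redeem once.
Added illustration; the code format and function names are choices made for this example."""
import hashlib
import hmac
import secrets


def _normalize(code):
    """Accept the code however the user typed it: case-insensitive, dashes and spaces ignored."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def generate_backup_codes(count=10):
    """Return (codes to show the user exactly once, set of hashes for the server to store).
    Each code carries 64 bits of randomness, so an unsalted SHA-256 of it cannot be brute-forced
    even if the stored hashes leak; the plaintext codes are never stored server-side."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)  # 16 hex characters
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    stored = {hashlib.sha256(_normalize(c).encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored, submitted):
    """Burn a backup code: accept it only if its hash is still unused, then remove the hash so
    the same code can never be accepted again. Comparison is constant time; a real server
    also rate-limits attempts."""
    digest = hashlib.sha256(_normalize(submitted).encode()).hexdigest()
    for h in list(stored):
        if hmac.compare_digest(h, digest):
            stored.remove(h)
            return True
    return False


if __name__ == "__main__":
    codes, stored = generate_backup_codes()
    print("Save these codes somewhere safe; they will not be shown again:")
    for c in codes:
        print(" ", c)
    print("first use accepted:", redeem_backup_code(stored, codes[0]))
    print("second use accepted:", redeem_backup_code(stored, codes[0]))
```

The one-time property is what makes it reasonable to write these codes down: a stolen list only helps an attacker for codes you have not yet spent, and you can revoke the whole list from the site and generate a new one at any time.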
Challenge questions are not a substitute for 2FA
Note that if you have set an option in your browser to delete all cookies when it closes, or if you delete cookies manually (see prior post, Delete Tracking Cookies), some sites can't remember that you already answered certain "challenge questions" that you set up upon account registration, such as your city of birth or the name of your high school, and will ask them again at each login. Such questions add a little friction for an attacker, but strictly speaking they do not constitute 2FA: both your password and the answers are in the category of "something you know," and 2FA entails two different categories. Worse, answers like a city of birth or a high school are often discoverable from public records or social media. So we still recommend using one of the 2FA solutions, preferably an authentication app.
Using 2FA vastly improves the odds of preventing someone from breaking into your online account. Implement one of the 2FA methods wherever possible, preferably using a 2FA app on your smartphone.