What is 2FA and why should you use it?
You may have come across articles about recent data breaches for major companies and somewhere in the midst of words were tips for protecting yourself that included turning on ‘2FA’.
That’s a solid tip to be sure, but helps very little if we don’t understand what it is, how to use it, and what type might be the best solution for our needs.
Going from the Wizenary entry above, 2FA, or two-factor authentication (also known as multi-factor or MFA) involves utilizing two different methods for proving you are who you say you are for any particular online account. For instance, to log in to a Google account, not only do I provide my password but Google also sends me a message to my mobile asking me to confirm it’s really me logging in. Easy peasy.
But if we already have a (hopefully) strong and unique password, why should we bother with yet another step to logging in? Well, as technology grows so do the opportunities for criminal innovation and as such a password alone no longer suffices.
As technology grows so do the opportunities for criminal innovation, and as such, a password alone no longer suffices.
Attacks That 2FA helps prevent
There’s a few different innovative methods that cyber criminals employ when just a single password is the only barrier for entry. These include:
-
Brute Force - Essentially, this attack uses trial and error of multiple combinations for passwords until a match is found. I like to think of it as if someone found the janitor's massive ring of keys and goes door to door trying keys until a door opens.
-
Stolen password - Compromised account credentials such as - emails and passwords - are sold on the dark web where others with a penchant for an easy buck purchase the data to use those stolen passwords to ‘try the lock’ for various accounts hoping for an easy entry.
-
Phishing - It can come in many forms but regardless if via email, SMS, or voice, in all methods you receive a message with a link that seems legitimate. This nefarious link will either be loaded with malware or will take you to a site that imitates a legitimate brand asking you to log in. Once you log in, your credentials entered on the fake site are now in possession of the criminal ne’er-do-well.
-
Social engineering - This method typically involves interaction with a live person whether over the phone or via text or email. They establish trust in a back and forth conversation either through spoofing someone in your contact list or establishing themselves as an authority (a rep from the bank or other institution). At some point they get you to click a link (see ‘phishing’ above) to enter credentials or simply ask you for your information outright.
-
Key logging - This method logs a user’s keystrokes meaning whatever is typed is being monitored and recorded. There are actually legal and purposeful uses of such technology when done with the User’s consent for a specific legal purpose. However, as you’ve guessed that is not the purpose from a criminal mind and this type of software can be used to gain access to sensitive passwords and other types of data.
You may be feeling a bit uneasy learning all the potential attacks that are employed to the unsuspecting user - and rightfully so. Rest assured that simply becoming aware already increases your online safety savvy - now let’s increase it further by understanding a little more about 2FA and how it works.
What types of 2FA are there?
There’s actually quite a few different options for choosing your second line of verification. Depending on the website, some will give you a choice of several while others may only offer one or two options to select from. As can be expected, some are more secure than others and when you have the choice, knowing the difference can help you decide. Let’s review what the various 2FA options include:
-
SMS - Getting a code texted to your phone is probably the most common form of 2FA, however, it’s known to be one of the less secure methods for 2FA as it’s relatively easy to spoof a trusted number from a retailer or personal contact. That said, most cybersecurity professionals agree that using SMS for 2FA still beats having nothing in place at all.
-
Email - Getting a code by email is another option commonly provided for 2FA. Some prefer this as it is easy to implement, does not require additional setup nor does it request that the user give over more personally identifiable info (PII) such as a phone number. Email 2FA is good for protecting accounts against brute force attacks and credential stuffing.
The drawback of using email for a second factor as verification is that an attacker needs only to compromise one source to gain access to your verification method (your inbox) and take over your related accounts. However, this can be mitigated to a degree by ensuring your email has a strong, unique password that is not reused for other accounts as well as doing regular security check ups like the ones Google and other email providers feature periodically.
-
Biometrics - Just as the term implies, this method utilizes a person’s unique physical biological traits - such as one’s fingerprint, facial features or voice - to verify your identity as that second factor. While biometric authentication has been around commercially for a couple of decades, its adoption did not take off until it was integrated more with mobile phones, the first reported back in 2011.
While it’s definitely a thing from sci-fi movies of the past, reality is using biometrics is not without its pros and cons.
One definite pro to using biometrics includes its convenience and efficiency, overcoming two of the bigger barriers overall to higher adoption of 2FA.
Cons, however, include that not all devices are equipped with the technology as well as changes to your biological makeup - for instance a wound on a finger or a congested voice - can alter the fingerprint/vocals so that the reader won’t recognize the variants to, well, you!
Also, there are more than one antagonist to the wholesale adoption of biometrics for security. Their concern includes the perspective that while biometrics are unique to an individual, it's not ‘unhackable’ (as nothing truly is) and once an individual’s very personal identity is compromised how does one ever get control of that again? Points to ponder, to be sure.
-
Voice - With the rise of the ‘digital assistant’ with Siri and Alexa and the like, voice activated authentication has been around for quite some time according to Bio-Key.com. The unique identifiers in this case being, of course, one’s own voice print. This type, along with other bio-factor methods, are reportedly preferred due to the ease of adoption and convenience while the above cons still exist.
-
Hardware token - This type of verification requires a physical device that is typically small and may be plugged into your computer, or it may resemble a credit card. The device either contains a display that shows a code which changes every 30-60 seconds or it auto-generates a code when connected or scanned directly and verifies the device.
According to the National Institute of Standards and Technology, this form of verification may be a good idea for key figures in an organization such as senior executives and system administrators.
Given its small size, however, can contribute to it being lost or misplaced easily which is definitely a con, not to mention it is not well-suited for mass deployment for larger organizations as it can get pricey to do so.
-
Software token - Finally, we arrive at the software token which is a program or app that generates a time-based one-time passcode (or TOTP). Essentially, this app generates a unique identifier that changes every 60 seconds. It can be installed on desktop or mobile devices and is pretty much able to work even offline.
The way the app is used is first a user would enter their username and password as usual and then is prompted to enter the unique code generated by the software token. Once the code is confirmed (usually a mere second or two) access to the account is granted and off you go about your task.
A big security plus is the fact that the code is generated on the same device it displays on - meaning no data is transferred from one location to another - thus eliminating opportunity for attackers to intercept and compromise it.
Setting up a software token usually is a simple process that takes less than a couple of minutes. The biggest hurdle is educating oneself to ensure recovery codes are properly set up in case access to your device is lost, whether from device malfunction, loss or theft. Once this step is taken care of, the authenticator method is one of the most recommended and secure options for enabling 2FA for regular users.
Another name for a software token is an authenticator app - and we’ll look at a few more in depth below.
Once this step is taken care of, the authenticator method is one of the most recommended and secure options for enabling 2FA for regular users.
An important point to note for anyone feeling a little apprehensive about how complicated using 2FA is is that in reality once you’ve set it up and used it for the first time, the account usually remembers your device. The 2FA prompt only occurs again whenever a new device is detected that it does not recognize.
So while it may take a little getting used it, the reality is the small effort involved on occasion is well worth it considering the major security boost you give yourself by using it. And if you want a quick start guide to finding where to enable 2FA on some of the more common sites, see the quick guide below!
There’s an (Authenticator) App for that
As mentioned, one of the more secure methods for enabling 2FA for your device for the regular user is via an authenticator app. When you’re looking for which app to use, it’s a good idea to consider if it provides backups, what type of security it has among other considerations. Below is a quick overview of a few authenticator apps available and some of the highlights of each. Let’s get started.
-
Google Authenticator - Ah, Google. The Walmart of the digital plane. This app for 2FA is easy to use and works as advertised. A few cons include single-device support, there is no lock or passcode for the app itself which is less than ideal as it’s the keeper of all your account 2FA, and the fact there is no backup for the app so that if you lose your phone (or it dies on you never to be revived) you better be sure you’ve downloaded and saved the Recovery codes for each account you authenticated with Google Authenticator.
-
Microsoft Authenticator - According to a few reviews Microsoft’s authenticator app is as easy to use and set up as Google’s but one drawback noted on one review site is that it lacks third-party integrations with other apps so it cannot be used as widely across accounts.
-
Authy - Authy is available across OS systems so it’s available for both Android and Apple stores and is easy to set up. A pro for Authy is that it also has a User account so it uses a code to login to it and additionally provides built-in backup and recovery in case you lose access to your primary device with Authy installed. As the author of this article can sorely attest, you don’t want to learn this lesson the hard way with an authenticator app that doesn’t 🙃
-
2FAS - Also allows for sync across devices and works for both iOS and Android and also allows for biometric ID access. An update from Nov 2021 stated they are in the process of developing a
-
DUO - An authenticator app provided by Cisco Secure, it allows for more than one type of verification method and additionally works with smart watches as well as mobile devices. Another plus for larger organizations is that it seems to be scalable for companies with many employees and has other features as well such as geo-locking and works in hybrid environments.
-
Aegis Authenticator - An open source app, Aegis provides extra security with the ability to lock the app through a PIN, password or fingerprint which can give users concerned about all their 2FA ‘keys’ in one location a little more piece of mind. It also allows the ability to import from other authenticator apps if moving devices and provides account backup.
-
LastPass Authenticator - You may recognize the name if you’re familiar with password managers as LastPass is known most commonly as a password manager. However, for businesses it also provides its own 2FA solution to help teams meet compliance requirements while also keep accounts safer. It does not appear the 2FA feature is available for individual, family or teams plans at this time but only for Business plans.
When one considers all the accounts we use on a daily basis, turning on 2FA for all your accounts can seem a bit tedious and time consuming. Keep it simple.
First prioritize those accounts that are most sensitive and start there (for example, your financial institutions and main email accounts and most critical social media). As you get into the habit of utilizing 2FA then add more accounts.
If you’d like a little quick start to get begin securing your accounts, we know some companies make navigating to find where to enable 2FA a bit of a wild goose chase. We did the leg work for you in our guide for some of the more commonly used accounts here to reduce the headache and get you on your way to being more secure!
Finally, it's important to remember that taking precautions like utilizing 2FA or MFA doesn't make you invulnerable - there are methods around MFA - but like buckling up, wearing our helmet and looking both ways before we cross the street, two-factor authentication greatly reduces risk for you to enjoy roaming about the internet as safely as possible while making your valued accounts more difficult to hack.
Ayelet HaShachar Penrod
An enthusiastic security awareness advocate as a result of the past two years connecting with and listening to the many passionate voices in cybersecurity as a marketer in the field - that passion rubbed off. Now I'm excited to bring my own awareness learning and perspective to help further Wizer's mission to make security awareness accessible to the individual, the small business owner, the non-profit, the enterprise organization and, well, every one.