2FA or Not 2FA... There is No Question
February 25, 2021
#100Days (Day 6/100)
Two-Factor Authentication. That's what 2FA stands for in case you were wondering. Some may refer to it as Multi-factor authentication (MFA), but it's really just a component of that. If you're not using 2FA, you are wrong. Sorry, that's just a fact. Let's get into it...
In layman's terms, 2FA is a digital authentication method in which a user is granted access to a computer, website, or application only after successfully presenting two or more pieces of "evidence" (or factors). This is typically something the user knows, such as a username & password or PIN, and something the user has, such as a security token, a phone, USB stick, key, etc.
If you are not currently using 2FA for all systems and services that offer it, you are leaving yourself exposed to hackers and other digital attackers. Passwords are no longer enough by themselves. Even complex passwords won't stop a determined hacker.
I certainly hope you aren't using passwords like "2020sucked" or "qwerty". A novice hacker can thwart those in about 2.3 seconds. According to security experts, some of the most common passwords used are "Password" and "123456". I'm not even kidding. If you have passwords like that, and you're not using 2FA, you are begging to be hacked. It's just a matter of time.
Don't misunderstand me... Even with 2FA, please do NOT use passwords like that!
I urge everyone to use strong passwords as well as 2FA. And where 2FA is not offered, you better be using an extremely strong password. That means a minimum of 14-16 characters long, with upper case, lower case, numbers and special characters. Then ask yourself why you are doing business with a company that doesn't offer 2FA. 🤔 Unsure about your password strength? Check it here or here.
So how does this 2FA thing work anyway?
Let's go with a basic example... Your bank. Hopefully they offer 2FA for your account, but they do it via SMS text messaging to your phone. Assuming it's already enabled, you go to the bank website and click Login. You enter your username and password, and click Next. The bank then sends a text message to your mobile phone with a random 6-digit number and waits for you to enter it on their website. If you enter the correct number, you're in.
So a hacker attempting to break into your online bank account would need your username, password, AND your mobile phone in order to retrieve the random 6-digit code sent by the bank. They might be able to get your username & password as part of a data breach or brute force attack, but it's not very likely they will also have access to your phone.
Or is it?
My SMS text message example is a bad one. Using SMS for 2FA is the least secure method of 2FA. Why? Because mobile phone numbers can easily be stolen, or copied, through a hack called a SIM swap. Google it.
A stronger 2FA method is to use something called an Authenticator app. This is an application typically installed on your mobile device or computer. When you enable 2FA on one of your accounts, if an authenticator is offered as an option, you will go through steps to register your account with your authenticator app of choice. Often, this is as simple as scanning a QR code with the camera on your phone. Then you will be asked to enter the next 6-digit code generated by your authenticator app into your account settings. If everything matches up, you now have 2FA enabled on your account. The next time you log in to your account, you'll be asked to enter the random 6-digit code currently displayed on your app. Typically the number changes every 60 seconds.
Be careful when setting up 2FA and carefully read the instructions. If you do something wrong and lock yourself out of your account, it can be difficult (and sometimes impossible) to get back in!
There are many authenticator applications out there. Some are free, some cost money or are built into other apps such as password managers. One very popular option you've probably seen mentioned is Google Authenticator. Unfortunately, I would not recommend you use this one anymore. Although Google was a pioneer in this space, the development of their authenticator app has fallen behind in features and functionality, and it is no longer considered a safe choice.
My recommendation is to always look for open source software, so I suggest any of the following authenticator apps:
- Bitwarden - which also happens to be the best password manager available (IMHO)
- I'll be writing an article soon about my love for Bitwarden!
- Aegis Authenticator
- Standard Notes (with their TokenVault extension)
- andOTP (Android only)
Personally, I use Bitwarden, and Standard Notes. There is method (and necessity) to my madness. I may write a future post on my setup and why I use multiple 2FA methods.
I realize this article is just scratching the surface regarding online digital security and 2FA. There are many more methods of Multi-factor authentication that are much more secure. Some even involve location data, voice pattern recognition, and other forms of biometrics. But with each layer of security added, complexity increases and convenience decreases dramatically.
My fear is, once quantum computers become mainstream, our whole world changes. Passwords and multi-factor authentication, as we know it today, will become a thing of the past. Quantum computers will be able to do in seconds what would normally take experienced hackers days, weeks, months, or even years to accomplish. I'm not sure what our digital lives will look like then, but it will be vastly different. Who knows, we may end up having to prove our identities using DNA.
In the meantime, please consider enabling 2FA on all your accounts that offer it. If you're unsure, check your account security settings, search the online help, or ask customer support. Generally, most banks and other financial institutions now offer it. But it's also widely available across all major online services. Here are just a few that come to mind:
- Cash App
- Standard Notes
- Every password manager worth using
- And many more...
For a much deeper dive on 2FA, check out this Two Factor Auth handbook from BrainStation.
BONUS: How Big is Your Haystack? - This is a very interesting read with a neat trick to make your passwords incredibly strong while also being easier to remember. 🤓