Many people have heard of 2FA (Two-Factor Authentication); some may have used it before. However, this article is for those who don’t use 2FA—and why you should.
Far too often people have their accounts compromised due to weak passwords (or reusing the same password across multiple accounts/devices). While reusing passwords is definitely not a good idea, it is my intention to ensure that our readers' accounts are secure, regardless of the password methodology used.
Why should I use 2FA?
Before getting into 2FA itself, I want to provide basic reasoning on why you should use it. Perhaps the best example of when 2FA could have stopped a system from being compromised comes from one of the biggest financial companies in the world. In August 2014, J.P. Morgan Chase had a server compromised. That foothold provided access to 90+ other company servers and multiple gigabytes of checking and savings account data. The entry point was simple: a single username and password stolen by malware on an employee’s system. Most of J.P. Morgan’s servers already used 2FA, but for an unknown reason the server used for entry didn’t have it enabled.
Another example from my own experience is far less major but could have been avoided. An open source project I was involved with had a repo on GitHub which was deleted in an attack. Someone had targeted one of the project admins who didn’t have 2FA enabled—they simply got ahold of the password, the username being already available on GitHub through the user’s profile.
What is Two-Factor Authentication?
Now that we’ve been over some reasons why 2FA should be used, let’s understand what it really is. In concept, 2FA is actually quite simple. A user’s mobile phone number is linked to their account, and any time they log in from a device that doesn’t have a cookie stored marking it as trusted, they’re prompted for a security code. This code is either sent to the mobile phone via a text message or read from an app on their phone that is designed to generate these codes. In this way, even if a user’s password is compromised, someone still needs their phone to access their account.
Downfalls of 2FA
Pretty simple, right? The biggest downfall of 2FA is that if you lose your phone you can’t access your accounts without it (potentially locking a user out of an account permanently). Thankfully, there’s a simple solution for this as well. Whenever you set up 2FA on an account (say Google, Dropbox, or anyone else) they provide a list of several override codes for 2FA. These codes can be used at any time to gain access to your account—without having your phone. Simply put, if you enable 2FA, always make sure to print off the override codes and store them in a safe, secure place. Don’t just save them somewhere on your machine, as that can be compromised or lost in a data failure. Personally, I’m fond of fireproof lock boxes or safes. That way, you know where they are and they have a lower chance of being compromised or damaged.
A few sites that provide 2FA don’t allow the use of applications to generate the auth codes. Instead they restrict you to using SMS. For the sites that do allow you to use an application, I recommend that you do so. The Authy app is my personal favorite and can be set up to work on a tablet if you don’t want to use your cell phone; it’s free and easy to use with a large number of accounts. Google, Microsoft and LastPass all provide similar apps, which can be used for the same purpose. I found Authy to be more friendly than Google’s or LastPass’ apps, but I have not used Microsoft’s app. Whichever app you decide to use, you can rest soundly knowing that your accounts cannot be accessed just by obtaining your password.
Do you use 2FA or have a horror story about an account being compromised because you weren’t using 2FA? Let us know in the comments!