One way out of this sitch is to enable 2FA (two-factor authentication) on all your accounts to strengthen their security. That way, even if your password gets leaked or hacked, your account still won’t be accessible until the login is validated by the second factor (the 2FA verification token). But as it turns out, a lot of people don’t seem to be leveraging 2FA or are oblivious to its existence. So to make things simpler, here’s a guide on two-factor authentication with answers to some of the most common questions around 2FA.
What Is Two-Factor Authentication (2FA)?
Two-factor authentication, or 2FA, is a type of multi-factor authentication (MFA) mechanism that adds an extra layer of security to your account—a second factor, in the case of 2FA—to authenticate your logins. Typically, when you log in to an account using your username and password, the password serves as your first authentication factor, and it’s only after the service verifies that the entered password is correct that it lets you access your account. The problem with this approach is that it isn’t very secure: if someone gets hold of your account password, they can log in and use your account just as easily as you can. This is precisely where the need for a second factor comes into play.
A second factor, which can be set up in a few different ways, adds an additional layer of authentication to your account at login. With it enabled, after you enter the correct password for your account, you’re also required to enter a verification code, valid only for a limited time, to prove your identity. Only upon successful verification are you granted access to the account. Depending on the service implementing the mechanism, 2FA is sometimes also referred to as two-step verification (2SV), as in the case of Google. Besides the difference in name, however, the principle behind both remains the same.
How Does Two-Factor Authentication (2FA) Work?
As mentioned in the previous section, two-factor authentication involves the use of a second factor (in addition to the first factor, your password) to complete an identity check at login. To accomplish this, apps and services implementing 2FA require at least two of the following factors (or pieces of evidence) to be verified by the end user before they can log in and start using a service:
i. Knowledge – something that you know
ii. Possession – something that you have
iii. Inherence – something that you are
To give you a better idea of what constitutes these different factors: in most scenarios, the Knowledge factor is your account password or PIN, the Possession factor can be something like a USB security key or an authenticator fob, and the Inherence factor is your biometrics: fingerprint, retina, and so on. Once you have 2FA set up on an account, you’re required to present one of the other two factors, Possession or Inherence, in addition to the Knowledge factor, to verify your identity at login. Depending on what you want to protect and the service you’re using, you therefore get two options for your second authentication mechanism. You can use Possession: a physical security key or a code-generator app on your smartphone, which provides you with a one-time-use token that you enter to verify your identity. Or you can rely on Inherence: facial verification and the like, as offered by some services these days, as the second verification factor for your account.
Is Two-Factor Authentication Foolproof? Are There Any Disadvantages to Using 2FA?
Now that you have an understanding of what two-factor authentication is and how it works, let’s take a closer look at its implementation and the disadvantages (if any) of using it on your account. To begin, while the consensus among most experts around two-factor authentication is by and large positive and encourages people to enable 2FA on their accounts, there are certainly a few shortcomings in how the mechanism is implemented that prevent it from being a foolproof solution. These shortcomings (or rather vulnerabilities) are mostly a result of poor 2FA implementation by the services using it, which can be flawed on various levels.
To give you an idea of a weak (read: ineffective) 2FA implementation, consider a scenario where you have 2FA enabled on your account using your mobile number. In this setup, the service sends you an OTP over SMS that you’re required to enter to verify your identity. However, since the second factor travels over the carrier network in this situation, it’s exposed to various kinds of attacks and therefore isn’t secure in itself. As a result, such an implementation cannot be as effective as it should be at protecting your account.
Besides the above scenario, there are several other situations where 2FA could be vulnerable to attack. These include cases where a website or app incorporating the mechanism: verifies tokens incorrectly; lacks a rate limit, which can allow someone to brute-force their way into the account; allows the same OTP to be resent over and over; or relies on improper access control for backup codes, among others. All of these can lead to vulnerabilities that allow someone—with the right knowledge and skill set—to find their way around the poorly implemented 2FA mechanism and get access to the targeted account. Similarly, another scenario where 2FA can be problematic is when you use it negligently.
For instance, if you have two-factor authentication enabled on an account using a code-generator app and switch to a new device but forget to move the authenticator app to the new phone, you can be locked out of your account completely, and you might end up in a situation where it is hard to recover access. Another situation where 2FA can sometimes hurt you is when you use SMS to get your 2FA token. In this case, if you’re traveling and move to a place with poor connectivity, you might not receive the one-time-use token via SMS, which can render your account temporarily inaccessible. Not to mention the case where you change carriers and still have the old mobile number linked to different accounts for 2FA. With all that said, however, there’s one crucial factor at play here: since most of us are average internet users and don’t use our accounts for questionable purposes, it’s not very likely that a hacker will target our accounts. One of the obvious reasons for this is that an average user’s account isn’t tempting enough and doesn’t offer much to gain for someone to spend their time and energy carrying out an attack. In such a scenario, you end up getting the best out of 2FA security rather than running into some of its extreme disadvantages, as stated earlier. In short, the advantages of 2FA outweigh the disadvantages for the majority of users—granted you use it carefully.
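As an added example (not from the article), here is how the code-generator app described in the "How Does 2FA Work" section derives its token under RFC 6238 TOTP, together with a server-side verifier that closes the implementation gaps listed above: limited clock-skew tolerance, an attempt limit against brute force, and rejection of a code that has already been accepted. The key is the RFC 6238 test secret, not a real account secret; the TotpVerifier class, its parameter names and the limit of five attempts are choices made for this example.

```python
import hashlib
import hmac
import struct

# Constructed test key: the ASCII secret from the RFC 6238 test vectors, not a real account secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code-generator app runs HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one account (hypothetical class written for this example)."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1, max_attempts: int = 5):
        self.secret = secret
        self.step = step
        self.skew_steps = skew_steps        # accept codes from +/- this many time steps
        self.max_attempts = max_attempts    # rate limit: failures before the account locks
        self.failures = 0
        self.last_used_counter = -1         # highest counter already redeemed (replay guard)

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= self.max_attempts:
            return False                    # locked out: brute force can no longer continue
        counter = now // self.step
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if c <= self.last_used_counter:
                continue                    # code already used (or older than one that was)
            # compare_digest keeps the comparison constant-time
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_used_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, 59)                 # "287082": RFC 6238 vector for T=59
    print(code, v.verify(code, 59), v.verify(code, 59))   # True, then False (replay)
```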
Why Should You Use Two-Factor Authentication (2FA)?
As we sign up for more and more services online, we are, in some way, increasing the odds of getting our accounts compromised, unless, of course, there are security checks in place to ensure the security of these accounts and keep threats at bay. Over the past few years, data breaches at some popular services (with huge user bases) have leaked tons of user credentials (email addresses and passwords) online, which has put the security of millions of users worldwide at risk by enabling a hacker (or anyone with the know-how) to use the leaked credentials to access these accounts. While that in itself is a big concern, things get worse when these accounts do not have two-factor authentication in place, as that makes the whole process straightforward and unsophisticated for a hacker, allowing for an easy takeover.
However, if you employ two-factor authentication on your account, you end up with an extra layer of security that is difficult to bypass, since it uses the Possession factor (something only you have)—an OTP or an app- or fob-generated token—to verify your identity. As a matter of fact, accounts that require an extra step to get into are usually not the ones on attackers’ radar (especially in large-scale attacks) and are therefore comparatively more secure than the ones not employing 2FA. That said, there’s no denying that two-factor authentication does add an extra step at login. However, the security and peace of mind you get in return is unarguably worth the hassle. The scenario mentioned above is just one of the many instances where having 2FA enabled on your account can prove beneficial. Having said that, it’s worth mentioning again that, even though 2FA adds to your account’s security, it isn’t a foolproof solution either, and therefore needs to be implemented correctly by the service; not to mention proper setup at the user’s end, which should be done carefully (taking a backup of all the recovery codes) to make the mechanism work in your favor.
How to Implement Two-Factor Authentication (2FA)?
Depending on the account you want to secure with two-factor authentication, you have to follow a set of steps to enable 2FA on your account. Whether it’s popular social networking websites like Twitter, Facebook, and Instagram; messaging services like WhatsApp; or even your email account, these services do offer the ability to enable 2FA to improve your account security.
In our opinion, although using strong and unique passwords for all your different accounts is fundamental, you shouldn’t ignore two-factor authentication but rather take advantage of it whenever a service provides the functionality—especially for your Google account, which is linked to most of your other accounts as a recovery option. As for the best method to enable two-factor authentication, one of the most secure ways is to use a hardware key that generates codes at fixed intervals. However, for an average user, code-generator apps from the likes of Google, LastPass, and Authy should work perfectly fine too. Moreover, these days some password managers offer both a vault and a token generator, which makes it even more convenient. While most services require a similar set of steps to enable two-factor authentication, you can check out our guide on how to enable 2FA on your Google account and other social media websites to find out how to properly set up two-factor authentication on your account. And while you do that, make sure you have a copy of all the backup codes so that you don’t get locked out of your account in case you don’t receive tokens or lose access to the token generator.