How two-factor authentication can protect you from account hacks

If you find passwords frustrating, two-factor authentication probably won’t get much love. But security experts say using two-factor authentication is one of the best ways to protect your online accounts from even the most sophisticated hackers.

Two-factor authentication adds another factor of authentication to your usual log-in process on top of your password, hence the name. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day, if that.

Two-factor authentication (sometimes called “two-step verification”) combines something you know, such as your username and password — with something you own, such as your phone or a physical security key, or even something you have — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in.

You might not have thought much about it, but you do this more than you might realize. Whenever you withdraw cash from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Simply put, having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor authentication important?

Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there’s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing,” “password spraying”, or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Cell networks, retail giants, grocery delivery services, music streaming sites, and even tech giants like Cisco and Apple’s iCloud service aren’t immune.

Only accounts with two-factor authentication are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a suspicious-looking email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

A three-step illustration of how two-factor authentication works, from entering your account password to receiving and entering a code sent to your phone.

A three-step illustration of how two-factor authentication works, from entering your account password to receiving and entering a code sent to your phone. Image: Getty Images

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the company’s server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Even if you want to secure all of your accounts, you may find some sites and services don’t support two-factor. But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

1. A text message code:

The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, but cell service is required. It’s easy to use and set-up, but two-factor by text message is the least secure method. Hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, text messages are also prone to leaking. Plus, if your phone is lost or stolen, an attacker could request a two-factor code and access your accounts. A text message code is far, far better than not using two-factor at all, but there are far more secure options.

2. An authenticator app:

This works similarly to the text message, except you’ll have to install an app on your smartphone. Anytime you need a two-factor code, you can get one from your app. Authenticator apps even work offline and don’t require a cell or internet connection. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an encrypted connection, making it nearly-impossible for anyone to steal your two-factor code before you use it. If you use iOS 15 or later, you already have a two-factor authenticator built-in to your iPhone.

3. Using biometrics:

Using your face, eye, or fingerprint is a common way to unlock your devices, but it’s also increasingly used as a method for websites to check that you are who you say you are. Often these biometric-based two-factor options are built into your device, such as your computer or phone, to scan your face or fingerprint.

4. A physical security key:

Last but not least, a physical security key is considered the strongest of all two-factor authentication methods. Security keys often look like USB stick-sized devices that are small enough to fit on a keyring. You may not even need one since newer Android devices and iPhones have the hardware feature built-in. These security keys contain unique cryptographic code that tells a website or a service that it’s you logging in. After entering your password, you are prompted to insert the security key into your device. And that’s it! Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers. Google’s own data shows it hasn’t had a single confirmed account breach since rolling out security keys to its staff.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikeys are the gold standard of security keys.

There are a few things to note, though. Not all sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google, and Twitter. Once you set up a physical key, this will often become the only way to log-in — you likely won’t be able to revert to a lesser-secure way of logging in, like a fingerprint or a two-factor code. You may also need to buy two security keys, with one stored in a safe place as a backup. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. That’s why it’s important to save any backup codes you might be given in your password manager in the event of account lock-outs.

If after all this your favorite site or service still doesn’t use two-factor authentication, you should tell them! If it’s a site or service that you cannot avoid, consider using a very long, unique password that is not used anywhere else. This reduces, though does not eliminate, the risk of someone compromising your accounts unless they breach the site or service itself.

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s fairly straightforward. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.

Cybersecurity 101 - TechCrunch