You should use two-factor authentication on every account that offers it. Here's an explainer of what it is, and why you want it.
Update, April 2017: In light of the recent round of celebrity phone hacks, we have refreshed this page with the most relevant information.
You see a lot of talk on the internet about two-factor authentication (or 2FA as it's commonly called) but most times its just people like us telling you to use it. And we'll continue that trend and start this bit of prose by telling you to use 2FA whenever and wherever you can. But we're also going to let you know what it is, and why it's important that you use it. Read on.
What is two-factor authentication?
To put it in simple terms, 2FA means that you need to present two different things from two different sources that prove who you are. Generally, there are three different types of ID that can be used for 2FA purposes when it comes to online accounts:
- A thing that only you should know. Things like a password, a PIN, an account number, your street address or even the last four digits of your Social Security number fit the bill here.
- A thing that you can hold in your hands. This means your phone, an authenticator fob like this one or a USB security key.
- A thing that is part of you like your fingerprint, retina pattern or voice pattern.
When you have 2FA enabled on an account, you need two of these three things to get access.
You've been using 2FA for most of your adult life. The companies who process credit card payments for online retailers usually force you to enter the three-digit code on the back of your credit card as well as the card number, then provide the billing address. The numbers on the card (both front and back) are a way to make sure you have the card in your possession for the first method of authentication, then the address you provide has to match what the card issuer has on file as a second way to prove who you are. That's 2FA. Back when the world still used checks to pay for things, most businesses wanted two forms of physical ID from a well-recognized place like your state DMV or your school as a way to make sure you are the person whose name is on the top of the check. That's also 2FA. And to get those IDs usually requires multiple things from different places to prove who you are.
You've been using 2FA all along and probably didn't realize it.
Using 2FA for your online accounts is a little bit different, but still uses the same principle — if you can provide more than one method to prove who you are, you probably really are who you claim to be. For an account somewhere like Google, or Facebook or Amazon you need to supply a password. Your password is something only you should know, but sometimes other people can get hold of it. When you add a 2FA requirement — like an authentication token sent to your phone or a USB security key that you plug into your computer — a password is no longer enough to get into your account. Without both pieces of authentication, you're locked out.
Is two-factor authentication secure?
Yes and no. Using 2FA on an account is a lot more secure than not using it, but nothing is really secure. That scary thought aside, using 2FA is usually sufficient protection for your "stuff" unless you're a high-profile target or really unlucky.
Using 2FA is usually sufficient protection for your onlione accounts and services.
On the positive side, if you're using 2FA and some fake phishing email manages to get you to supply your password they still can't log into your account. The way most people use 2FA for online accounts is to have a token sent to an app on their phone and without that token, the email scammer isn't going to have any luck getting access. They will enter your account user name or ID, then the password, and then they need to supply that token to go any further. Unless they have your phone, the work involved in bypassing the second ID requirement is enough to get the bad guy to say "forget it!" and move to someone else.
On the other hand, if you are someone like President Obama or Mick Jagger, it's worth it to try and get into your accounts. And there are ways. The communication between the people supplying the authentication token and your phone are safe for the most part, so attackers go after the website or server asking for the credentials. Auth tokens and cookies can be hijacked by very clever folks, and as soon as one method gets patched they start looking for another. This takes a lot of knowledge and hard work so that means that the end result has to be worth it all. Chances are you and I aren't worth the trouble, so 2FA is a good way to secure our accounts.
How do I use two-factor authentication?
It's easier than you might think!
Setting up 2FA on an account is a three step process. You need to provide your current credentials by typing in your password again (this helps keep someone else from adding it to your account), even if you're currently logged into the service. Then you go into the account settings and enable 2FA on your account. This lets the server that manages your login know that you want to enable it, and they will get everything ready on their end after they ask what type of authentication you will be using — most common are codes sent to your phone as an SMS message or through an authenticator application. Finally, you affirm the change by supplying a token back to the server. If you're using an app this might be a barcode you have to scan or manually entering some information into the app. If you chose to use SMS a code will be sent that you need to enter on the website to finish things up.
The next step happens when you want to log into that account again. You'll enter a username or ID, then a password, and then be asked to supply an authentication number. That number is sent as an SMS if that's how you set things up, or in the app on your phone if you decided to go that route. You type that number into the text field and you have access.
Most services will store an authentication token on your phone or computer, so the next time you want to log in you won't have to supply the code again. But if you want to set up access from another place, you'll need a code.
The process for each service that offers 2FA will be slightly different, but this is a good example of how things will work.
Wrapping it up
Now that you know a little more about 2FA, we hope you're inspired to set it up and use it wherever you can. Most popular services — Google, Facebook, Twitter, Amazon, Steam and more — offer 2FA. It's fairly easy to set up and the peace of mind you'll have makes it well worth it.