Two-factor authentication (2FA), a form of multi-factor authentication (MFA), is an authentication method that grants access to your online account only when two independent factors are presented: typically something you know (a password or PIN code) and something you have (a phone running an authenticator app, or a physical security key).
Simply put, it is like having 2 keys to 2 locks on the same door, and you need to unlock both locks to open the door.
How does it work?
We all know the standard username and password. 2FA adds a second step: a randomly generated one-time code produced by a device only you hold, so that a leaked or guessed password alone is no longer enough to log in.
When you enable 2FA, the service provider generates a random shared secret for your account. It is usually shown as a Base32 string of 16 to 32 characters, and more commonly as a QR code that you scan with an Authenticator app; both carry the same secret.
The Authenticator app stores this secret and combines it with the current time to compute a 6-digit code that changes every 30 seconds (the time-based one-time password scheme of RFC 6238). The code is not a shortened copy of the secret: it is derived from the secret and the clock, so someone who sees a code learns nothing about the secret itself. Note that for some service providers the length of the code and the interval at which it refreshes may differ.
Therefore, to log in to your online account, e.g. your Google account, you will need your username, your password, and the current 6-digit code.
How does this help?
With the rise in online breaches, leaks and hacks, a fixed password that on its own gives immediate access to your accounts is no longer safe: once it leaks, anyone who has it can log in.
2FA helps by adding another lock and key to your door, one whose key changes every 30 seconds, so a leaked password alone does not get the hacker in.
For which online accounts should I enable 2FA?
I recommend enabling 2FA for all online accounts, as long as the service provider offers 2FA. Most big-name service providers, such as Google, Dropbox, and Facebook, already offer 2FA, but there are still some services that do not.
Types of 2FA methods
The recommended way to enable 2FA is via an Authenticator app; however, some service providers only offer 2FA via other methods.
1. SMS or Email
Most banks and government services deliver their one-time password (OTP) via SMS because they do not let us keep the 2FA secret in an application. It is important to note that SMS delivery can be hijacked (for example by SIM swapping at the carrier, or by interception on the phone network), so it is not a safe channel for delivering 2FA codes. However, if SMS is the only channel an organization offers, it is still better to enable this 2FA method than to have none at all.
Other online services like Amazon deliver the OTP via email. You need access to your email account and will be locked out if it has been banned or locked. Furthermore, if a hacker has access to your email, they can read the OTP and get into your account despite your having enabled 2FA, and the same mailbox usually receives password-reset links too, so protect the email account itself first. Nevertheless, having 2FA set up is better than not having it set up. If the service provider only offers email OTP, use it.
2. Using an Authenticator app
Using an Authenticator app is one of the recommended ways to manage your 2FA: the secret never leaves your device and no code is sent over SMS or email, which removes the delivery channel as a target. Bear in mind that a time-based code can still be phished if you type it into a fake login page while it is valid, so always check the site address before entering it.
Authy (Free) is a cloud-based Authenticator app that keeps an encrypted backup of your 2FA secrets, so you can restore your codes if you change or lose your device. You can also set up the app on multiple devices, like your phone and your laptop.
Other Authenticator apps like Google Authenticator store the secrets on a single device and do not back them up to the cloud (newer versions of Google Authenticator can optionally sync them to your Google account). While it is still debatable whether cloud-based or locally-based Authenticator apps are more secure, I prefer to have a cloud-based backup for a start. This is because I am unsure if I will always have access to my 2FA codes without a cloud-based service. Whichever you choose, save the backup or recovery codes the provider shows when you enable 2FA, and keep them somewhere other than the phone.
Since 2FA is like a second key to the door of your digital world, you may not want to keep that key in too many places. You can choose to have your Authenticator app on either your phone or your iPad, but do not set it up on every device you possess (e.g. laptop, Apple Watch, etc.). This is a safety measure in case you lose a device, or one of them is infected by malware or a trojan without your knowledge. Keeping the Authenticator app isolated reduces the chance of your disclosing the secrets unwittingly.
2FA works best when the two factors live on separate devices, so that an attacker who compromises one device (say, the laptop you type your password on) does not also get the code generator. Since most of us have our phone with us all the time, we can still use online services on the phone, and when we are on the laptop we can easily read the 2FA code off the phone.
3. Hardware 2FA key
A hardware 2FA key is the safest way to secure your accounts, as logging in requires the physical key itself: it signs a challenge from the website, and a modern key (FIDO2/WebAuthn) ties that signature to the real site's address, so a phishing page cannot reuse it. This makes hacking your account almost impossible unless someone steals the key from you, and even then the key must be touched (and often unlocked with a PIN) to work. Fewer service providers support hardware keys than support Authenticator apps, though Google and a growing number of other large providers do. If you really have online accounts that must never be hacked, consider a hardware 2FA key such as a YubiKey from Yubico, and register a second key as a backup so that losing one does not lock you out.
Conclusion
Always enable 2FA for your online accounts if the service provider offers the option. Use an Authenticator app like Authy (or a hardware key where it is supported) and keep the app on as few devices as possible. The better you hide your second key (not under the flower pot), the harder it is for others to break into your digital house.