Everyday Security in an Online World

Use Two-Factor Authentication

The problem with passwords

For many years we’ve used passwords to prove our identity when logging into apps and websites. The idea is, of course, that since your passwords are known only to you, your accounts and data are kept private.

And this remains generally true: in order for someone else to get into one of your accounts, they’d need to know your password. The trouble is, this isn’t as unlikely as you might think.

As you learned in the previous chapter, the secrecy of a password can be compromised in several ways:

So, as we depend increasingly on online transactions, and store more of our data in the cloud, the idea of only a humble password standing between hackers and our private information is worrying.

In summary, it’s not that passwords don’t do what they’re meant to — it’s that the chance of a stranger obtaining one of your passwords, and the consequences if they do, create an unacceptable risk.

Second factors

With two-factor authentication (2FA) in place, your password is only half of what you need to log into an account. You also need a second factor, such as:

Each of these has advantages and disadvantages. For example, text messages are really easy, but sometimes you’re in a place where you can’t get a phone signal; and in rare cases, they can be intercepted. A USB device works anywhere, but is tiny and easy to lose if you’re not careful.

Authenticator apps

A good balance of usability and security can be had with an app on your smartphone called an authenticator:

Choosing an app

Many authenticator apps are available, but you only need one because almost all websites use a common standard. For example, Microsoft Authenticator isn’t limited to making codes for your Microsoft account: you can add your Google account too, and others like Amazon and Facebook. Equally, Google Authenticator can make codes for your Microsoft account and more.

Setting it up

Adding your various accounts to your authenticator app can be quite tedious, so I recommend doing it over a period of days or weeks. Your email and social media accounts are most important, because they’re valuable prizes for hackers, so do those first:

  1. Visit the website on another device, like a computer or tablet, and find the page for managing your account. The link is typically in the top-right corner, with an icon of a person’s head, the initial of your name, or your profile picture.
  2. Find the option to turn on two-factor authentication. It should be under a heading like ‘security’ or ‘sign-in options’. Some websites call it two-step verification (2SV) or multi-factor authentication (MFA).

  3. Choose the option to use an app, and the website will show a QR code. In the authenticator app on your phone, go to add an account, and scan the QR code with your phone’s camera.
  4. A short numeric code appears on your phone, and the website (on your computer or tablet) asks you for it. Type the code into the space provided to confirm that the account is working with your authenticator.

Logging in

When you return to log in the same website in future, it will first request your password as normal. Then it will ask for the code currently displayed in your authenticator. This changes periodically, usually every thirty seconds.

The code must be used within a certain amount of time – though there’s a leeway after it changes, if you haven’t finished typing it – and each code can be used only once. In fact, its proper name is a one-time password (OTP) or one-time passcode.

Authenticator apps generate codes mathematically based on the current date and time and a longer, pre-agreed secret that was passed from the website to your phone via the QR code. To allow for inaccurate clocks, it usually doesn’t matter if you enter a code that’s very recently lapsed or, if your clock is fast, one that’s been generated a bit early.

Trusted devices

A site may offer to remember or ‘trust’ your particular computer, tablet or phone so you don’t suffer the inconvenience of two-factor authentication every time you log in. In fact, on a device used only by you, there’s no need to ever log out of your email or other accounts — provided the device itself is locked with a password or PIN when unattended.

So it may be the case that you rarely get asked for an OTP. Your account is still protected, and if someone tried to break into it from a different device, they’d be thwarted by the two-factor authentication — even if they knew your password. This is the ideal kind of security: minimum fuss for you, and maximum frustration for criminals.

Another benefit of trusted devices is that you can sometimes use one to authenticate another. For example, if your phone runs the Android operating system and you also buy an Android tablet, the phone might show a question like ‘Are you trying to sign into a tablet right now?’ and you can choose ‘Yes, it's me’, skipping the need for an OTP or even your password.

Alternative second factors

Not everyone has a smartphone, and it’s likely that for the foreseeable future most services will continue to offer text message or phone call verification as a second factor.

In fact, even when you do use an authenticator, it’s common to register your phone number with a website so that if your app is unavailable you can still perform two-factor authentication. The principle is the same, but the OTP is sent to you via text message or read to you in a voice call.

Recovery codes

As a final precaution against getting locked out of your own account, many services also offer a printable recovery code or codes. Keep these safe with other important paperwork, so you know where to find them in the hopefully unlikely event that you lose your phone and can’t get an OTP via any method.

What you can do

If you found this useful, you can support my work by buying me a coffee.