Clearing up some 2FA myths.
You mean I have to do this every time I sign in?
If someone gets my second factor, does that mean they can just waltz into my account?
If I lose my second factor, doesn’t that mean I’m locked out forever?
Can’t a second factor be faked/spoofed/intercepted, and doesn’t that make it worthless?
I don’t have or want a mobile phone, so I can’t use two-factor.
There’s a lot of misinformation around two-factor authentication. This can lead people to avoid it, even though it’s one of the most effective ways to secure their online accounts.
I want to clear up some of the myths around two-factor authentication. It’s not nearly as confusing or as scary as you might think it is.
Become a Patron of Ask Leo! and go ad-free!
Two-factor myths busted
Two-factor authentication (2FA) adds a second check (something you have) to your password (something you know). You only use it when signing in on a new device or browser. Losing the second factor isn’t fatal: backup codes, recovery options, or spare keys get you back in. 2FA blocks almost all hacks. I encourage you to enable it everywhere.
What is two-factor?
First, we have to define what we mean by two-factor authentication (2FA), which is sometimes referred to as multi-factor authentication (MFA).
Traditionally, you sign into an online account with a username and password. These are things you know. By keeping the password secret, your ability to provide it theoretically proves that you are you and should be allowed into the account.
A second factor is typically something you have.1 For example, after 2FA is set up, after entering your username and password, you might be asked to prove you have access to your mobile device by entering a code that was sent to it. (I’ll discuss other forms of 2FA below. Not all require a mobile device.) Your ability to provide the code that was sent to your device proves you possess the physical device, your second factor.
Two factors got you into your account: something you know (your password) and something you have (your device).
Requiring that second factor adds security because even if a hacker somehow learns your password, they still can’t get into your account because they don’t have your second factor.
It’s NOT every time
Two-factor authentication is used only once2: the first time you sign in to an account on your computer. After that, your device becomes “trusted”, and signing in later requires only your password, as before.
Of course, it’s not quite that simple. Two-factor may kick in:
- The first time you sign in using a different browser.
- The first time you sign in on a different machine.
- The first time you sign in after clearing cookies.
- After some length of time defined by the service you’re signing into; for example, after 30 days.
- If the service you’re signing into detects “suspicious” activity on your account.
Those are rare, though, so in practice, you need to use two-factor only occasionally; certainly not every time you sign in.
Every sign-in from a hacker meets the “first time you sign in on a different browser/machine” criteria. Thus, they’ll always be asked to provide your second factor, which they don’t have.
A second factor alone is not enough
Remember, it’s two-factor authentication. You need both your password and your second factor to sign in that first time.
That means having your second factor fall into the hands of a hacker is an issue only if they also know your password.
The people who might find (or steal) your second factor are rarely the same people who might gain access to your password. The former, of course, need to be close enough to get their hands on the factor, and the latter are typically overseas working their scams.
If you lose your second factor, you can quickly disconnect it from your account by signing into the account and turning off or changing the existing two-factor configuration.
Related
Another Way to Protect Yourself From 2FA Loss
A little bit of preparation when you set it up can make losing your Google Authenticator 2FA device a minor inconvenience.#167669
Losing your second factor is an inconvenience, not a disaster
If you lose your second factor, you will not be locked out of your account.
There are two safety nets in place, plus a third if you take additional steps.
Backup codes. First, when you set up two-factor authorization for an account, you’ll be prompted to create and/or save a set of backup codes. Each of these codes can be used once in place of your second factor. Once you sign in, you can temporarily turn off 2FA or change it to a replacement device. The backup codes need to be stored securely, but as long as they’re accessible to you, you can always get back into your account.
Account recovery. Second, services offer many account recovery techniques (AKA “I forgot my password”) to confirm you are who you say you are without your second factor. They may send an email message to an associated recovery account, a text message to a different recovery phone number, or any of several pre-configured recovery options. After you jump through these additional hoops, the service may accept your sign-in without the second factor. This doesn’t invalidate 2FA as a security measure, because a hacker would have had to jump through all those hoops as well, which is extremely unlikely. Your ability to do so proves you are you.
A second second factor. There’s a third safety net you can set up yourself ahead of time: an additional second factor. When using hardware keys as 2FA (see below), it’s common to set up two keys, keeping one in a safe place as a backup. In that same vein, you could set up both SMS and app-based 2FA such that either could be used in the event the other is lost.
In all cases, and as long as you prepare (which most services require), losing your second factor is an inconvenience at worst.
Related
Beware the Middleman: How Your 2FA Could Be Compromised
Some forms of two factor authentication have vulnerabilities. Here's how to avoid it.#169710
Two-factor spoofing
There is no such thing as perfect security. Period.
That means that it is possible for hackers to spoof or bypass two-factor authentication in some situations. The two most common:
- Mobile numbers can be stolen (AKA “sim swapping”), redirecting all SMS messages to the hacker.
- Successful phishing attacks can intercept two-factor codes in real time.
#1 requires you to be individually targeted, and you can set up a PIN with your mobile provider to prevent unauthorized reassignment. For #2, you can pay close attention to signs of phishing to avoid being lured down this path.
Both of these spoofing techniques are rare and preventable. Any two-factor authentication is better than no two-factor authentication.
By using 2FA, you are stacking the odds in your favor, making it significantly less likely your account will be compromised.
Related
Why ANY Two-Factor Is Better than No Two-Factor
Headlines are proclaiming that two-factor authentication has been hacked. That in no way means you shouldn't use it. Your account is still much safer with two-factor enabled.#70786
Second factors
You don’t always need a mobile phone or a smart device.
This varies based on the online provider with which you’re setting up two-factor authentication, but often services allow a variety of devices to be used. These may include:
- A smartphone to run a TOTP (Time-based One Time Password) two-factor authentication app or service-specific authentication app.
- A mobile phone to receive SMS text messages.
- Any phone to receive codes via automated voice (sadly, this is rare).
- Email addresses unrelated to the account using 2FA. Your ability to receive a code, for example, at a specific pre-configured email address, can act as a second factor.
- Hardware keys such as the YubiKey.
- Any other device already signed into the account that can present a “Is this you signing in on that other device?” approval message.
- Your device’s camera or fingerprint reader.
I’ve seen each of these act as a second factor on various services. Which ones are offered is up to each service.
Why bother with all this?
To be clear, 2FA is very little bother. The only thing that really changes after you set it up is that the first time you sign in to a new device or browser, you need to use your second factor. After that, it’s the same sign-in process as before.
Password-based compromise happens daily. Due to bad passwords (which of course you don’t use — right?), malware, brute-force attacks, breaches, or other forms of compromise, accounts are hacked often. Two-factor stops 99%3 of these attempts dead in their tracks.
2FA provides peace of mind.
Do this
Take a few minutes right now and set up two-factor authentication on every account you have that supports it. Start with your password manager and then your email, financial, and social media accounts. Take care to follow the instructions carefully and create/save the backup codes you’ll be instructed to set up.
A few minutes today could save you a giant headache in the future.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Footnotes & References
1: A different type of second (or third) factor can be something you are, meaning some physical characteristic about you, such as your face, fingerprint, iris, or something else.
2: As always, there are exceptions. “Never say never” and all that. But in general, and especially for consumer accounts, 2FA is required only the first time.
3: OK, I made that up, but honestly, I expect the real number to be more like 99.99%.
My problem is that I don’t have a cell phone. While more and more services are starting to add additional options, it’s amazing how many still rely on a cell phone number to text a code to (and that’s the only option they provide). The other day, we were creating a Yahoo! email account for my daughter. Yahoo! required that we input a cell phone number while creating the account. There was no option to choose a different method. There was no option to skip it. We had to borrow someone else’s cell phone, get the code (which to me sounds like the opposite of account security) to complete the account creation. Once created, we were able to delete the cell phone number and choose email instead.
My other issue is that if I close Chrome, often my cookies will be cleared the next time I go to Chrome, so I have to go through the hassle of 2FA on all my online accounts as I use them again. I’ve tried looking for an option that is clearing cookies automatically on me, but haven’t found it yet. So I generally tend to keep Chrome open all the time. I would rather not do that, but the constant 2FA thing gets really annoying.
Cookies should be cleared on exit ONLY if the setting to do so is selected. Normal default behavior is that cookies are preserved across browser restarts.
That normal behaviour is what I would like, but I can’t see to find the setting in Chrome.
Very nicely covered, Leo, as usual.
There is one additional thing worth mentioning about two factor authentication (2FA). In my experience, well programmed web sites that require 2FA do not “trust” your first login by default. You must generally click a checkbox to indicate if you want to be asked for a second factor in the future. Less obviously, some sites ask if you are on a public or private computer.
Users need to know the “trust” concept may require answering such questions and the consequences of how they answer.
I personally do not accept the “trust” offer for higher-risk sites, like banking or investment websites where the risk of loss is higher than say, a catalog or news site.