Two-Factor Authentication Keeps the Hackers Out

We rely on passwords to protect our online world. At the same time, hackers seem to be getting better at deciphering them.

In response, security folks created something called “two-factor” or “multi-factor” authentication.

It’s something I strongly suggest you understand and consider using.

Two-factor authentication relies on two different types of information, both of which must be correct in order to confirm your identity.


Authentication

When we talk about security and passwords and the like, the word “authentication” gets thrown around a lot.

All authentication means is proving that you are who you say you are. It’s validating you are authentically you, and not some impostor.

It’s important, because once you’ve shown you are who you say you are, you have the right to use the things that are yours. Once you prove you are you, for example, you’re allowed to access your email account.

In person, we can use physical things, like a photo ID, to prove we are who we say we are. Online, things get more difficult.

What you know, and what you have

Authentication has almost always been in the form of something you know – for example, a password. Even if you forget your password, the answers to a set of security questions might be used instead, which still boil down to something(s) you know.

Something you know is easy to transfer from one person to another. When it’s on purpose, that’s okay. When someone who shouldn’t learns your password, something you know becomes something they know, too. The result? They can get at your account.

“Two-factor authentication” adds something you have to the requirements to prove you are you. When it comes time to authenticate, you have to have two things:

  • Something you know: you must know your password.
  • Something you have: you must actually possess something specific that is completely unique to you and only you.

When you think about it, proving online that you have a particular physical object is actually pretty hard to do.

Until you factor in encryption¹.

Two-factor authentication using an app

A common tool to provide two-factor authentication is the Google Authenticator app. It works like this:

  • You install the Google Authenticator app on your smartphone.
  • You “associate” Authenticator with your online account. This is usually done by scanning a QR code provided by the set-up process for that account, or by entering a code that’s displayed.

[Screenshot: Google Authenticator]

The app now begins displaying a six-digit random number that changes every 30 seconds.

In reality, the number isn’t random at all – it’s a function of secret keys created as part of the setup process you just completed and of the current time (which is why it changes every 30 seconds). It’s completely unique to your account and your smartphone. Only the app and the service you’ve connected to know what the number should be at any point in time.

If you can type in the correct number provided by the app when requested by the service, that proves you have that specific smartphone.

Your two factors are:

  • Something you know: the password to your account, which you prove you know by typing it in as usual.
  • Something you have: your phone, which you prove you have by entering the number displayed by the Authenticator app when requested.

Your log-in process now requires you to provide your password, and then provide the number currently being displayed by your smartphone. Either one by itself is not enough.

Two-factor authentication using SMS

An alternative (for those who don’t have a smartphone, or who just prefer it) is to use text messaging (SMS) to prove you have your phone.

Setup is simple: you give your mobile number to the service, and tell them you want to use it for two-factor authentication.

Your two factors are:

  • Something you know: the password to your account, which you prove you know by typing it in as usual.
  • Something you have: your phone, which you prove you have by entering the number text-messaged to it when you try to log in.

Your log-in process now requires you to provide your password, and then provide the number texted to your phone.

Some systems can use automated voice readout of the number, meaning you don’t need to use texting at all; you don’t even need to have a mobile phone – a landline will do. When you try to log in, a voice call is made to your phone number, and an automated system reads you the number you need to type in.

Making two-factor less annoying

Once people understand two-factor, the first reaction is usually a horrified, “You mean I have to do this every time I log in?”

Actually, no.

After you log in once using two-factor authentication, most services let you limit how often the second factor will be required on that device. You usually have the following options:

  • Never again on this computer. This means that this computer itself is trusted. You can log in again on this specific computer without requiring the second factor. (Clearing cookies usually resets this.)
  • Every-so-often on this computer. This usually means the service will not ask for a second factor again for some number of days – often 30. (Once again, clearing cookies will likely reset this.)
  • Always ask. Two-factor authentication is always required. This is the default.

This lets you tailor exactly how aggressive – and annoying – two-factor authentication should be.

On a computer at home, you might never use two-factor, but on a laptop you travel with, you might require it always be used, just in case you lose the laptop. This is exactly what I do.

Why two-factor protects you even if you only enable and never use it

So why would you enable two-factor and yet still say “never ask again”?

“Never ask again” can apply only to a computer on which you’ve successfully used two-factor at least once. On any computer you’ve never used, two-factor will always be required at least once.

That means the computer of a hacker who happens to have stolen your password can’t be used to get in.

Even knowing your password, the hacker cannot log in if you have two-factor authentication enabled on the account.

Losing your second factor

One fear that comes up when people look into two-factor authentication is “what happens if I lose my phone?” (or other two-factor device).

When you set up your account with something like Google Authenticator, you will also be given a set of one-time passwords or recovery codes. Save those someplace secure. You can log in with each of those passwords exactly once without requiring a second factor.

Usually you would:

  • Log in using a one-time password.
  • Temporarily disable two-factor authentication.
  • Change the password for safety (optional).
  • Re-enable two-factor authentication by associating a new phone or other two-factor device.
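Here is an added example (my own construction, not how Google, Microsoft or any particular service implements it) of what “you can log in with each of those passwords exactly once” looks like on the service’s side: the codes are generated once and shown to you for safekeeping, the service stores only salted hashes of them, and redeeming a code removes it so it cannot be used a second time. The code format (two groups of five hex characters) and the count of ten are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10):
    """Constructed format: 40 random bits per code, displayed as xxxxx-xxxxx for easier transcription."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)              # 10 hex characters from the OS CSPRNG
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: with or without the dash, spaces, or capitals."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _hash_code(code: str, salt: bytes) -> str:
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record for one account: only salted hashes are kept, and each code burns on use."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, code: str) -> bool:
        """Return True and consume the code if it is still unused; False otherwise."""
        digest = _hash_code(code, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.discard(stored)     # exactly once: a second attempt with the same code fails
                return True
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Save these somewhere safe; they will not be shown again:")
    for c in codes:
        print("  ", c)
    store = RecoveryCodeStore(codes)              # what the service keeps
    print("First use of code 1:", store.redeem(codes[0]))
    print("Second use of code 1:", store.redeem(codes[0]))
    print("Codes left:", store.remaining())
```

Because only hashes are stored, a copy of the service’s database does not reveal the codes; because each code is deleted when redeemed, the steps above (log in with one code, disable, change the password, re-enrol a new phone) consume exactly one of your ten, and the rest stay valid for the next emergency.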

I save the one-time passwords in an encrypted file.

Some services, like Microsoft, will also let you set up a recovery code that’s independent of two-factor authentication. I recommend you do so.

If you’re using SMS as your two-factor mechanism, recovery can be as simple as going to your mobile provider and getting a replacement phone while keeping your mobile number. Texts are sent to your mobile number, and will follow you to whatever phone you switch to.

Two-factor availability

I have two-factor authentication enabled on everything that supports it. For me, that means, among other things, my bank, Amazon, Gmail, Lastpass, Dropbox, Facebook, Evernote, Microsoft, TeamViewer, and even my World of Warcraft account.

Unfortunately, not every service supports two-factor authentication. I strongly recommend you consider it for those accounts that do.

You’ll also find that in addition to, or instead of, the two common methods I mentioned above – Google Authenticator and text messaging – several services also have other approaches to two-factor. World of Warcraft, for example, has its own app. Facebook uses the Facebook mobile app to provide the code, or SMS if you don’t have the app. Some services will provide key chain fobs that display the randomly changing number. Other services can use devices like the USB-based Yubikey.

Pick what makes the most sense to you, but strongly consider adding two-factor authentication to increase the security of at least your most important accounts.


Footnotes & references

1: Pun completely unintentional. 🙂

47 comments on “Two-Factor Authentication Keeps the Hackers Out”

  1. It’s very worthwhile exploring the related articles and not just assuming the current practice of Secret Questions have got you covered as the 2nd step of verification. Secret Questions are a pretty weak method of security as the Secret Answers are frequently known by friends, family, work and class mates.

    Though Leo has a creative way of making Secret Answers more secure for those sites that only have Secret Questions.

    • I’m finding that secret questions are, thankfully, falling out of favor. Many sites that used to have them have replaced them with other forms of validation.

      • As long as a system created or understood by humans is relied upon, another human or machine created by a human will eventually crack it. Trying to type a bunch of letters and numbers is really too easy and then they want you to do a ‘Turing’ exercise and choose items that have the same characteristics that can really be frustrating if you can’t really get a grip on their concept or see it well…those aren’t even useful for the handicapped.

        The answer hasn’t been thought of yet because they are too busy trying to see if you are AI.

  2. I live in India, but travel to the U.S. once in a while since all my children are settled there. I am hesitant to activate the Google two-factor authentication because my Indian phone does not work when I am in the U.S. What would be the preferred option in such a case?

    • If you use the google authenticator app on your phone it should work. The app does not require connectivity or phone calls, it’s just a program that runs on the device.

    • Google will allow you to pre-download ten codes that can be used when you travel. The codes are only used one time and then you need to go on to the next.

      BTW: YOU CANNOT USE EUDORA WITH TWO PART AUTHENTICATION! Eudora only allows one password – no codes! Then Google blocks the attempt to download your gmail!

      • I believe you can use Eudora and other email programs that can’t do two-factor by looking for and setting up “application passwords”. Check the Google options for that.

        • FB requires a mobile phone. I tried to use my landline for two-factor and FB has SMS only. I’m deaf and have an automatic caption phone. FB two-factor will not work for me. I’ve written them about it but without a premium account they won’t answer me.

          • I’d love to know why they think we all have cellphones anyway. Some of us care to eat and live in a house.

    • Depends ENTIRELY on the online service you’re talking about. As I mention in the article, SOME will actually read you a number over a voice line.

  3. Leo, this problem first showed up today on your newsletter page: an annoying pop-up on the left edge of the page that gives me a “choice” to share with facebook, twitter, etc. It covers part of the text that I am reading. Is there a way to get rid of it?

    • That sort of a thing on a web page is usually put there by the web designer. I would think that maybe Leo is asking us to help share his page. So I’m going to click it and share the page when I like an article.

    • I will be adjusting the left margin as soon as I can. (I’m on the road.) Connie’s comment is spot on – sharing is one of those things that’s pretty critical to Ask Leo!’s survival. I’ll work to make it less annoying.

    • I was having this problem a while back and it was corrected enough to read the article content by reducing the zoom to no more than 100 %.

  4. I. Kertesz – Answer: I use Firefox as my main browser. I installed an add-on called “No Squint” which makes web page font larger or smaller. Normally I have it set for very large web page font. I had the same problem you did. The pop-up on Leo’s page blocked the wording. I had to use No-Squint to reduce the size of the font since I could not delete the annoying pop-up. Once I reduced the font I could then read it.

  5. My wife and I have cell phones through AARP. No text. No internet. Voice only. The company is Consumer Cellular. Two phones – Two people – 600 shared minutes: Total price = $35.00 per month! There should be a way for two-factor authentication to work without the use of smart phones. Some of us are retired and cannot afford smart phones.

    • Most 2 factor authentication sends a normal text message which should work on any cell phone. Some even offer the option of a voice message which would even work on a land line.

    • You might check out TracFone. I’ve had their service since March. Depending on how many minutes you use, you can end up easily with two accounts under $35/month combined, and have access to phone calls, texts and internet. I got this phone:

      LG Optimus Dynamic II – LG39C – Android Prepaid Phone with Triple Minutes (Tracfone)

      and prepaid a year of service at tracfone.com. When you check them out, be aware that when you have an ANDROID phone like the LG I gave you the link for above, you get TRIPLE the minutes that are listed on the card you get at Walmart or other stores, or various offers online, and that’s that number of minutes phone call, that number of text messages plus that number of megabytes of data.

      Do check it out. I am still very satisfied, but at 63, I don’t make a lot of phone calls, but I love the texts that Amazon sends me to tell me when packages should be delivered. (And if you add a new card before your “x” days of service runs out, all of your accumulated minutes, texts, and megabytes that you haven’t yet used carried over to the renewal period, plus triple the number that you just added.

      • My first cell phone was a TracFone. It was just for emergencies. When I finally had an emergency there were no minutes left to use. You not only used minutes by using the phone, you lost so many minutes a month by carrying it around in your pocket or in your glove box. I don’t know if they still do it that way nowadays.

  6. I. Kertesz… I just noticed that there is a double blue arrow at the bottom of the pop-up. Click on those arrows and the pop-up will disappear.

  7. Hi Leo,
    The two-factor authentication has really saved my gmail account recently. One night, I kept receiving the codes for my gmail account (5 times). Then, it stopped. As my wife and daughter sometimes open and read mails, I thought one of them should have opened it. My wife was with me at home, my home computer had not been in use, and my daughter confirmed not having opened my mail a/c. Obviously, my password had been stolen. I immediately accessed my account and changed the password (tougher). As of today, my account looks safe.

    I wanted to thank Google for it, but it is difficult to find a Mail ID for it.

    • Shanker, click on the gear icon in the upper right, then click Send feedback. You can thank Google that way. You’ll only get an answer if you have a premium account.

  8. I’m probably not understanding something or just not thinking it all the way through. What if someone STEALS your phone. They now have access to both factors. They have access to your email and your text messages and your phone calls so TFA no longer helps you stay secure, correct? Again, what am I missing? I have a passcode on my phone.

    • Right. If they hack your password, AND steal your phone they can get in. Those are two separate things, however. Given that most hackers are very, very far away from you (typically overseas) the likelihood of them having stolen your phone is next to nothing. 2FA remains incredibly robust.

      • In South Africa there have been cases where hackers, who have obtained a password to a banking account protected by 2FA, have been able to obtain a replacement SIM card linked to the victim’s cell phone (as part of a replacement SIM process). The victim’s cell phone then goes off the air as its SIM has been deactivated, while 2FA text messages go to the new SIM card (which is in the possession of the attackers).

        2FA is better / stronger than single factor authentication but it is still vulnerable to attack.

        In the case of a lost or stolen cell phone a “remote wipe facility” is strongly advisable. There is just too much personal data on them and every app adds to the attack surface available to a hacker.

    • If they steal your phone, it’s not likely that they will have your passwords unless you have them stored unencrypted on your phone.

      • It turns out that the report is based on incorrect information, but it’s a good reminder to keep passwords secure and consider 2FA anyway.

  9. Initially I resisted 2FA mostly because I didn’t understand how it worked. I used to think “if I lose my Android I won’t be able to access my accounts”. Once I made the effort to see how it actually worked I was hooked. I’ve been using 2FA for various accounts/services that support it for a couple of years now and wished I had made the move sooner.

    I also use LastPass for password management and keep a copy of my passwords in a volume encrypted by TrueCrypt. The master passwords for LastPass and TrueCrypt are memorized. I also have a physical copy in a safe place. With respect to my home PC, I never choose the “trust this device” option – I always want that SMS sent to my phone. It can be a pain in the you-know-what but then I consider the alternative – I suffer a break in while I’m away and that PC goes missing.

  10. Banks and credit card companies usually offer the options to send you an email or a voice message, or have you call a number yourself to get the confirmation code. Very helpful for those like me who work from home and don’t have cell signal at home. 2FA that only works with text messages is useless to me most of the time.

      • In Europe, all banks not only offer 2FA, they insist on using it. I wish the US would adopt that policy.

        • I don’t even have a cellphone, I can call the bank and find my information with the automated system or talk to a banker live and I just get my cash out and pay for it directly or purchase the transfer method required.

          No muss and no fuss, no Mr. In-between.

    • That’s true, but it’s my understanding that this disrecommendation of SMS as a second factor is more relevant for governmental agencies and businesses which might be specifically targeted. For the average user, the odds of someone hacking into your SMS communications are next to nil.
