You Should Use It to Keep Hackers Out
We rely on passwords to protect our online security. At the same time, hackers seem to be getting better at figuring them out!
In response, security folks created something called “two-factor” or “multi-factor” authentication, which uses two different types of information. Both must be correct to prove you are who you say you are and give you access to the account.
It’s something I strongly suggest you use. Two-factor authentication keeps your account secure even if your password is compromised.
Two-factor authentication adds something you have (like a mobile device) or something you are (like your fingerprint) to something you know (your password) to confirm you are authorized to access an account. There are contingencies for losing your second factor, as well as ways to make two-factor less intrusive in day-to-day use. Even if they know your password, hackers can't get in with only that password once two-factor is enabled. This is how two-factor authentication keeps you secure.
The word “authentication” gets thrown around a lot.
All authentication means is proving that you are who you say you are. It’s validating you are authentically you, not some impostor (or hacker).
It’s important because once you’ve proven you are who you say you are, you get the right to use the things that are yours. Once you prove you are you, for example, you’re allowed to access your email account.
In person, we use physical things, like a photo ID, to prove we are who we say we are. Online, things are more difficult.
What you know
Authentication has almost always been in the form of something you know. You know your username and the password that goes with it. Since only you should know your password, your ability to type it in proves you must be you and no one else.
If you forget your password, the answers to a set of security questions might be used instead, which still boil down to something(s) you — and hopefully only you [1] — know.
Something you know is easy to transfer from one person to another. When it's on purpose, that's okay, albeit less than secure. When someone who shouldn't know your password learns it, something you know becomes something they know, too. The result? They can impersonate you, too.
What you have
Two-factor authentication typically adds something you have to how you prove you are you. When it comes time to authenticate, you need two things:
- Something you know: you must know your username and the password that only you should know.
- Something you have: you must possess something specific that is also completely unique to only you.
Proving over a network that you physically possess something is hard to do securely until you bring in cryptography. For example, "what you have" might be a smartphone running an application that shares a secret key with your account; the app proves possession by computing a code from that key that only a holder of the key could produce. More on that in a moment.
What you are
There's an additional factor sometimes combined with a password, and sometimes even a password plus something you have: [2] something you are.
Most commonly, this is biometric data like your fingerprint or your face, each of which is, in theory, unique to you. When it comes time to authenticate, you need two things:
- Something you know: you must know your username and the password that only you should know.
- Something you are: you must provide your fingerprint or allow a facial scan, those things again being completely unique to you.
Fingerprint and face recognition are fairly common of late, though they're generally used by themselves as a single factor (on a phone, the scan typically just unlocks a credential already stored on the device). Only when combined with something you know and/or something you have is it considered multi-factor.
Proving what you have
- You install the Google Authenticator app [3] on your smartphone.
- You “associate” the Authenticator with your online account. This is usually done by scanning a QR code provided by the set-up process for that account, or by entering a code that’s displayed.
The app now begins displaying a six-digit number that changes every 30 seconds.
In reality, the number isn't random at all. It's computed from a secret key that was shared between the app and the service when you scanned the QR code, combined with the current time (the standard is called TOTP, time-based one-time passwords). Because the key is unique to your account and your device, only the app and the service can know what the number should be at any given moment.
If you can type in the correct number provided by the app when requested by the service, it proves you have the device running the app (or at least its secret key, which is why the set-up QR code itself should never be shared or kept as a screenshot).
In this case, your two factors are:
- Something you know: the username and password to your account, which you prove you know by typing in as usual.
- Something you have: your device, which you prove you have by entering the number displayed by the Authenticator app when requested.
Your log-in process now requires you to provide your username and password, and then provide the number currently being displayed by your smartphone. Either one by itself is not enough.
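To make the "computed from a secret key and the time" part concrete, here is an added example in Python, not code from this article or from Google Authenticator: the server-side enrollment that mints the shared secret behind the QR code, the app-side code generation, and the server-side check with a small drift window and replay protection. Function names such as `enroll` and `verify_totp` are this example's own; the key `12345678901234567890` used in the walk-through is the published RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then
    'dynamic truncation' down to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, i.e. what the app displays: HOTP with the counter set
    to the current 30-second time slot. No randomness is involved."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, *,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1):
    """Server-side check. Returns the accepted time slot, or None.

    window       - neighbouring slots to accept, to tolerate clock drift
                   between phone and server (1 means 30 s either side).
    last_counter - highest slot already accepted for this account; anything
                   at or below it is refused so a captured code cannot be
                   replayed inside the drift window. Persist the returned
                   slot as the new last_counter after a successful login.
    """
    now = int(at_time) // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def enroll(issuer: str, account: str):
    """Server side of 'associating' the app (hypothetical helper): mint a
    random 160-bit shared secret and the otpauth:// URI that the set-up
    page's QR code encodes."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, uri


def secret_from_uri(uri: str) -> bytes:
    """App side: pull the base32 secret back out of the scanned URI."""
    b32 = uri.split("secret=")[1].split("&")[0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # Constructed walk-through with the RFC 6238 test key (not a real secret).
    key = b"12345678901234567890"
    print(totp(key, 59))                                   # 287082 at Unix time 59
    print(verify_totp(key, "287082", 89))                  # 1: previous slot accepted
    print(verify_totp(key, "287082", 89, last_counter=1))  # None: replay refused
    server_secret, uri = enroll("Example", "leo@example.com")
    assert totp(secret_from_uri(uri), 1000) == totp(server_secret, 1000)
```

Two things worth noticing: the service must store the same secret the phone holds, so that database is as sensitive as a password store; and a six-digit code is only 1,000,000 possibilities times the drift window, so a real service also rate-limits guesses per account.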
Using SMS for two-factor
An alternative (for those who don’t have a smartphone or who just prefer it) is to use text messaging (SMS) to prove you have your phone.
Set up is simple: you give your mobile number to the service and tell them you want to use it for two-factor authentication.
Your two factors are:
- Something you know: the username and password to your account, which you prove you know by typing it in as usual.
- Something you have: your phone, which you prove you have by entering the random number text-messaged to it when you try to log in.
Your log-in process now requires you to provide your password and the number texted to your phone.
Some systems can use automated voice readout of the number, meaning you don’t need to use texting at all; you don’t even need to have a mobile phone — a landline will do. When you try to log in, a voice call is made to your phone number and an automated system reads you the number you need to type in.
While there are occasional stories of SMS being hacked (an attacker can take over a phone number by convincing the carrier to port it or issue a new SIM, the so-called SIM swap), the reality is that using SMS two-factor is still much more secure than not using two-factor at all. If the service also offers an authenticator app, that's the stronger choice.
Making two-factor less annoying
“You mean I have to do this every time I log in?”
After you log in once using two-factor authentication, most services let you set how often the second factor will be required on that device. You usually have the following options:
- Never again on this computer. This means this computer is trusted. You can log in on it again without needing the second factor. (Note: clearing cookies usually resets this per-browser setting.)
- Every-so-often on this computer. This usually means the service will not ask for a second factor again for some number of days, often 30. (Note: clearing cookies will reset this, too.)
- Always ask. Two-factor authentication is always required.
This lets you tailor exactly how aggressive two-factor authentication should be.
On a computer at home, you might choose "never again", but on a mobile device or laptop you travel with, you might require it always be used in case you lose the laptop. This is exactly what I do.
Two-factor protects even if you enable and never use it
“Why would I choose ‘never ask again’?”
“Never ask again” can apply only to a computer on which you’ve successfully used two-factor at least once. On any computer you’ve never used, two-factor will always be required at least once.
That means the computer of a hacker who has stolen your password can’t be used to get in.
This is how two-factor authentication keeps you secure: even if they know your password, hackers cannot log in if you have two-factor authentication enabled, unless they also capture your second factor (for example, by tricking you into typing the current code into a fake log-in page, which is one more reason to check the address of any page that asks for it).
Losing your second factor
“What happens if I lose my phone?” (Or other two-factor device).
When you set up your account with something like Google Authenticator, you will also be given a set of one-time passwords or recovery codes. Save those someplace secure. You can log in with each of those passwords exactly once without requiring your second factor.
After losing your second factor, you would:
- Log in using a one-time password.
- Temporarily disable two-factor authentication.
- Change the password for safety (optional, but recommended).
- Re-enable two-factor authentication, associating a new phone or another two-factor device.
I save the one-time passwords in an encrypted file. [4]
Some services, like Microsoft, will also let you set up a recovery code independent of two-factor authentication. I recommend you do that, too.
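The "exactly once" property of recovery codes is worth seeing on the service side. This is an added Python example, not code from the article or from any of the services it names, showing how codes can be minted, stored only as hashes, and burned on first use. The code format, the 40-bit length and the plain SHA-256 storage are this example's assumptions (random codes this short need per-account rate limiting in practice).

```python
import hashlib
import hmac
import secrets


def hash_code(code: str) -> str:
    """Normalise user input (case, dashes, whitespace) and hash it, so the
    database never holds a usable code, only its digest."""
    normalised = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalised.encode("ascii")).hexdigest()


def generate_recovery_codes(count: int = 10):
    """Mint `count` single-use codes. Returns (codes to show the user once,
    set of hashes to persist). Each code is 40 random bits as 10 hex digits,
    shown as xxxxx-xxxxx for readability."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes, {hash_code(c) for c in codes}


def redeem_recovery_code(stored_hashes: set, submitted: str) -> bool:
    """Accept a code at most once: on success its hash is removed from the
    stored set. Every stored hash is compared (no early exit) with a
    constant-time comparison so the check leaks nothing useful about which
    codes remain."""
    candidate = hash_code(submitted)
    matched = None
    for stored in stored_hashes:
        if hmac.compare_digest(stored, candidate):
            matched = stored
    if matched is None:
        return False
    stored_hashes.discard(matched)
    return True


if __name__ == "__main__":
    # Constructed walk-through: enrol, then try the same code twice.
    shown_to_user, db = generate_recovery_codes()
    first = shown_to_user[0]
    print(redeem_recovery_code(db, first))   # True: first use works
    print(redeem_recovery_code(db, first))   # False: already burned
    print(len(db))                           # 9 codes left
```

When the user regenerates codes (step 5 above, re-enabling two-factor on a new device), the old hash set is replaced wholesale so codes written down before the phone was lost stop working.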
If you’re using SMS as your two-factor mechanism, recovery can be as simple as going to your mobile provider and getting a replacement phone while keeping your mobile number. Texts are sent to your mobile number and will follow you to your replacement phone.
I have two-factor authentication enabled on all of my accounts that support it.
For me, that means, among other things, my bank, Amazon, Gmail, LastPass, Dropbox, Facebook, Evernote, Microsoft, TeamViewer, and even my World of Warcraft account.
Unfortunately, not every service supports two-factor authentication. I strongly recommend you consider it for all your accounts that do.
You'll also find that in addition to or instead of the two common methods I mentioned above — Google Authenticator and text messaging — several services also have other approaches to two-factor. Facebook allows you to use the Facebook mobile app to provide the code. Some services provide keychain fobs that display the randomly changing number. Other services use devices like the USB-based YubiKey. Hardware keys used in their FIDO mode have one advantage over any typed code: the key's response is tied to the site it was registered with, so a look-alike phishing page can't collect and relay it.
Pick what makes the most sense to you, but add two-factor authentication to increase the security of your most important accounts, if not all of them.
Footnotes & References
1: Since we’ve made so much of our information public in recent years, these questions have fallen out of favor. Too many other people might be able to discover the answers to your so-called “secret” questions.
2: Resulting in three-factor authentication. This is one of the reasons you’ll also see this enhanced security referred to as “multi-factor”, to cover the possible combinations.
3: Or the compatible app, Authy. Authy can be installed on multiple devices, allowing any to be used as your second factor.
4: This is an excellent use, for example, of the secure note feature in many password managers — with the exception of the one-time codes for the password manager itself, of course.