
20 comments on “How to Protect Yourself From a Two-Factor Hack”

  1. For websites that don’t support hardware keys, Yubico has an authenticator app on the Microsoft Store that works with a Yubikey.
    Users can set up the authenticator app on a website by inserting the Yubikey and then scanning a QR code or copying the accompanying text code into the entry for that website.
    I have a text file containing the authenticator codes which allows me to set up more than one Yubikey to work with the authenticator.
    When a site asks for a TOTP code, I open the app, insert the Yubikey and copy/paste the resulting code.
    There is also a Yubico app in the Google Play Store for Android phones that works with NFC-capable phones and NFC Yubikeys.
    This combines the protection of a dedicated authenticator app and a hardware key.

  2. My wife and I share access to email and other data stored in the cloud, but we do so from different computers and cell phones. Messages to our cell phones as part of 2FA don’t work for us unless the message is sent to both cell phones, but I don’t see a way to set that up. Security dongles don’t work with our phones, and don’t work with multiple computers conveniently. Email checks can work, but often, it seems the email messages don’t arrive within a convenient time frame. Sometimes, they end up in our email server’s spam filter, which takes time to find and untangle. Sometimes, they don’t arrive at all. We haven’t found a robust way to employ 2FA.

  3. Agreed, Mark. I often read some folks’ opinion that different passwords are unnecessary … so wrong.

    I would add using different user names and if the entity requires that your email address be your user name, throwaway email addresses are available to a lot of folk. Then each account has a different user name even if it is an email address.

    Am I correct in thinking that makes your other accounts more secure should one be hacked? Either locally with you, or with the entity.

    And don’t get me started on secret answers to questions! It is my favorite peeve that folk use info easily found in their online profiles.

  4. I found that a huge disadvantage with a hardware security key is that you must be fanatical about having access to that key.

    With three smartphones and a dozen different computers in a half dozen physical locations, I found that extremely inconvenient. There were many times, when, not only did I not have the key with me, I wasn’t 100% sure where it was!

    There was also the issue of literally losing it forever and ensuring (in advance!) I had a way out (in?) if (when) that happened!

    Short of having this thing on a retractable lanyard around my neck or tie wrapped(!) to my primary phone, this was not a reasonable situation. I quickly backed out of that approach.

    Meanwhile, the perils of SMS for 2FA are way overblown by a lot of writers. In practice, it, along with biometric locking, ends up being plenty “good enough” for the majority of my clients.

    Except… one who is too old and confused to use an SMS capable phone! Given the number of accounts that require an SMS capable phone, I’ve had to use one of mine and make sure she can call me (on her landline) when a code is needed.

    I was briefly able to use SMS to a Google Voice phone number for this client but, unsurprisingly, VOIP numbers in general are increasingly not allowed – for obvious reasons.

  5. “And don’t get me started on secret answers to questions! It is my favorite peeve that folk use info easily found in their online profiles.”
    Who would ever include their grade 3 teacher’s name in their own profile? Or even their own mother’s middle name, for example?
    Also, I think you hit on a key element of all security requirements, Leo: anyone who thinks they are at risk of some exotic “digital security attack” had better have waaaay more than a couple of hundred bucks in their savings account! I think more than a few folks get “caught up” in the James Bond factor of securing their Joe Schmoe assets.

    • Password managers are great for sites that want secret answers to standard questions. The answers can be added as a note to the pass card for that site. And I’ve found that the answers don’t have to make sense to the question.
      In fact, I’ve had to add the answers as a note because even I can’t remember what I answered:)
      Some of us with time on our hands play around with these security methods to learn how they function more than out of fear of getting hacked. Although a security breach on some website can be a pain.
      Someone once filed my Federal tax return for me in the hope of intercepting my tax refund. The IRS caught it before any damage was done, but one doesn’t have to have a large bank account to get hurt.

    • Having little money in your bank account won’t stop hackers. The most common hack is phishing. It masquerades as a real bank, and when you try to log in, they get your email and password. Second factor authentication would stop the hacker as they don’t have that key, app, or phone number. In most cases of phishing, SMS authentication is fine. The phisher wouldn’t know who you are in that case.

    • I always answer the security questions with a lie or a phrase like “How the hell should I know?” And there are usually three or four questions. You can use the same lie for all of the questions.

      And if the option exists to receive the 2FA code via voice, I choose that over a text.

  6. I used the Yubikey with the Yubico authenticator app like Mark but it became too much of a hassle to always have the key with me so I switched to getting codes from Bitwarden.

    • I’m a “belt and suspenders” type when it comes to account security. In other words, I’ve set up multiple ways to get into my online accounts. The Yubikey is for my main ones.
      I’ve found that most websites that allow the use of an authenticator app also provide for adding another for backup purposes. I also use Bitwarden’s authenticator feature for some accounts and the Microsoft Authenticator for some others. The Yubikey is needed to sign into Bitwarden; the way I’ve set it up, it is the only way to sign in.
      Also, I have multiple Yubikeys, including a couple of USB-C keys, one of which is almost always plugged in to the laptop or desktop PC which I’m using. Another is a USB-A that is also NFC capable that stays on the key ring with my car and house keys. Hardware keys such as the Yubikey and others are so uncommon that most people don’t recognize one for what it is. At least that has been my experience.
      I’ll concede that Yubikeys aren’t cheap but they are near indestructible. And it is a pain setting up multiple keys to be used for each account. But it is essentially a one and done exercise. I definitely advise anyone who uses them to have more than one in the event one is lost. Account recovery methods for sites that a key is used for can be an ordeal if not set up beforehand.

  7. Grade 3 teacher’s name, probably not. However, I’ve also seen poorly considered security questions, like “What is your favorite restaurant?” Not only something that is probably discussed online, but also might change over the course of a few years.

    A multi-lingual friend of mine has the best solution I’ve ever heard of: She translates the last word of the question into her other language, and that is her answer. I suspect she will never be hacked.

  8. If someone steals your Samsung Android phone, but you have it PIN protected, wouldn’t your PIN keep them from accessing and using the phone?

  9. 2FA should offer to use transmission other than SMS so one can take advantage of face recognition on apps like WhatsApp, which also offer end-to-end encryption.

  10. Leo –

    Regarding which two-factor technique to use, is receiving a voice message with the code on a landline phone better/safer than receiving a text message with the code on a mobile phone?
