Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links.
How to Set Up Two Factor Authentication
Since everything we do and who we are is online nowadays, there’s nothing more important than protecting our accounts from outside intrusion.
While passwords have been the best option to do that in the past, modern hacking equipment is so sophisticated that unless you have a 12-16 word password, you’re at risk.
What’s the solution then? Well, adding a second layer of security to your account in the form of a secondary password.
Of course, just having a second password you enter when logging in isn’t going to really help much if your passwords can be easily cracked. Instead, companies have started to widely introduce two-factor authentication, which has a physical component attached to the authentication process.
So what is two-factor authentication exactly?
What is Two-Factor Authentication?
Two-factor authentication, or 2fa, is a way for you to add another layer of security and protection to your account.
Rather than just leaving it up to a single password to protect any given account from being hacked, you add a secondary action that also needs to be authenticated before access is allowed.
The idea here is that even if one of these things gets compromised, such as your password, you always have the second authentication method to protect you.
In an ideal world, your 2fa method of choice is one that isn’t easily compromised. Compromise is still a possibility, but we’ll discuss that later.
So what does this 2fa method look like?
Well, that can vary a lot depending on what you pick, although you’re probably familiar with text-based 2fa. You possibly need to use that for banks when making large purchases, or when logging in to a gaming platform, where 2fa has now become the norm.
There are, of course, other types of 2fa with their own advantages and disadvantages, but we’ll look at those in a bit.
Benefits of Two-Factor Authentication
So why use 2fa? Well, the main and most obvious reason is the added layer of security you get from using it. In the day and age we live in, where everything we do and who we are is saved online, it’s important that we keep that kind of information safe.
Therefore, adding a second layer of protection doesn’t hurt you at all, even if you use a good quality password manager.
Another benefit of 2fa is that it’s very low cost, and in some circumstances, completely free. In fact, the most popular type of 2fa requires nothing more from you aside from downloading an app to your phone and linking an account.
Of course, this method isn’t as secure as using a paid dongle, but it’s certainly good enough for what you’re getting.
Finally, 2fa is really easy to use, so aside from a few extra seconds, there’s really very little disadvantage. If anything, 2fa is one of the few things that actually gives back more than it takes.
How Does Two-Factor Authentication Work?
Simply put, after you log in to your account like you normally would, you are then sent something called a “Timed-One-Time-Password” or TOTP.
This TOTP is usually sent either to your mobile device through a 2fa application, or to another, standalone physical device.
Once you receive the TOTP, you input it into the login page, which then verifies (1) that the TOTP is indeed correct and (2) that it’s been sent within the correct period of time.
In fact, some TOTP actually only last 20-30 seconds, so it can be incredibly difficult to spoof or hack these types of 2fas.
So how secure are 2fa and TOTPs? Well, pretty secure actually; most of them have high-level encryption. In truth though, there’s always a weakest link in the chain, and in this circumstance, it’s people.
While 2fas are incredibly secure, human beings are still prone to social engineering and other similar attempts at getting information. As such, using better quality 2fa methods and open-source privacy tools can help mitigate this vector of attack.
What Are the Different Types of Two-Factor Authentication?
If you’ve decided that you should use 2fa, here are the most popular types of it. However, besides 2fa, you might want to take a look at password protectors.
Alright, in that case, what are the different types of 2fa, and which one is the best?
Authenticator Apps
A big advantage of authenticator apps is that they are tied to a mobile phone, rather than to a specific number.
That means that if you fall victim to a SIM swap scam, or somehow lose access to your line, the hacker won’t be able to gain access to your authenticator.
Even better, authenticator apps don’t generally need a Wi-Fi connection or access to the internet. As such, you can use 2fa even when your phone doesn’t have any form of internet access.
That being said, the fact that it’s tied to your phone can also be a downside, depending on how well you take care of it. If the battery dies, the phone falls, or gets stolen altogether, well then you’re going to be in a bit of a pickle.
Usually, the solution here is to have a printed recovery code, often in the form of a QR code, which you can use to recover your authenticator app on a new phone. Unfortunately, most people don’t tend to bother with that, so it’s not necessarily the best option unless you adhere to the best practices.
There’s also the issue that you might need some form of a privacy screen to stop others from just seeing the code when it pops up on the screen.
SMS 2FA
On the flip side of authenticator apps are SMS 2fas. They work the same way, except you receive the TOTP on your phone through a text rather than on a centralized app.
The big benefit here is that your 2fa isn’t tied to the phone but to the SIM card, and therefore if you don’t have access to your phone, that’s not a problem!
Even better, SMS 2fa works on non-smartphones or lower-budget smartphones that may struggle to function with too many apps installed.
Therefore, SMS 2fas can be a great option for those who don’t have easy access to smartphones.
Unfortunately, though, there are problems, like the previously mentioned SIM swap attack. You also tend to have to provide your number to each website that uses SMS 2fa, which a lot of people might not be comfortable with.
Even if you are, that’s a lot of websites that you potentially have to enter your number in, and you never know if that information is being sold off to a 3rd-party marketing agency.
Of course, there’s also the fact that if your phone is stolen, the person can just take the SIM out and put it in another phone to gain access to the TOTP.
The biggest issue though is that SMS 2fa is completely reliant on the phone network, so if you aren’t anywhere near a cell tower, well then you don’t have access to your 2fa.
Security Keys & FIDO U2F
While the previous two solutions have been software-based, these ones are hardware-based, although they function on a similar concept. These have their own protocol called Universal Two-Factor Authentication, or U2F for short.
It’s essentially the same thing as 2fa, except it’s made specifically for a hardware dongle or fob.
So how does it work? Well, you buy your security key and then tie it to a variety of websites.
Then when you want to log in to a website with U2F, you connect the dongle to the USB port of your computer and that’s pretty much it! The dongle then looks to make sure the website is authentic, and the codes are all legitimate, and if they are, you gain access.
There are also a few fobs that actually have a screen and provide you with a code for you to use rather than plugging into a USB port. There are also some dongles that have Bluetooth or NFC.
So what’s the catch? Well, unfortunately, U2F is not a widely supported protocol. In fact, Chrome is the main browser that supports it, with Firefox and some secure browsers still working on it.
Another issue is that while 2fa through SMS or authenticator apps is free, security fobs are not. On average, you’re likely going to have to spend $10-$20 on one, which is quite a bit of money for a technology that isn’t very widely supported.
Nonetheless, U2F and security fobs are the best and most secure way to add another layer of security to your accounts. We just need to hope that they become more widely accepted going into the future.