Two-Factor Authentication (2FA) is an important consideration for internet security, but it seems that many people still don’t know about it or maybe thought it sounded too confusing for the average internet user. I think the latter is partially due to lots of similar security technologies that all sometimes fall under the 2FA banner. I’ll talk about these a bit later.
What is 2FA? Essentially it means that you have setup an account so that you must have two separate identification factors to gain access. The most commonly used factors are passwords sent to your mobile device as SMS messages or through an app designed for this purpose such as 1Password, Google Authenticator, or Authy. Of course, the concept of 2FA isn’t limited to just internet accounts–withdrawing cash from an ATM is 2FA since it uses both your ATM card and your PIN.
Background Info on 2FA – You’re safe to skip to the next section if you’re not interested
Truth be told, Two-Factor Authentication a bit of a misnomer in that technically a username is also a factor, so a standard username and password technically count as 2FA even though the spirit of 2FA is to treat a username/password pair as a single item. This is one reason why 2FA is also referred to as Two-Step authentication.
Hard tokens and soft tokens are a similar technology, but are slightly different. Many technology companies use small key fobs that generate temporary number codes every few seconds, called tokens. To gain access to some corporate networks from outside the office you had to authenticate your username, password, and then enter the code from your key fob. These key fobs are generally referred to as hard tokens and must be physically replaced every few years. My own corporation has moved to using “soft tokens” that can be stored on a laptop or smartphone. To use, you open the soft token app, enter a PIN, and you gain the token to use for authentication for the next 30 or so seconds.
The use of tokens ensures that even if your laptop was stolen and a malefactor were to gain access to your password, they still would not be able to access your corporate intranet. With the rise of the internet and many people storing their financial info, data backups, and other vital information online, the same technology behind corporate soft tokens was utilized to help users protect their accounts.
1Password, my preferred password manager, classifies this technology as Time-based One Time Passwords (TOTP), which is probably a more accurate name in that the passwords given are for one-time use and will expire after a given time (generally 30-90 seconds). They maintain that receiving TOTPs on the same device that stores your normal username and password is not two-factor authentication since everything is on one device, which is another reason you’ll see the term two-step authentication rather than 2FA.
Should you use 2FA?
Is it worth the time to setup 2FA? I definitely think so. Even if you use excellent password security you might fall victim to a password sniffer on a public wi-fi connection. If you use the same password on more than one website, let’s say Target and Amazon, and Target is hacked, the hackers will very quickly run the usernames and passwords through a script that will try them on Amazon/Gmail/eBay and many other popular sites that could cause trouble for you. Using 2FA means that they must have your phone in addition to your username and password to log in from a new device.
There are also downsides to 2FA. Once set up, if you lose access to your phone you won’t be able to log into 2FA sites on new devices. Usually this is only a temporary setback as you’ll get your phone fixed or a new phone with the same number and you can then receive a SMS message with passwords again. Not to mention that almost all services that use 2FA also give you one or more emergency codes to store away just in case you lose access to your phone.
How do I get started?
I’d first visit TwoFactorAuth.org. They have a pretty exhaustive list of websites and apps that feature 2FA (and also have resources for you to help petition sites that don’t currently offer 2FA). Take a few minutes to see which of the services you use most that offer 2FA. Currently I use 2FA for Google, Dropbox, Facebook, Twitter, WordPress, and Evernote among others.
Now you need a plan for how you’re going to implement 2FA. Like I said above, I prefer 1Password–it’s a very robust password manager that also offers 2FA features. I love that all of my passwords and soft tokens are stored safely on my phone to be unlocked with my master password and/or my fingerprint. Sure it takes an hour or two to setup a password manager and enable 2FA, but the return from that investment will give you security with convenience as well as peace of mind. The drawback is that 1Password ain’t cheap. As I write this post a single-user license for Mac or Windows is $49.99 ($69.99 if you want both). The mobile apps are free, but to use 2FA you have to unlock “Pro” mode which costs $9.99. I used Appshopper.com and waited for a sale and caught the the Mac + Windows bundle at 50% off. I’m pretty sure you don’t need the desktop version of 1Password if you just want to use the mobile version, so keep that in mind. I also like that my 2FA data isn’t just on my phone, so if my iPhone is stolen I can authenticate from my iPad or Macbook.
Free options are out there and are pretty good. Authy is highly rated, and Google Authenticator both work quite well. I chose 1Password mainly for password management, but I find it is a better workflow for managing 2FA than either Authy or Google Authenticator and I love that I can copy and paste 2FA codes from 1Password directly into the webapp asking for the code.
If you want to know why I think it’s worth forking out enough money for dinner and a movie for 1Password, check out this comparison of popular password managers.
Keeping your data safe is important. In the war against malicious hackers, having 2FA is like bringing a bazooka to a knife fight. I highly, highly, highly recommend giving it serious consideration.