Securing Your Digital Life, Part 2: Using two-factor authentication (2FA)

Using strong passwords is a great first step in increasing the security of your online logins. But even a password that can't be easily guessed can still be stolen: exposed in a breach of the site's database, captured by a phishing page, or reused from another account that was compromised. One common scenario is an attacker who has obtained your password logging in as you, then resetting it to one they choose. The result is that they have access to your account, while you are locked out. To defend against this type of attack, many web services allow you to set up two-factor authentication (2FA), which requires a second proof of identity that a stolen password alone doesn't provide.

Something you know and something you have


A commonly used rule for security is that a user should be required to provide two factors to prove their identity: something the user knows and something the user has. Perhaps the most common example of this in daily life is the chip and PIN system used by credit cards (widespread in Europe, and currently gaining adoption in the U.S.).

2FA for credit cards:

  • Thing you have: credit card
  • Thing you know: PIN

Online, it's long been common for a password to serve as the thing you know. But until recently, adding a second factor (a thing you have) required specialized hardware such as a key-fob token. With the widespread adoption of smartphones, it's become common for web services to link a user's account with an authenticator app running on the user's phone. At setup, the service and the app agree on a secret key. The app then generates a one-time code, commonly 6 digits, by combining that key with the current time using a published algorithm (time-based one-time passwords, TOTP, specified in RFC 6238); the algorithm is public, and what keeps the codes unpredictable is the secret key, which only the app and the web service hold. The code changes every 30 seconds on most services (some use 60). By entering the current value from the app when logging in, a user proves they are in possession of the phone. As an alternative, some sites simply send a text message containing a one-time code to the mobile number associated with your account and ask you to enter it as you log in. Either method makes your mobile phone the thing you have and adds it as the second factor for 2FA. Of the two, an authenticator app is the stronger choice: a text message can be intercepted or redirected by an attacker who takes over your phone number, whereas the app's secret key never leaves your device.

2FA for web services:

  • Thing you have: mobile phone
  • Thing you know: password

Setting up 2FA using text messages

While many large web services support 2FA, such as social media sites and large financial institutions, smaller web services often don’t. In addition, sites that support 2FA often don’t require it, so it can take some work on your part to identify the settings and steps required to set it up. Fortunately, 2FA settings are generally well documented, so a simple web search will generally turn up the appropriate steps in the help section for the site in question.


For instance, Twitter exposes its 2FA settings in the Security section of the main Settings page. If you already have 2FA set up, this section says so and provides a link for reviewing your settings. Otherwise, you can click the button to start configuring 2FA.


Once you begin the process, the site provides a short overview of how their 2FA process works, and then walks you through the process of providing a phone number and verifying that you have access to the phone.

The final step is to generate and save a backup code, which you can use to verify your identity if you ever lose access to your device. This code can be used only once, so save it in your password manager (or another safe place that is not the phone itself) for a situation when you might need it, such as the loss or destruction of your phone.

Setting up 2FA using an authenticator app

Instead of text messages, some sites support 2FA only in conjunction with a smartphone app that generates codes. A number of authenticator apps are available for both Android and iOS phones. You can choose the app you want to use and associate it with accounts from many different sites. Several such apps are available; FreeOTP, used in the walkthrough below, is one of them.

Setup is pretty straightforward. FreeOTP, for instance, provides two buttons at the top right. You can tap the + button to display fields for manually entering the information for the service you want to authenticate to. However, it's common these days for a service to provide a QR code in which all the configuration information (the secret key, the account name, and the code length and interval) is embedded. In FreeOTP, you can instead tap the QR-code scanner button, grant the app access to your phone's camera, and then simply point your phone at the QR code on your computer screen that the web service generated during 2FA setup. FreeOTP then configures authentication for your account on that service. Treat that QR code like a password: anyone who photographs it can generate your codes.

When you next log into the service, you’ll not only need to know your password, but you’ll have to have your phone handy as well. The service will prompt you during the login process to open FreeOTP and enter the code shown for your account.

Note that authenticator codes change every 30 seconds on most services (60 on some). A circle progressively fills to the left of each code to track how much time has elapsed since it was generated. As a code nears expiration, it often makes sense to wait for the next one before using it to log in: some services accept a just-expired code for a short grace period, but others reject it even if you miss by a second or two.
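To make concrete what the authenticator app and the web service are doing (the algorithm described in "Something you know and something you have", the QR code scanned during setup, and why a code stops working when the circle fills), here is an added, self-contained example written for this article; it is not code from FreeOTP or from any service mentioned above. It implements TOTP per RFC 6238 with HMAC-SHA1, builds and parses the otpauth:// URI that enrollment QR codes carry, and shows a server-side check with an optional one-step grace window. The account name and issuer are made up for illustration.

```python
"""Added example: TOTP (RFC 6238) as used by authenticator apps, plus the
otpauth:// enrollment URI that setup QR codes encode. Not from any real app."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

STEP_SECONDS = 30   # time step; most services use 30 s
DIGITS = 6          # code length most services display


def new_secret(num_bytes=20):
    """Random shared secret, Base32-encoded as apps expect. This key is the
    only secret: the algorithm itself is public."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def enrollment_uri(secret_b32, account, issuer):
    """The otpauth:// URI a service embeds in its setup QR code.
    'account' and 'issuer' are illustrative values chosen by the caller."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def parse_enrollment_uri(uri):
    """What the app does after scanning: recover the secret and parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "secret": params["secret"],
        "digits": int(params.get("digits", DIGITS)),
        "period": int(params.get("period", STEP_SECONDS)),
    }


def totp(secret_b32, at_time, period=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation.
    Both the app and the server run exactly this on the same secret."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore Base32 padding
    key = base64.b32decode(padded, casefold=True)
    counter = int(at_time) // period                       # changes every `period` s
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify(secret_b32, submitted, at_time, window=1, period=STEP_SECONDS):
    """Server-side check. window=1 also accepts the previous and next step, so a
    code typed just as the circle fills still works; window=0 is strict and a
    code that expired a second ago is rejected."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + drift * period, period)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    uri = enrollment_uri(secret, "alice@example.com", "ExampleService")
    print("QR code would encode:", uri)
    scanned = parse_enrollment_uri(uri)
    now = time.time()
    print("App shows:", totp(scanned["secret"], now, scanned["period"], scanned["digits"]))
    print("Server accepts:", verify(secret, totp(secret, now), now))
```

The `verify` function is where the expiry behaviour in the text comes from: a service that checks with `window=0` rejects a code the moment the step rolls over, while one that allows a one-step window keeps accepting it for another 30 seconds. Either way the secret on the phone never travels to the server; only the six-digit result does.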

Combining 2FA with strong passwords protects your accounts on two fronts: a strong password is unlikely to be guessed, and with 2FA in place, even an attacker who has obtained your password cannot log in remotely without also holding your phone.