A strong password is still essential to keeping your accounts secure, but it’s not always enough. Even if you have a highly-secure password, it can be compromised in a data breach. That’s when two-factor authentication (2FA) can save the day. With 2FA enabled, your user name and password are not enough for a hacker to access your account. Anyone trying to log into your account would need to provide an additional means of verifying your identity, like a one-time use PIN delivered via an app, text message or email, a physical device that generates a passcode or a biometric device.
Facebook, Google, Twitter, banks and password managers are among the many services that encourage users to protect their accounts with two-factor authentication – but uptake isn’t high, even among the tech-savvy. Only 10% of Google users, for example, make use of this free feature.
Cybersecurity experts agree that enabling two-factor authentication is a crucial part of online hygiene that makes accounts more difficult to hack. “Two-factor authentication puts one more layer of defense between an attacker and your personal data, ensuring that you are not viewed as an easy target,” saysBrian Anderson, a security expert at Kaspersky Lab North America.
However, not all two-factor methods are equally secure.
Good two-factor authentication: code texts and emails
Once the bulwark of tech-savvy cybersecurity, SMS authentication has been increasingly exposed as vulnerable to scammers. “If you leverage SMS or email as your second method of authentication, it’s possible for attackers to intercept the authentication code and log into the targeted account,” says Anderson. Network vulnerabilities can allow hackers to intercept calls and text messages containing 2FA codes, as occurred in a breach of Reddit that exposed users’ email addresses and a 2007 database of passwords.
Phishing attacks are also more likely over SMS or email, where scammers trick users into handing over their logins through a link, email or text designed to look like a legitimate service. As Amnesty International reported, an easy-to-use attack prevalent in North Africa and the Middle East goes like this: While users are logging into the fake site, attackers capture their login and use it for the real site, thereby triggering a genuine 2FA code to be sent to SMS or email – which the user inputs into the spoof site.
Researchers have uncovered a new tool that would allow scammers to create more convincing phishing sites by feeding content from the genuine site into the spoofed version. “2FA phishing isn’t new – it’s just easier than ever now thanks to an open source toolkit that helps you do it,” says Paul Duckin, Senior Technologist at Sophos. “The author says it’s for testing and research purposes only, but he has no way to stop the crooks using his code too.”
Better two-factor authentication: authenticator apps
Rather than receiving a message that can be intercepted, generating codes on a device that’s with you largely keeps those codes out of hackers’ reach. That’s where authenticator apps come in. The likes of Google, Microsoft and password manager LastPass have developed their own authenticator apps which work with any platform or service that supports 2FA.
These apps can be synced with various platforms in your accounts’ settings when you enable 2FA. At this point, you’ll be asked to scan a QR code that automatically adds the account to your code-generating app. Both Google Authenticator (Android/iOS) and Microsoft Authenticator (Android/iOS) are easy to set up – but if you use Outlook, Microsoft Authenticator is the slightly better bet. You can take advantage of logging in to Outlook without a password, you authenticate by simply tapping a confirmation in the app.
If you want a few extra features, Authy (iOS/Android) will back up your synced accounts so that if and when you upgrade your phone, you’ll only need to download Authy again to be all set up with your 2FA (whereas Google and Microsoft require you to re-sync all the accounts you want 2FA on).
Whichever you pick, the apps work the same way – by generating six-digit codes that refresh every 30 seconds or so, reducing the likelihood of these codes being scraped and reused. And, authenticator apps generate codes regardless of whether you’re online, which is handy if you’re out of reception or roaming.
The only downside comes if you lose or forget your device. Once 2FA is enabled, many accounts may by default require a 2FA code to log in every time; corporate accounts may require it for security – and forgetting your phone means being locked out of these accounts.
Best two-factor authentication: authenticator keys
While authenticator apps are better than codes sent via text message or email, they aren’t totally invulnerable. Phishing attacks, for example, could potentially steal 2FA codes if users are lured to spoof sites to enter a code and the attacker is able to capture and use the code before it’s refreshed. While an unlikely scenario for the average citizen, activists, politicians or others whose communications are targeted may need tougher security.
In this case, it’s time to ramp up to an authenticator key, a physical device that plugs into a computer’s USB port or communicates via NFC with a phone to authenticate logins.
One of the most popular is Yubico’s YubiKey 5 NFC is $45 on Yubico (check price on Amazon), a thumb-sized key that once registered instantly works as a second-factor for dozens of services. It can also be tapped against NFC-enabled smartphones (which includes all Android phones) for authenticating logins on smartphones.
“Newer 2FA standards based on special hardware devices like YubiKeys provide extra resilience by using cryptographic techniques to prevent someone else from re-using a code that you typed in,” Duckin says. “If a crook tries to phish your code, it almost certainly won’t work if they then try to use it from their computer.”
For example, YubiKeys need to be tapped before each authentication, in order to verify the user isn’t a remote hacker.
An alternative is OnlyKey ($46.00 on OnlyKey.io, check price on Amazon), which comes with a password manager that stores up to 24 accounts in its offline storage, and unlimited accounts if used with a software password manager. Plug it into a computer during a sign-in and it automatically fills in the relevant login. This additionally protects passwords from keylogger malware that might be covertly installed on sites.
Whatever method you choose, turn on two-factor authentication
Experts agree that it’s important to enable 2FA on your online accounts, whether it’s through SMS, email, app or a physical key. You may find some services only offer SMS second-factor authentication, but “don’t let [the potential for phishing] put you off. 2FA is there to provide an extra hurdle that crooks have to jump over, without removing any hurdles you already have in place,” Duckin says. You can find a list of sites that support 2FA at Two Factor Auth.
Whichever method you use, remember 2FA isn’t a security silver bullet that can override a weak password or hold off an especially interested hacker. Kaspersky Lab security software blocked more than 137 million attempts to visit phishing pages in Q3 last year, an increase of 30 million over the previous quarter. “As more people use 2FA, we could see cybercriminals attempting more sophisticated social engineering techniques or other methods to try and bypass this security mechanism,” Anderson says.
The good news, however, is that the crooks still need to entice you to a bogus website first, says Duckin. Don’t rush logging in, and be extra-wary of emails, messages or pop-ups that lead to external web pages. When entering your login or code online, always check the browser address bar — is the address the one you expected to go to?
Finally, you have another great reason to use that other must-have security feature, a password manager: Not only will it generate and save your hard-to-crack logins, but in case of phishing, your password manager will alert you that the website you’re on isn’t the one you usually use, because it won’t contain a login for the scam site’s URL.