What is 2FA?
2FA (Two-Factor Authentication) is an extra security step that protects your account. After you enter your email address and password, the site asks for a second proof that it is really you: a code sent to your phone or email, a tap on an approval prompt on your phone, or a physical security key plugged into (or tapped against) your computer.
It is one more hurdle between you and your account, but it is an important one. You can do everything else we discussed and still be exposed: websites suffer data breaches, and someone who gets your email and password from one can try to log in as you. With a second factor in place, a stolen password alone is not enough to get in.
You are also alerted when someone else tries to get into your account, because the 2FA prompt fires for a login you did not start. That is your signal to change that account's password right away, since whoever triggered the prompt already has it. And since all your passwords are different, there is no need to go and change the passwords on multiple accounts.
Different Types of 2FA
The most common form of 2FA, and usually the one an account enables by default, is email verification: a code or link is sent to the email address on file. Websites use this as the default because everyone has an email address, but it is not the most secure option, since anyone who has already broken into your email account receives the code too.
The second form is SMS/text message verification. You usually have to opt in to this one, because a phone number may carry a cost for the site, but since SMS messages arrive on your phone and most people keep their phones with them, it is convenient.
- One thing to note is that SIM swapping can defeat this. SIM swapping is when someone takes over your phone number by contacting your mobile provider, pretending to be you, and claiming you need a new SIM card; your texts, including your 2FA codes, then arrive on their phone. This is a form of Social Engineering, and there are people who practise it.
- Social Engineering is used to "hack" a person rather than a machine. It involves pretending to be someone else in order to get information or access that you normally should not have. The Social part is that the weak point is not a computer: the attacker's goal is to make another person think what the attacker wants them to think.
The third form is security questions. When you set up your account, you are often asked to choose security questions to answer in case you need to reset your password or are locked out. Strictly speaking these are a second thing you know, like a password, rather than something you have, so they are the weakest option here. To make them useful, you should not answer them honestly. If you choose "What town were you born in?", the instinct is to enter the real answer. Instead, put something completely random and store that answer in your password manager alongside the password for that account.
- With a little research, an attacker can look at your Facebook profile to see if you put a hometown in your bio, or look you up on a People Finder website that may have that information. It may cost them a few dollars to pay for the info, but if they can make money off your account, it is worth it to them, and what they find becomes the script for a Social Engineering call to your provider.
The fourth form is an authenticator app such as Authy. These apps take more work to set up, but they generate codes for your accounts that change every 30 seconds or so. You can even keep a dedicated device for this, and nobody else can use its codes. When you enrol, the account gives your app a secret (usually as a QR code), and every code is computed from that secret and the current time. A hacker who installs the same app does not have your secret, so their app produces different codes. The flip side is that the secret is the whole game: anyone who scans or copies that QR code can generate your codes, so do not leave it lying around, and a code you type into a fake login page can still be replayed by the attacker while it is valid.
The last, and one of the most secure, forms is an external USB security key as the authenticator. YubiKey is the key I personally use for my accounts, and I have it on me at all times. It cannot be phished or copied remotely: it is a physical object, so an attacker would have to steal it, and modern security keys check which website is asking, so they will not answer a look-alike phishing page. The same physical nature means you should register a backup key or keep recovery codes somewhere safe, because losing your only key can lock you out too. Some of these keys can even store passwords on them in case you need one quickly.