What is two-factor authentication (2FA)? And why you REALLY should use it

Posted by Chris Allard on Tue, Apr 07, 2020

The concept is simple: you prove who you are when logging into an account by presenting two different things, something you know (your password) and something you have (your smartphone, for example). A lot of users have caught on to two-factor authentication (also called multi-factor authentication, abbreviated 2FA or MFA), and it adds a lot of security on an internet where passwords alone keep leaking.

Let's be honest, everybody has at least one password they probably know is too easy to guess: their first name and their street address number, their daughter's or son's name and the last two digits of their birthday (with an exclamation point, as if that would help). And even if you're a password-generating master with a complex mental algorithm for each site and account, that password is just one data breach away from being meaningless, because once it leaks, the attacker KNOWS it too.

Especially given the magnitude of the data breach dumps now freely available on the internet (literally billions of exposed accounts over the years), having a second step to authenticate yourself is just smart.

The short explanation of how the most common implementation of 2FA works: after you've proven you KNOW the right thing (your password), you're prompted to prove you HAVE something as well, usually a one-time code that is either sent to you or generated by a device in your possession. A stolen password on its own is then not enough to get in. It's technically more complex than that, but that's the idea.

Fortunately, it's so much easier than ever before to use 2FA, which honestly used to be kind of a nightmare. Here we'll go over some methods you can use and the pros and cons of each.

SMS (Text Message) Authentication

You've probably already used this method: you log in, the service wants to confirm it's you (even though you entered the password correctly), and it texts you a code that's valid for a short time. This is the most common way of delivering the second proof of identity when you enable 2FA on many accounts. It's easy, and as long as you have your phone, it works well. Essentially the service generates a one-time code and sends it to you.

The main drawback is that SMS is the weakest of the options here, because the code is only as safe as your phone number. Anyone who already has your phone gets your codes; so does anyone who can talk your carrier into moving your number to a new SIM (a SIM swap or port-out attack), or who can change the phone number on the account because the service makes that too easy. Worst case, the text is intercepted in transit, or you type the code into a convincing phishing page that relays it to the real site while it's still valid (a man-in-the-middle attack).

Authenticator Apps

You'll need a "smart" mobile device for this option. When you add an account, the service shares a secret key with the app (usually by scanning a QR code); from then on the app combines that secret with the current time to produce a one-time code, typically six digits that change every 30 seconds, and the service does the same math on its side to check what you type. No text message is involved, so a SIM swap doesn't help an attacker, and the app works without a network connection. You simply download an app from your app store (the ones we recommend are listed below) and start adding accounts; once they're added, you'll see the codes refresh every 30 seconds, and you use the current one as your second factor to log in.

Each of the recommended apps here has a backup-and-restore feature, so you can keep your tokens in case anything happens to your device, or use the same tokens on multiple devices. Keep in mind that a backup holds the same secrets the app does, so protect it with a strong, unique password.

 

Authy: available for Android, iOS, Windows, MacOS, and Chrome

Microsoft Authenticator: available for Android and iOS

Google Authenticator: available for Android and iOS

Physical Security Key

These are AWESOME. They are basically a small USB, Lightning, or NFC-connected device that holds a private key and, when you touch it, signs a challenge from the site to complete the second step for you; nothing is ever typed. This is by far the most secure option: the key supports several authentication standards (FIDO U2F and FIDO2/WebAuthn among them), the private key never leaves the device, and since there's no code to read, nothing can be picked up by an "over-the-shoulder peek" or any other kind of eavesdropping. Better still, with U2F/WebAuthn the signed response is tied to the website's real address, so a look-alike phishing site can't relay it to the real one the way it can relay an SMS or app code.

Our favorite example would be the YubiKey 5 NFC, which works over NFC with NFC-enabled iOS and Android devices in apps that support security keys, and plugs into any Windows, Mac, or Linux computer with a USB Type A port. YubiKeys, in our experience, are some of the easiest security keys to set up, and they're durably built, since you'll probably carry one on a keychain or in your pocket.

If you aren't sure whether your Android or iPhone/iPad can talk to a security key over NFC, the YubiKey 5Ci is a dual USB-C and Lightning security key that plugs straight into either kind of device, in apps that support it.
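To make the "tied to the website's real address" point concrete, here is an added example, not YubiKey's, any browser's or any site's code, that models in Python the checks a site performs on a security-key sign-in under FIDO2/WebAuthn. It is deliberately simplified: no CBOR or attestation, one hard-coded key pair instead of a credential lookup, and it assumes the third-party `cryptography` package is installed. The site names, the challenge and the counters are constructed for the demo. The browser, not the web page, writes the page's origin into the data the key signs, so a response produced on a look-alike site fails the origin check, and rewriting that response to fix the origin breaks the signature.

```python
import hashlib
import json
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Constructed relying party: the real site's identifier and origin.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"


def register_key():
    """Stand-in for registration: the key mints a P-256 key pair for this site and the
    site stores only the public half. (A real key also scopes the credential to RP_ID.)"""
    private_key = ec.generate_private_key(ec.SECP256R1())
    return private_key, private_key.public_key()


def authenticator_sign(private_key, page_origin: str, challenge: str, counter: int):
    """Client side (browser + key). The browser writes the page's origin into
    clientDataJSON and hashes the rpId it derives from that origin; the key then signs
    authenticatorData || SHA-256(clientDataJSON) and bumps its signature counter."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0]  # host part of the origin
    auth_data = (hashlib.sha256(rp_id.encode()).digest()      # rpIdHash (32 bytes)
                 + b"\x01"                                    # flags: user present (touch)
                 + struct.pack(">I", counter))                # signature counter
    signature = private_key.sign(
        auth_data + hashlib.sha256(client_data).digest(), ec.ECDSA(hashes.SHA256())
    )
    return client_data, auth_data, signature


def relying_party_verify(public_key, expected_challenge: str, client_data: bytes,
                         auth_data: bytes, signature: bytes, last_counter: int) -> bool:
    """Server side. Every field checked here is covered by the signature, so a relay
    cannot patch up a response captured on the wrong origin without breaking it."""
    try:
        data = json.loads(client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("challenge") != expected_challenge:     # fresh, single-use challenge
        return False
    if data.get("origin") != RP_ORIGIN:                  # the anti-phishing check
        return False
    if len(auth_data) < 37:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if not (auth_data[32] & 0x01):                       # user-presence flag must be set
        return False
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:                          # replay / cloned-key detection
        return False
    try:
        public_key.verify(signature, auth_data + hashlib.sha256(client_data).digest(),
                          ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    priv, pub = register_key()
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; a server would use fresh random bytes
    genuine = relying_party_verify(pub, challenge, *authenticator_sign(priv, RP_ORIGIN, challenge, 1), 0)
    phished = relying_party_verify(
        pub, challenge, *authenticator_sign(priv, "https://bank-example.com", challenge, 2), 0)
    print("real site:", genuine, "| relayed from look-alike site:", phished)
```

Compare this with the SMS and app flows above: there the site only ever sees six digits and has no way to tell whether you typed them into the real login page or into a copy of it. Here the site sees where the response was produced, and a real browser will only hand a credential to the site it was registered for in the first place.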

Now that you know a little bit about MFA/2FA and why it is a good idea, go try it out on any account that holds your personal, financial, business, or medical information. Those are the MOST critical online accounts to protect, along with the email account that can reset the passwords for all of them.

And if you use the same password to log in to more than one of those accounts (stop that!), also take this chance to change it to a unique one for each, and change a password again whenever the service it belongs to gets breached.

 

There are plenty of other authenticator apps and security keys out there, but these are the favorites we've used. Do you have another recommendation for one that you've loved? Let us know with a comment.

Photo used Courtesy of Flickr user Blue Coat Photos

Tags: privacy, Security, internet security, remote work, encryption, 2FA, Multifactor authentication, 2-factor authentication, MFA