Two-factor authentication explained: Why you should enable two-step security

Passwords can be a real problem. We’re asked to create so many of them that most of us re-use our memorable favourites, which makes them substantially less secure. Lengthy and complex passwords, however desirable, are very much in the minority.

Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer into the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money to both implement the system itself and to distribute those hardware devices to every user. This is especially true when you are talking about free online services such as Facebook, Twitter, Gmail or Dropbox, which have millions of users.

A better name for this security feature is two-step authentication (2SA). Today, two-factor authentication and two-step authentication are used almost interchangeably when talking about securing online accounts, and the name differs depending on what service you’re talking about. At its most simple, they effectively mean the same thing and both refer to adding an extra layer of security to your online world. A lot of the time, this will involve being sent a passcode to your smartphone. 

Two-factor authentication

With two-factor authentication enabled, you log in to your account by entering your username and password as normal. The site will then prompt you to enter a code that is either emailed to you or sent to your phone by text message. This one-time code, or one-time password (OTP), is only valid for a limited time, usually no more than five minutes, and can only be accessed by someone with access to the email address or phone.
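As an added illustration, not code from the original article, here is a hypothetical server-side helper that shows the two properties just described: a code is accepted exactly once, and only within its five-minute lifetime. It also locks a code after a few wrong guesses. The class and function names are assumptions; a real service would hand the issued code to its SMS or email sender rather than returning it to the caller.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 5 * 60   # codes expire after five minutes, as described above
MAX_ATTEMPTS = 3                # discard a code after this many wrong guesses


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Hypothetical issuer/verifier for SMS- or email-delivered one-time codes."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._pending = {}       # username -> PendingOtp (one live code per user)

    def issue(self, username: str) -> str:
        # Six digits from the OS CSPRNG; never use the 'random' module for this.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = PendingOtp(code=code, issued_at=self._clock())
        return code  # in a real system this goes to the SMS/email gateway only

    def verify(self, username: str, submitted: str) -> bool:
        entry = self._pending.get(username)
        if entry is None or entry.used:
            return False                       # nothing outstanding, or already spent
        if self._clock() - entry.issued_at > OTP_LIFETIME_SECONDS:
            del self._pending[username]        # expired: force a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]        # too many guesses: force a fresh code
            return False
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(entry.code, submitted):
            return False
        entry.used = True                      # accepted once; replays fail from now on
        return True
```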

Although such 2FA-by-SMS systems have their weaknesses, they undoubtedly add additional strength to the login process. Generally speaking, the reason people give for not making use of optional two-factor authentication systems is the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.

This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone to type into an authentication box. Indeed, with most two-factor authentication implementations allowing some degree of user configurability, it’s also reflected in people who would rather opt to ‘ask me for a code every 30 days’ than ‘ask me for a code every time I login’.

Here’s the thing, though: think how much time it would take you to recover your Facebook account should it get hacked and someone change the password; think how inconvenient it would be if your email account was used to change the passwords on other services that send a ‘change request confirmation’ to it. Now think how annoying it is, relatively speaking, to enter that one-time SMS password.

How to switch on two-factor authentication

The method for enabling two-factor authentication depends on the site you’re trying to secure. Here’s a set of guides to some of the most popular platforms. 

The problem with 2FA

Google rightly insists that two-step authentication adds an extra layer of security to Gmail, but it’s wrong when it claims hackers would need to ‘get hold of your phone’ as well as your password in order to access your account.

SMS one-time passwords (OTP) are vulnerable to man-in-the-middle (MITM) attacks because they are what is known as an ‘insecure out of band method’, and the sender of that OTP can’t know for sure that the real user has possession of the handset to which it is being sent.


In the case of 2SA, the “something” you have could actually be something someone else has (a thief) or something someone else has access to (a MITM attacker). The MITM attack needs you to have first been lured to a fake website that has cloned the real deal, into which you enter your login credentials. The clone site will often ask you to enter them again, claiming they were entered incorrectly. This isn’t seen as suspicious as we all make typos, but actually, the clone site is just playing for time while it contacts the real site with your credentials. The real site will then send the OTP to your smartphone, you’ll enter the generated code into the clone site and the hacker will enter it into the real site.

Still with us? Good, because your account will now have been compromised. The clone site buys yet more time by displaying some error message or other, during which the hacker will either make a transfer from the account, change the password or do whatever they need to make a profit from the attack.

So while 2SA does provide welcome added security, it isn’t foolproof. This means that you should still implement security smarts by not re-using the same passwords on multiple sites, not clicking first and thinking later, and making use of security tools to alert you about potential URL misdirections.

The next step

Various services use their own two-step authentication methods, but most follow a similar pattern. To see for yourself how it works and how to set it up, follow our tutorial on how to set up two-step authentication in Gmail.
