Two-factor authentication explained: Why you should enable two-step security
Passwords can be a real problem. We’re asked to create so many of them that most of us re-use our memorable favourites, which makes them substantially less secure. Long, complex passwords, however desirable, are very much in the minority.
Two-factor authentication (2FA) uses a combination of something you know (your password or PIN) and something you have (a hardware token) to add another security layer to the authentication process. Unfortunately, ‘true’ 2FA costs rather a lot of money, both to implement the system itself and to distribute those hardware devices to every user. This is especially true for free online services such as Facebook, Twitter, Gmail or Dropbox, which have millions of users.
A better name for this security feature is two-step authentication (2SA). Today, two-factor authentication and two-step authentication are used almost interchangeably when talking about securing online accounts, and the name differs depending on which service you’re talking about. At its simplest, they effectively mean the same thing: both refer to adding an extra layer of security to your online accounts. A lot of the time, this involves a passcode being sent to your smartphone.
With two-factor authentication enabled, you log in to your account by entering your username and password as normal. The site will then prompt you to enter a code that is either emailed to you or sent to your phone by text message. This one-time code, or one-time password (OTP), is only valid for a limited time, usually no more than five minutes, and can only be accessed by someone with access to the email address or phone.
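The server side of the flow described above, as an added example that is not part of the original article: a one-time code is issued, kept for a limited time (five minutes here, matching the text), and accepted only once. The in-memory store, the six-digit code length and the cap on wrong guesses are assumptions made for this example; the injectable clock exists so the expiry behaviour can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 300  # five minutes, as the article states
OTP_DIGITS = 6              # assumed code length for this example
MAX_ATTEMPTS = 5            # assumed cap on guesses per issued code


@dataclass
class PendingOTP:
    code: str
    issued_at: float
    attempts: int = 0


class OTPStore:
    """Holds one pending one-time code per user (assumed in-memory design)."""

    def __init__(self, lifetime=OTP_LIFETIME_SECONDS, now=time.time):
        self._pending = {}
        self._lifetime = lifetime
        self._now = now  # injectable clock so expiry can be tested offline

    def issue(self, username):
        # Cryptographically random digits; the caller hands this to the
        # SMS or e-mail sender. It must never be written to logs.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[username] = PendingOTP(code, self._now())
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False  # nothing issued, or already consumed
        if self._now() - entry.issued_at > self._lifetime:
            del self._pending[username]  # expired: force a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]  # too many guesses: discard the code
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[username]  # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    store = OTPStore()
    code = store.issue("alice")
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The three checks in `verify` are the ones that matter in practice: the code expires, it works exactly once, and a wrong guess does not get unlimited retries. Any production version would also keep the store in shared storage rather than process memory.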
Although such 2FA-by-SMS systems have their weaknesses, they undoubtedly add additional strength to the login process. Generally speaking, the reason people give for not making use of optional two-factor authentication systems is the annoyance factor. We’re in a want-it-now society, and nowhere is that lack of patience more apparent than online, where web developers will happily recount tales of research into the short attention span of users.
This is reflected in those who would rather sacrifice security than wait mere seconds to receive a one-time password on their smartphone and type it into an authentication box. Indeed, since most two-factor authentication implementations allow some degree of user configurability, it’s also reflected in people who opt for ‘ask me for a code every 30 days’ rather than ‘ask me for a code every time I log in’.
Here’s the thing, though: think how much time it would take you to recover your Facebook account should it get hacked and someone change the password; think how inconvenient it would be if your email account was used to change the passwords on other services that send a ‘change request confirmation’ to it. Now think how annoying it is, relatively speaking, to enter that one-time SMS password.
How to switch on two-factor authentication
The method for enabling two-factor authentication depends on the site you’re trying to secure. Here’s a set of guides to some of the most popular platforms.