Two-Factor Authentication: Securing your Digital Life (Part 2)
Enable two-factor authentication on your accounts now! In the second part of our three-part series on securing your digital life, we discuss the importance of two-factor authentication, its role in protecting online accounts, and some key security considerations to remember when choosing your second factor.
Introduction
Two-factor authentication (2FA) is critical to account security as it allows users to create extra steps or layers of authentication on top of a traditional password.
Unfortunately, I commonly hear clients describe this extra step as "annoying", "too hard", "inconvenient", and "complicated".
We will discuss why you should protect your accounts with two-factor authentication and how to reduce friction or pain points when setting it up.
What's wrong with just a password?
If you just finished my article about password managers, you're now generating secure passwords for your accounts. So why do you need two-factor authentication?
You're off to a great start, but you're not out of the woods yet. There are many ways to steal a password, which makes passwords less secure than many people think. It can be something as simple as someone watching you type your password in a cafe, an attack known as shoulder surfing.
We also blindly trust the companies we give our passwords to, to do the right thing and store them properly. I have (on more than one occasion) been emailed my password in plain text, just in case I wanted to save it. With one well-executed attack on a company like that, all of those mishandled passwords could be out in the public for anyone to use.
Even more embarrassing is copying your password from your password manager and accidentally pasting it somewhere it shouldn't go. I have definitely sent a password or two in an accidental Teams chat or SMS.
Having two-factor authentication doesn't stop any of these things from happening, but it does mean that a leaked password alone is no longer enough for someone to get into your accounts.
What is 2FA?
The key word in two-factor (or multi-factor, as it's also known) authentication is "factor". You can enable extra factors on your accounts; think of these as extra pieces of evidence you must supply before you can access an account or service.
Each account might allow you to configure a range of factors. They can be grouped into the following categories:
- Something you know - Describes things like passwords and PIN codes.
- Something you have - Describes a device like your phone, a security key like a Yubikey, or even a swipe card for a door.
- Something you are - Describes attributes tied to you as a person, like your retina or fingerprints.
While none of these factors is particularly secure on its own, together they significantly increase the security of your account, because an attacker has to defeat each of them separately.
If you consider a real-world scenario like opening a bank account or applying for a loan, it's not enough to say "I'm Bob"; you also need to provide several other factors like a birth certificate, bank statements, etc., to prove you are who you say you are.
One-time Passwords (OTP)
Most people have probably encountered this type of two-factor authentication. You sign in with your password and are prompted for a code to complete the sign-in process.
This code can be retrieved from a physical authenticator device, a mobile app, or even via SMS or email.
One-time passwords work well because, as the name suggests, each code can only be used once, so a code that someone sees over your shoulder is useless after you've submitted it. They are usually also time-limited, meaning an intercepted code stops working within a short time even if it was never used, which adds a further layer of security.
OTPs, how they work, and how they are generated on a cryptographic level are interesting topics worth reading but are outside the scope of this article.
A note about SMS
Of the common second factors, SMS is the weakest and should only be used when you have no other option. Sending authentication codes over SMS leaves you exposed to SIM swap attacks.
In a SIM swap, an attacker contacts your mobile carrier, impersonates you, and has a new SIM card issued for your number.
Your phone number now belongs to the attacker, who can intercept any codes sent to it, while your own phone silently loses service.
Even changing your phone number (on purpose) without realising the implications could prove devastating if there's no other way to access your account.
Using SMS also makes it hard to share your codes with others, like within an organisation.
2FA in your password manager
Storing OTPs in your password manager is a great way to securely share credentials with members of your organisation, partner or spouse.
It reduces the friction associated with setting up 2FA on your accounts because you only need access to your password manager.
Some people have argued that storing your 2FA codes in your password manager is a bad idea because both factors are stored in the same location.
My counter-argument would be that your password manager should also have 2FA enabled (you'll need to use a separate app or key), so if someone manages to access your master password and 2FA code, you have much bigger problems.
Wrapping Up
Passwords are no longer secure enough to keep your online accounts safe.
Enable two-factor authentication anywhere and get peace of mind knowing that you've given the bad guys another hoop to jump through to access your accounts and data.
Multi-factor authentication is a vast topic, and I have only scratched the surface of its implementations, limitations and uses.
Can I help?
If you need help setting up a password manager or want to discuss something else, please don't hesitate to contact me.
Sources
https://en.wikipedia.org/wiki/SIM_swap_scam
https://en.wikipedia.org/wiki/Authenticator
https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)