5 things you should know about two-factor authentication

Here are the basics to help you stay secure online

One of the best pieces of security advice any computer expert can give you is to enable two-factor authentication for websites that support it. With password breaches so common nowadays, it could be the one thing that keeps hackers from stealing your identity online. Here are five points to help you understand this technology.

Two-factor authentication or two-step verification?

A lot of people think they're the same thing, but that's not really accurate.

There are three types of authentication factors: something you know, such as a password or PIN; something you have, such as a mobile phone or a special USB key; and something you are, such as your fingerprint or other biometric identifier.

While two-factor authentication combines two different factors, two-step verification uses the same factor twice, for example a password and a one-time-code sent via email or SMS.

You might think a code sent to a phone qualifies as a second factor, since the phone is something you physically have, but SMS is insecure and the code can be intercepted. From a security risk perspective, that makes it similar to a password.

While two-factor authentication is more secure than two-step verification, both are better than relying on a single password. So regardless of which one is on offer, take advantage of it.

One account that rules them all

If there's one online account that's worth protecting above all others, it's your email. That's not just because it contains your private conversations, but because it serves as a gateway to your other accounts.

Most online services ask users to sign up with email, and rely on that to reset passwords and send important communications. An attacker with access to your email can search for old registration emails and find out where you have accounts online. He can then reset passwords and communicate with technical support staff at those websites.

Start your adoption of two-factor or two-step authentication by turning it on for your email. All the large email providers including Gmail, Yahoo and Outlook offer this.

I did that, now what?

If you're using a password manager, make that your next priority. The most popular password managers have a two-factor authentication option.

Then enable it at other sites. Many popular services support two-factor authentication, including Facebook, Twitter, Apple ID, iCloud, Amazon, PayPal, LinkedIn, Snapchat and WordPress.com. Mobile identity provider TeleSign has set up a website at www.turnon2fa.com with detailed tutorials for enabling two-factor authentication at many of those services.

To trust or not to trust

Most websites that support two-factor authentication allow users to mark devices as trusted when they authenticate for the first time using both factors. This essentially disables two-factor authentication for those trusted devices, and allows the user to authenticate with only their password in future.

This is good for usability, but it's not great for security. If you turn off two-factor authentication for a trusted device, you can make it easier for hackers to access your accounts, so you should be aware there is a trade-off.

Read more: 'Businesses must work harder to be seen as digitally trustworthy in the eyes of their customers'

There's also the fact that if you lose your phone or computer, you can't be certain that the thief won't find some way to unlock it.

Fortunately, most websites give users the option to remove any of their previously trusted devices in case they are lost or compromised, so keep that in mind.

Do I risk locking myself out?

In most cases, your phone will be central to your two-factor authentication experience. It will be used either to receive codes by SMS or to generate them using special apps like Google Authenticator. But phones are easily lost, stolen or broken.

The good news is that most online services have contingency plans for those scenarios. Some companies allow users to specify a backup phone number that can be used for account recovery. Others provide backup codes when turning on two-factor authentication that can be printed on paper and kept in a safe place.

If these options fail, you will most likely have to call or email the company's technical support department and prove the account is yours, for example by providing information about the account that only you would know. Either way, getting completely locked out of an account is extremely rare.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitytwo factor authentication

More about AppleFacebookGooglePayPalTwitterYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place