What Is 2FA and Why You Should Care
We’re continuing our new series of interviews with Clario security experts to offer you the latest essential tips and advice on staying safe online.
This time, we’ll talk about 2FA, or two-factor authentication, and its importance, especially in times as uncertain as these. No one knows for sure how the COVID-19 pandemic will affect our digital rights, but activists are already concerned about governments using the coronavirus as a way to invade our online privacy.
We interviewed our CIO, Aleksandr Maklakov, about how 2FA works and why setting it up sooner rather than later can protect both your finances and your peace of mind.
So tell us, what is multi-factor authentication or MFA?
There are three factors of authentication involved:
- Something I know
- Something I have
- Something I am - so this can be a biometric, such as a voice or retina scan
A combination of any two of these three factors is called two-factor authentication, or 2FA.
For example, take contactless payments. If you want to pay with your phone, you have to unlock it first. Here, the first factor is something you have - your phone. The second factor is the PIN or biometric scan you use to unlock your device.
And has 2FA ever saved you from a security breach?
Oh, absolutely! My personal email has been attacked quite a few times. At least once a year, Google warns me someone has tried to log into my email account. But I have 2FA enabled on all my accounts, so I have nothing to worry about.
I strongly recommend everyone set up 2FA as soon as possible, especially for your email. After all, your email account is the entrance gate to the fortress of your digital security. You have to put extra effort into protecting it.
If cybercriminals get access to your email, they can access all the accounts you’ve logged into when using it. The easiest way for them to break into these accounts is by clicking the Forgot Your Password button, then following the Reset Password link in the email the service sends.
What are the most popular 2FA methods?
I’d say it’s the combination of a password and the second factor - your phone or a one-time password (OTP) that is valid for up to 60 seconds.
But passwordless authentication (when you have to confirm your login via your smartphone or another device) is becoming popular. You enter your password on one device, and you receive a push notification on another one. You then have to click on this to log in.
Are there any types of 2FA thought to be either the most or least secure?
Using SMS for 2FA has long been considered unsafe for a couple of reasons. Firstly, text messages are sent through insecure channels. Secondly, it’s very easy to intercept them.
In fact, anyone can buy specialist equipment for as little as 300 US dollars, drive up to a cellular tower, and use this technology to intercept all text messages. In addition, texts can be read via malicious applications, which can be installed on your mobile phone.
Security keys offer the most secure 2FA. The keys, inserted in a USB port, connect with your phone or computer through Bluetooth and generate a special random key combination. To date, this type of authentication is deemed the most secure.
This certainly seems secure. But does every account need this kind of protection?
Not exactly. But if we’re talking about personal usage, there are types of accounts where 2FA is critically important:
- A password manager
- Social media profiles
- Bank accounts
What do you do when the second factor is your phone, and it’s dead, there’s no service, or you just don’t have it on you?
2FA can certainly give you a headache when you travel. Lots of services will detect you’re trying to log in from an unfamiliar location, so they will try to verify it’s really you. But you may have no mobile internet or be unable to receive a push notification.
What if you lose your second factor?
It depends on the service, and that’s when things can get complicated. For instance, Google Authenticator doesn't sync between multiple devices. So, if you lose your phone, you have to somehow restore all your passwords and associate them with your accounts all over again.
Google and Facebook give you lists of 10-12 backup codes you can print out and physically keep in a safe place. If you indicate that your second factor is not working, they will ask you to enter a code from the list.
Google also provides alternative authentication methods - a telephone call or a text message - which can only be used once. Still, you can use your alternative email for recovery.
What is the easiest and the fastest way to set up 2FA?
That would be to choose a safe password and set up a One Time Password (OTP), which is used everywhere nowadays. I recommend against using text messages, as they’re considered insecure. The easiest option is to use an OTP along with an authenticator app like Google Authenticator.