Better than the best password: How to use 2FA to improve your security
For added security when signing in to high-value services, enable two-factor authentication. It will spare you the pain of having your online accounts hijacked.
To make it easier for you, we’ll go through how to set up 2FA and help you decide which accounts to prioritise.
Are you one data breach away from having your world turned upside down? Passwords are the problem: they’re just not robust enough to secure our valuables.
Don’t think for a minute you can fall back on the statement “but I have a complex, ultra-long, unique password. I’m safe”. You may have a password so complex it takes a good 5 minutes to type in. But it won’t keep your account safe if the service that stores your password neglects proper password storage. Next thing you know their server is breached and the criminals know your password. It happens quite often.
Similarly, even if there are pretty good security policies in place such as:
Passwords changed regularly
No reused passwords
Unfortunately, people are still the weakest link in the chain, and that’s due to social engineering. Social engineering can fool even the most intelligent people, tricking them into giving up their credentials on a phishing site or even over the phone.
So, what’s the solution? It’s two-factor authentication, or 2FA for short. Others call it multi-factor authentication or two-step verification.
A 2019 report from Microsoft found that 2FA really works: it blocks 99.9% of automated attacks, which is impressive. A separate report from Google reached similar conclusions.
So Microsoft recommends using multi-factor authentication whenever a service provider supports it, even in its most basic form of one-time passwords sent by SMS.
This article will help to answer some of those common questions about 2FA.
HOW DOES 2FA WORK? ISN’T IT INCONVENIENT?
By switching on 2FA, the security requirements for that service change: at least two proofs of identity must be confirmed when accessing the service for the first time from an unknown device. Once you tick the box to trust the device for 30 days, 2FA prompts become only a monthly requirement on a device you use regularly.
The two forms of authentication can come from any combination of:
A password or PIN
Fingerprint or other biometric ID
Your phone, which generates or receives codes, or a hardware-based security device
In general, the 2FA systems you see today use the first option (your password) and the last (your smartphone). Smartphones are an easy choice, as most people have one.
So the smartphone comes in handy for obtaining a code. This happens in one of two ways: the code is either sent as a text message by the service or generated by an app such as Google Authenticator.
Below is an example of 2-step verification (2FA).
Let’s say this sign-in request came from a person who had stolen my Google account credentials; they couldn’t go any further. They can’t continue the sign-in process without the code sent by text or shown in Google Authenticator on my phone.
In addition, most services offer backup recovery codes, which you can print and store in a safe place. If for some reason your secondary authentication is offline, say your smartphone is lost or stolen, you can rely on the recovery codes.
WHICH AUTHENTICATION METHOD IS BEST?
I recommend using an authentication option that you like. As long as you have two options like those we’ve explained, there’s less risk of being locked out of your own account.
But most importantly, choose an authenticator app rather than codes via text message whenever you can, for good reason. Firstly, with weak mobile coverage you may be able to use the internet but not receive text messages. Secondly, there’s a slim chance an attacker will break through your mobile carrier’s defences and acquire a SIM card with your phone number. It’s called “SIM-jacking” (also known as SIM swapping).
The popular 2FA app Google Authenticator is available for both iOS and Android, but there are plenty of others on the market, and some people use multiple authenticator apps. One alternative is Microsoft Authenticator, which can receive push notifications for personal and business accounts on Microsoft’s platforms. Another is 1Password, which integrates 2FA support into the same app that manages passwords, making for a seamless sign-in.
Your authenticator app only requires a data connection during the initial configuration of an account. Once it’s set up, everything happens on your device. The codes are governed by an algorithm called Time-based One-Time Password (TOTP): the online service holds the same shared secret and its own clock, generates the expected code for the current time, and compares it against what you enter.
HOW DO I KNOW WHICH SERVICES SUPPORT 2FA?
2FA is fairly commonplace today compared to a decade ago, so many services offer it. For instance:
Google accounts, both consumer Gmail and business G Suite accounts, offer a wide range of 2FA options.
Microsoft accounts, including free outlook.com accounts, Xbox and Skype, all support a range of authentication options, as do the business accounts in Azure Active Directory used with Microsoft business and enterprise services, including Microsoft 365 and Office 365.
2FA support is also widely available on social media accounts like Facebook, Instagram, Twitter and the like, so we can surmise that any service worth considering supports 2FA. Domain registrars like GoDaddy and web hosting companies worth our consideration also support it. If you’re unsure whether the service you want supports 2FA, the best place to check is the open-source information repository called the Two Factor Auth List. If a service doesn’t support 2FA, it might be worth looking for a different provider, or switching if you’re already with that service.
WHICH SERVICES SHOULD I PROTECT FIRST?
1. Password/identity managers. Consider using a password manager to make sure your passwords are strong and unique for each service. Then add 2FA as your secondary defence.
2. Microsoft and Google accounts. Both services support 2FA, and it’s really important for these accounts. It’s also easy to do.
3. Email accounts. If threat actors are able to take over your email account, they can do a lot of damage, because email is where providers send your password reset links. In addition, fake messages sent from a compromised account can go on to try to fool friends and co-workers, for instance by sending malware-laden attachments.
If you use Outlook.com, Exchange Online, Gmail or G Suite, your email account uses the identity verification method associated with your Microsoft or Google account. If you use a different email service, you will need to set up 2FA separately.
4. Social media accounts. Similar to email, a big risk with a hacked social media account like Twitter or Facebook is that it will be used to target your connections, friends and family. You should protect these accounts even if you don’t post on the site regularly.
5. Banks and financial institutions. Most banks and credit card companies have made significant investments in back-end fraud detection programs, which is why their 2FA options are typically limited compared with other categories. Nevertheless, it’s worth investigating your banking security settings and tightening them as much as you can.
6. Shopping and online commerce. Any site where you’ve saved a credit card number should be secured.
HOW DO I SET UP 2FA?
If you’re not technically minded, don’t worry: setting up additional security requires minimal tech skills. All you need to know is how to use a smartphone camera, type a PIN and tap OK. That’s about as technical as it gets. However, you will need to find the page where you can change your security settings.
Firstly, if you’ve opted to receive SMS messages, associate your mobile phone number with your account.
If you prefer, you can use a virtual phone line, like a Google Voice number, that can receive SMS messages. Whenever you sign in on an untrusted device, the account will send a code to that number, but you have to configure it that way initially. For example, this is what it looks like when you set it up on Twitter.
Setting up 2FA on a Twitter account (SMS Message)
Step 1 – Re-enter your password.
Step 2 – Enter the phone number where you want to receive authentication codes.
Once the process is completed, you’ll receive a code on that device.
Step 3 – Enter the code to confirm you received it.
2FA setup is complete.
Twitter will automatically provide a recovery code at the end of this setup process.
Step 4 – Print it out and file it in a safe place.
You’ll need this in the event your primary 2FA method no longer works.
Setting up 2FA with an authenticator app
Step 1 – Install the app on the mobile device you want to use as your second authentication factor.
On iOS devices, get the Google Authenticator or the Microsoft Authenticator app from the App Store.
On Android devices, install the Google Authenticator or the Microsoft Authenticator app from the Google Play Store.
If you use the LastPass password manager, consider installing the LastPass Authenticator app, which is designed to work with the LastPass app on mobile devices and the desktop.
If you use 1Password as your password manager, 2FA support is built into the 1Password app on all platforms. For details on how to use the One-Time Password feature, see this 1Password support page.
Once you’ve successfully installed the app on your device:
Step 2: Set it up to work with each account where you have enabled 2FA.
Step 3: The setup process typically requires that you enter a shared secret (a long text string) into the mobile app,
Step 4: or use the smartphone camera to scan a QR code, which contains the shared secret for your account.
Here’s an example for Dropbox.
Step 5: In your authenticator app, choose the option to add a new account, choose the barcode option, aim the smartphone at the QR code on your computer screen, and wait for the app to fill in the necessary fields.
After you set up the account in the authenticator app, it begins generating codes based on the shared secret and the current time.
Step 6: To complete the setup process, enter the current code from the authenticator app.
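To make the TOTP mechanism concrete (the app and the service sharing a secret and both deriving the same code from the current time, as described in the authenticator section above and in step 5), here is an added Python example. It is not code from the original article or from any authenticator app or service; it is a minimal RFC 6238 implementation of the two sides of the exchange. It generates a constructed shared secret, builds the otpauth:// URI that an enrolment QR code encodes, produces the six-digit codes the app would show, performs the server-side check with a small clock-drift window, and generates one-use recovery codes of the kind the setup process hands you. The issuer and account names are hypothetical; the RFC test-vector secret is included only so the output can be checked against the published values.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional
from urllib.parse import quote

STEP_SECONDS = 30   # the 30-second window most services and apps use
DIGITS = 6          # length of the code shown in the authenticator app

# RFC 4226 / RFC 6238 test-vector secret (the ASCII string "12345678901234567890"),
# base32-encoded the way an enrolment page would present it. Test data only.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(num_bytes: int = 20) -> str:
    """Generate a fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, issuer: str, account: str) -> str:
    """Build the otpauth:// URI that the enrolment QR code encodes (issuer/account are hypothetical)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode the secret, restoring the '=' padding that enrolment strings usually omit."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / 30). This is what the app displays."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(_decode_secret(secret_b32), t // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, at_time: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check: recompute the code from the same secret and the server's own clock.

    Accepts `window` steps either side of the current one to tolerate small clock drift on the
    phone, and compares in constant time so a mismatch does not leak which digits were wrong.
    """
    t = int(time.time()) if at_time is None else at_time
    key = _decode_secret(secret_b32)
    counter = t // STEP_SECONDS
    cleaned = submitted.replace(" ", "").strip().encode()   # users often type "287 082"
    return any(hmac.compare_digest(hotp(key, counter + d).encode(), cleaned)
               for d in range(-window, window + 1))


def new_recovery_codes(count: int = 8) -> List[str]:
    """One-use backup codes to print and keep offline; a service should store only hashes of these."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]


if __name__ == "__main__":
    secret = new_secret()
    print("QR code content:", otpauth_uri(secret, "ExampleService", "alice@example.com"))
    code = totp(secret)
    print("Code the app shows now:", code)
    print("Server accepts it:", verify(secret, code))
    print("Recovery codes:", new_recovery_codes(3))
```

With the RFC test secret, `totp(RFC_TEST_SECRET, 59)` yields `287082`, the last six digits of the value RFC 6238 lists for time 59, which is a quick way to confirm that the app side and the service side of this code agree with any standards-compliant authenticator. The `window` parameter is the practical reason a code typed a few seconds after it changed still works.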
Remember, when you sign in from a new device or web browser, that’s when you’ll need to enter the current code displayed in the authenticator app.
If you use older email apps that don’t support modern authentication with an account protected by 2FA, your normal password won’t work anymore. For use exclusively with those apps, you’ll need to generate special app passwords; your account security settings should guide you through that process. However, if you are using an old app that requires an app password, consider replacing it.
You should also generate one or more recovery codes as part of the 2FA setup process, then print them out and store them in a safe place. As said earlier, they allow you to regain access to your account in the event your smartphone is lost or damaged.
HOW DO YOU TRANSFER 2FA ACCOUNTS TO A NEW SMARTPHONE?
If you use SMS text messages as your second factor, there’s no need to worry when you buy a new smartphone: transferring your number to the new phone seamlessly transfers your 2FA setup too.
Apps such as 1Password and Authy allow you to generate codes on multiple devices.
For Google Authenticator and similar apps, however, you’ll need to manually re-create each account on the new device. Follow the steps for setting up 2FA with an authenticator app on your new device, and repeat the setup for every account you used with your old phone.
Once you set up an account in the authenticator on your new smartphone, the old device no longer generates valid codes for it.
2FA is very good at stopping attacks before anything can happen, but it’s not foolproof. If someone really wants to get into your account and you’re targeted, they’ll find a way. At least with 2FA you’re adding a layer of security, and the attacker will need to enter via another avenue, such as hijacking the email account used for recovery or redirecting phone calls and SMS messages to a device they control. On the other hand, if someone wants to get into your account that badly, you’ve maybe got a bigger issue.
Certainly, I recommend adding 2FA to your accounts for that secondary layer of security. Better to have a deadbolt on the door than to leave the door partially open.