Online security can feel a bit like an arms race sometimes, and it may seem like there’s always something new to keep track of. But many of the more tried-and-true security principles and methods have been around for a while, they just take a while to become more mainstream.
One of these methods is called “two-factor authentication,” a rather jargon-y sounding phrase for something that’s actually pretty simple and can help secure your information online in a big way. But if the phrase “two-factor authentication” sounds like something that doesn’t concern you – or like something you could never figure out – I assure you that’s not the case, no matter how tech-savvy you are (or aren’t).
(If you’re looking for a technical discussion of how 2FA works in depth, I heartily recommend Chester Wisniewski’s 2FA article here.)
Two-Factor Authentication, in a teeny tiny nutshell
Put simply, two-factor authentication is when you prove who you are to a website or service using two out of the three things below:
- Something you know — like a password
- Something you have — like a numerical key code
- Something you are — like a fingerprint
Colloquially, what many people mean when they say “two-factor authentication,” or 2FA, is when a website asks you to type in a code after you’ve already entered your password.
It’s very likely you’ve encountered 2FA quite a bit in your life already. Many of us who’ve worked in the corporate world at some point have carried a small key fob or token with us, and typed in the displayed numbers when logging in to a core work system.
Similarly, if your favorite shopping or banking website has been asking you to verify your identity by typing in a numerical code SMSed to your mobile number, that’s 2FA at work.
Why isn’t a password enough? And what about security questions? How many more factors do we need?
Security works in layers. Think of a medieval castle – these castles never relied on just one thing to protect them. They were built in naturally defensible locations, and had strong doors, drawbridges, high towers, heavy stone walls, and more.
Even if one of these protective factors failed during an attack, the castle had many other features in place to keep up its defense.
The same idea applies when it comes to keeping your information safe on websites and applications you use every day. Cybercriminals are always thinking of new ways to try to obtain sensitive information, so in defense we make sure we have more sophisticated measures in place to stop them.
2FA is an additional layer of security on top of man existing methods such as passwords. The more layers of defense in place, the harder a bad guy has to work to get at your information. (And with so many other easier targets in place, s/he may decide you’re not worth the effort.)
In other words, adding another factor reduces the risk of someone trying to pretend they’re you and access your information without your consent. But no, this method isn’t foolproof and it doesn’t guarantee complete security – a major provider of two-factor authentication key fob tokens was famously hacked back in 2011, and there have been some attacks recently that use fake 2FA verification messages – nothing can completely eliminate risk, unfortunately. But it is certainly more secure than using just a password alone.
How do I use 2FA on websites and services I visit?
Many popular websites – like email, shopping and banking – often already have 2FA available to use. (And if you don’t log in to the website at all and don’t have an account there, you don’t need to worry about 2FA!)
Each website has its own process for enabling 2FA on your account, but generally the first step is to log in to your account on the site, go to a settings menu, and look for a “security” area. For the most part, this process will require you having your phone handy as you will need to register it to your account and verify that you own the phone, usually by typing in a code that’s texted to you.
In other cases, the website may ask you to download what’s called an authenticator app – it will tell you specifically which one, as there are many – and then type in a numerical code generated on the app.
(If you need a bit more guidance on how to set up 2FA, we’ll have a number of guides published shortly for major web services that will walk you through it, step by step.)
All that said, 2FA isn’t ubiquitous yet. So there is a chance a website you use doesn’t have it.
One resource I like to use to check if 2FA is available is the Two Factor Auth List, which lists a lot of commonly-used websites and whether or not 2FA is available there. (And if your site of choice doesn’t have 2FA yet, the list has a handy button to tweet at the site to encourage them!) While the number of sites supporting 2FA is growing, we still have a way to go.
I hope this helps shed a bit of light on 2FA and how it can help keep your accounts out of the wrong hands. Are you going to give it a try?
Bryan
Good castle metaphor, but you didn’t mention alligators in the moat–which of course can reach the sewers from there. It’s how they work their shifts.
Reader
I can’t figure out how to activate 2FA on eBay. Can you please walk me through the process?
Paul Ducklin
We’re planning a follow-up series on individual 2FA systems…not sure if eBay is one, but we’ll take your comment as a vote :-)
mr a roddis
I use two step verification on Pay Pal and G mail, before I can log in I get a code by text to my phone.
Abbe Sillie
Make sure not to bring in biometrics forthe two-factor schemes.
It is now getting known that the authentication by biometrics usually comes with poorer security than PIN/password-only authentication.
2FAwhere
Good post, but as Sophos you are endorsing the additional security of 2FA while not supporting it in your products. For example, Sophos Home does not have 2FA. If a hacker has your username/password they can disable Sophos antivirus on all your devices.
Joe Levy
You are correct. This is on our agenda for 2017. We will practice what we preach.
Tony Flaherty
Your introduction list of factors reads as if user ID is a factor, it isn’t as it is generally considered to be publicly known or derivable, eg an email address. This could cause confusion as people think user ID + password = 2FA
Paul Ducklin
I don’t really think we gave that impression. In fact, we explicitly list “username/password” as *one* factor at the start, indicating that they go together.
However, I get your point. “Username/password”, and even “username and password” can be read as a list of alternative possibilities, as when you write “we offer a choice of beverage, including tea and coffee.” (You usually have only one at a time :-)
We’d probably need to write “username-and-password pair” to be 100% unambigious…
…so I just changed it to “password” throughout, to reflect that the password is the secret part, while the username isn’t.
Eugene Jacobson
It may be necessary but it is a pain too. I use a password manager, a good strong one, but 2FA on top of that means EVERY time I close a browser and reopen it, I have to have my iPhone with me so I can put in the code. That gets VERY tedious and since I am already very careful with passwords and other security measures including hardware and software firewalls, paid malware (Sophos Home anti virus), having to go through that extra step so many times a day is just overkill. I do use fingerprint where that is possible and would be okay with that, but I really hate that texted code piece. Just me.
Malcolm
How about adding 2FA for Sophos Home?
Sauce for the goose and all that …
Joe Levy
You are correct. We will be adding this as an account option in 2017.
SGU
But doesn’t 2FA using a registered phone for texting a code mean that the website is using your phone to collect additional personal information, such as your location or apps billing information? Isn’t this form of 2FA partly an opportunistic information grab?
Paul Ducklin
Depends whether the site has special T&Cs for numbers handed over for 2FA that promise not to the number for anything other than logging in…and, if so, whether you believe the claim anyway.
Skotty
Are you still recommending 2FA even with the newly published SS7 security flaw that affects SMS? I try to use Yubico Key where allowed, but not very many sites offer it.