Passwords are your first line of defence against those who want to steal your accounts or spy on everything that is happening in them. That is why you should protect all of your accounts with really strong and unique passwords. You should also store the passwords safely.
Unfortunately, even the strongest password is not enough to guarantee that someone will not break into your account. There are several ways in which your password might be compromised. Hackers might steal your credentials directly from the online service provider (which happens much more often than you realize). Someone might install a tiny piece of software on your device that records every key you strike on your keyboard (including all of your passwords). A very dedicated person might crack your password or convince you to reveal it. Finally, someone might use a hidden camera to record your keyboard while you enter a password.
This is why you should use two-factor authentication (2FA) to protect your important online accounts. When enabled, two-factor authentication requires that you use two different ways of proving your identity to access an online account. So, in addition to entering a password (the first factor), you have to provide a second piece of information (the second factor) to verify your identity. Essentially, 2FA provides another layer of protection to your online accounts, keeping them safe even when your passwords are compromised.
What can serve as the second factor
Most online accounts allow users to choose from three categories of additional authentication factors:
- Something you know: a piece of information that only you should know such as a PIN code.
- Something you have: a physical object that you should have on you to access online accounts. This can include a security token (a small hardware device) or your smartphone which can be used to receive authentication codes via SMS or special authentication apps.
- Something you are: something unique to your body such as your fingerprint, face or retina.
Which second factor you should choose
It is very difficult to give general advice on the most suitable 2FA method that would work for every user. Ultimately, you should choose what works best for you based on your own situation, risk assessment and convenience. We will offer several pointers below to help you make an informed choice:
- Security questions make 2FA an easy job as their only requirement is that you remember answers to a number of preset questions. However, it is typically not too hard for a crafty attacker to dig up these answers (e.g. your mother’s maiden name) or trick you into giving away this information.
- Security tokens (U2F keys) provide one of the most secure 2FA methods as long as you keep them physically secure. A major disadvantage of these devices is that they cost money and might require various adapters to use them across devices. Besides, using a security token as the second authentication factor requires you to have the device on you every time you want to access an online account. Thus, there is always a risk of loss or theft.
- SMS messages are very convenient as they arrive instantly on your mobile phone. However, this is one of the least secure 2FA methods as SMS messages can be easily rerouted by a committed individual or intercepted by your mobile service provider.
- Authenticator apps rank among the most secure and convenient 2FA methods. When you link an authenticator app to an online account, it generates temporary passwords or numerical codes that you need to enter immediately after entering your main password to access an online account. These passwords or codes cannot be intercepted as easily as SMS messages can. However, the security of these apps is tied to the security of your mobile device. In order to use them safely, you need to ensure that both your phone and the app you choose are protected by strong passwords. Reliable authenticator apps recommended by experts include Aegis, Authy, Google Authenticator, and LastPass Authenticator. Whichever option you choose, make sure that you save in a secure location the one-time backup codes for every account you link to the authenticator app. You will need these codes to access your accounts in case you lose the phone with the app on it.
- Biometrics such as your fingerprint, face or voice are very convenient but not as secure as is often thought. Unfortunately, many of the popular online services do not offer biometrics as a 2FA option. Besides, many users are reluctant to use their biometrics because, unlike passwords, a compromised biometric cannot be changed. Once it is hacked, it is hacked for life. Online services may also sell your biometric data to third parties without your consent.