Two Factor Authentication (2FA) 101


Today we introduce Two Factor Authentication (2FA) sometimes called Two Step Authentication and why it’s a good idea to enable it where possible. 

What is 2FA and how does it work?

In simple terms it’s a way for an account you log into to double check that you are who you say you are and that it is in fact you logging in – when enabled, there are two checks in place to prove your identity instead of the usual one (a username and password) before access to the account is granted.  The concept itself isn’t new; historically we’ve always needed two factors to authorise withdrawing money from an ATM, for example.  The first factor is being in possession of a bank card and the second is knowing the correct PIN code.  When 2FA is enabled for an online account you log in using your username and password as normal and are then asked for the second factor, which can be:

  • Knowledge: such as a PIN code or the answer to a pre-set secret question
  • Possession: such as approving the login on a smartphone app or via an email link
  • A part of you (inherence): such as a voice print, fingerprint scan, or iris scan

There are others, but those three are the main types – essentially the idea is that one factor alone will not unlock an account if the other factor is compromised or stolen.  Most commonly you will experience a code being sent to your registered mobile via SMS for you to enter within a certain time (usually 30 seconds).  Therefore, if a bad actor manages to get their hands on your username and password, they still won’t get access to your account if 2FA is enabled. This is of course dependent on the second factor not being compromised as well – so if you set 2FA to send a link or code to your email, the email account must not be compromised (which can happen if the bad actor has already obtained your username and password, particularly if you reuse them). This is why authenticator apps or codes sent via SMS are a better option than email for the second factor.

Why enable 2FA?

Because our passwords stink, is the short answer – we have poor memories and aren’t too imaginative with password creation.  We also have too many accounts, seemingly for everything imaginable!  It’s not uncommon for people to have 40 or 50 online accounts, and this leads to security fatigue – we tend to just reuse the same easy password across numerous accounts.  This obviously increases the risk of breaches by bad actors, which 2FA can help alleviate.

How do I set up 2FA?

The best way to go about it is to set aside a couple of hours one night or over a weekend, log in to your various online accounts and make the change in one sweep.  This is also an opportune time to update your passwords to strong, unique ones whilst setting up 2FA.

Log in to each of your online accounts and find the ‘Security & Privacy’ settings area.  There you will be able to navigate to the 2FA settings and, in most cases, choose what you would like your second factor to be (SMS, security questions, authenticator app, etc.).  Before selecting, consider whether you will have access to the second factor if you travel a lot or may not be in possession of it all the time. Not all accounts offer 2FA; however, that’s increasingly changing as it becomes a cybersecurity measure that’s now expected.

Your social media, email, online shopping and banking & payment accounts should be the minimum to have 2FA enabled.  Don’t forget to set up 2FA for your desktops, laptops and other devices too, not just online accounts accessed from a browser!

We recommend using the website Turn it On as a guide if you have trouble.  You simply type in the website you’re looking to enable 2FA on and a step-by-step guide for it is generated.

Another great tool is the Two Factor Auth website, which lists websites that do and don’t support 2FA, so check it out if you’re having trouble finding where to change the settings – the service may simply not support 2FA.

SIM hijacking

A threat to 2FA which is on the rise is what’s called ‘SIM hijacking’ (also known as SIM swapping), which involves the bad actor gathering enough of your personal data to successfully pose as you to your mobile phone carrier. They request that your number be transferred to a new SIM card in their possession, and subsequently all calls and SMS messages go there, including second-factor codes sent via SMS.

To minimise the risk of this happening and protect the integrity of your 2FA, there are a few things you can do to ensure you’re using 2FA in the most secure way:

  • Call your phone carrier and request that a PIN (which is not your bank PIN or a combination of your birthday) be added to your account and required to authorise any changes to it
  • Consider a 2FA app (instead of email or SMS 2FA), as it isn’t attached to your phone number. A bad actor would physically need to steal your phone and unlock it to get around this, which is a big barrier for them
  • Set 2FA to a secondary number that is not publicly known or used for anything else, so that its chances of being leaked or associated with you are very low. Many modern mobile phones have dual SIM slots, meaning you don’t need a second phone to use this option
  • Reduce the amount of identifying information you post online, especially publicly, as it can be used to pose as you and enable SIM hijacking.

Conclusion

No doubt the biggest complaint against 2FA is that many people find it annoying, but those 10 seconds or less are, in our view, a small price to pay for an added layer of security.  Enabling 2FA doesn’t remove all risk from bad actors, but it does make it harder for them to access your account and reduces your risk greatly, as you become a less attractive target.  Taking small precautions like this puts you ahead of the curve in protecting your online data – don’t be the low-hanging fruit.

This article is written in line with our Terms & Conditions and Disclaimer. As such, all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content are at the user’s own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.
