What is Two Factor Authentication (2FA) And Why Use It?Category: primers
A 3 Minute Read
20 Jan 2017
Image by Yubikey
Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!
You’ve heard it time and time again: use a strong password. By now, you might have a Lastpass account or KeepassX installed on your computer (and if you don’t, you should), and all your passwords are 99 characters of entropic perfection, making you feel like the digital Hulk. But what if your computer gets infected with malware? What if that malware siphons up all your passwords and sends them off to some darknet market to be auctioned off? What if Lastpass itself gets a vulnerability that leaks all your passwords, or the service you’re registered to doesn’t do a good enough job in protecting your password? In each case, you’re up a proverbially polluted creek without a paddle. Unless, of course, you’ve used two factor authentication.
Indeed, right now two factor authentication (2FA) is the best practical way to protect yourself from all of these threats. All 2FA entails is simply having a second factor, something other than your password, that is required to log you in to a given service. Often this is combination is said to consist of something you know (your password) and something you have (the second factor). The premise is fairly common-sense: it is much harder to hack a password and a separate authentication mechanism than just a password alone. Of course this second factor could be a fingerprint scan, a secret question, or a smart card, but right now the most popular way to use 2FA is through a temporary code either sent to your phone as a text message, or generated through an authenticator app.
Enabling this isn’t too difficult either. Typically, all you need to do is log into whatever service you use that supports 2FA (a list can be found here), go to your account settings, and enable 2FA. The site will likely either ask you for your phone number that it will send a text message to, or give you a QR code for you to scan with an authenticator app like Google Authenticator or Authy. Then, you just need to confirm the resulting code you’re provided through the text or the app, and you’re off and away. Now, every time you log in you’ll be asked for a code that functions as a one time password (OTP), meaning it only ever works once and every time you log in it will be different.
If we were to stop here, however, we might eventually end up in that same proverbial creek, because if we lose whatever it is that functions as our second factor (again, this is usually our phone), that means we wouldn’t be able to log in at all. Fortunately, most websites recognize this risk and provide an alternative mechanism for logging in just in case. For example, Google and Github will provide you a list of one-time-use codes that you can print out and keep in a safe place. Alternatively, the site might allow you to register a back-up phone number that you trust. Each method allows you to recover your account so that you can either disable 2FA or set up a new second factor.
With all of that said, however, 2FA is certainly not bulletproof. Increasingly, hackers are using extremely convincing phishing schemes that not only trick you into giving up your password, but your second factor as well, and then quickly log into your account and wreack havoc. Does this mean that you shouldn’t use 2FA? No! Even with this risk present, 2FA still increases your defenses significantly.
If you are worried about these phishing schemes, however, and want the utmost level of security, you can get yourself a hardware authentication device (i.e. a specialized usb dongle) that supports a new protocol called Universal Second Factor (U2F), such as the Yubikey FIDO U2F Security Key (my Amazon affiliate link). Essentially, U2F categorically eliminates those phishing schemes and thus offers the best defense you can get against account theft. Its also easier to use than one time passwords; all you need to do each time you log in is click a button on the dongle rather than manually type in a code. Unfortunately, not many sites or browsers currently support U2F as it is still a fairly new protocol. Those that do support it include Google, Youtube, Dropbox, and Github. If you want more services to use it, I highly recommend contacting those services and requesting that they implement it. Fortunately, DongleAuth.info gives you some shortcuts to tweet at those companies that are lagging behind on what should be basic account security.