
What is Two-Factor Authentication and why do I need it?

Two-factor authentication, or 2FA, is something you will no doubt have encountered: most accounts and services now recommend that you enable it. So, what is it, and do you need it?

It is a second step, or security measure, that supplements your password when you access an account, and put simply, yes, you do need it. Whenever you log in to an application or service, 2FA confirms through a separate channel that it really is you logging in. You have probably used it many times without realising: if Google sends you a code to enter after your password, you have completed a 2FA transaction.


How does Two-Factor Authentication work?


Each type of 2FA differs slightly in detail, but all follow the same general sequence:

⦁ The user logs in to the website, application or service with their username and password.

⦁ The authentication server checks the password. If it is correct, the second factor is triggered, whether that is a code by SMS, a notification pop-up or a request to type in a code generated by an authenticator app.

⦁ The authentication server sends a unique code or prompt to the user's second-factor device (or, in the case of an authenticator app, the device generates the code itself from a secret shared at enrolment and the current time).

⦁ The user confirms their identity by completing the additional step on their second-factor device, whether that is entering the code or accepting the prompt.

⦁ The user gains access to the account.



Why do I need Two-Factor Authentication?

2FA is essential because it significantly increases the security of your account and limits the damage a compromised password can do. If your password were compromised and 2FA was not enabled, there would be nothing stopping a malicious individual wreaking havoc on that account, and on any other account where you have reused the password, without you being any the wiser until it is far too late. With access, the attacker could do anything the account allows, from posting damaging content on your social media to reading sensitive information from your work, or even locking you out of your own account. With 2FA enabled, the attacker has another barrier to get past, and, if you use SMS or push notifications, you will also receive a code or prompt you did not ask for, alerting you that someone other than you is trying to get in (an authenticator app generates its codes locally, so it will not alert you in the same way). That warning gives you valuable time to change your password and revoke access before any damage is done.


Furthermore, the National Cyber Security Centre (NCSC) recommends it for all cloud service accounts and for high-value accounts such as email, which give a cybercriminal a route to reset the passwords on your other accounts. The NCSC is becoming stricter about enforcing this: its Cyber Essentials requirements for IT infrastructure now require multi-factor authentication for cloud services, and the document is linked in the useful links below. Passwords alone are not enough to keep your accounts safe, and cybercriminals are employing increasingly sophisticated methods to obtain them. As mentioned above, many people reuse passwords, deliberately choose weak, easy-to-remember ones, or even share them willingly. This puts your accounts at risk and makes the criminal's job much easier. Implementing 2FA significantly decreases the chance of a successful account takeover and the consequences that follow. It is therefore highly recommended that you enable 2FA, and if an account or service does not offer it, consider alternatives.


One thing to note is that not every type of 2FA is created equal. SMS-based 2FA is considered the weakest: codes can be intercepted or redirected by attackers using techniques such as SIM swapping, social engineering of the mobile operator, number spoofing and attacks on the mobile signalling network, to name but a few, and an SMS code can be phished just like a password. The National Institute of Standards and Technology (NIST) classes SMS as a restricted authenticator in its Digital Identity Guidelines (SP 800-63B) and advises against relying on it where an alternative exists. It is still better than a password alone, but it is recommended to use alternatives such as:

⦁ TOTP passcodes: time-based one-time passcodes, generated by an authenticator app on your phone, are the most popular alternative to SMS 2FA. When you enrol, the service and the app share a secret (usually scanned as a QR code); the app then combines that secret with the current time using the TOTP algorithm (RFC 6238) to produce a short code that is valid for a single period, typically 30 seconds, after which the next code is generated. Nothing is sent over the phone network, so there is nothing for a SIM swapper to intercept, although a code can still be phished if you type it into a fake site.

⦁ Mobile push: push authentication sends a request to an app on your phone as a notification, which you approve or deny. It is convenient, but an attacker who already has your password can bombard you with prompts in the hope that you tap approve just to make them stop (known as MFA fatigue or prompt bombing), so prefer a provider that shows a number on the login screen which you must enter in the app, and never approve a prompt you did not trigger yourself.

⦁ WebAuthn/U2F security keys: hardware security keys are by far the most secure 2FA option. They use public-key cryptography: the key holds a private key that never leaves the device and signs a challenge from the site, and that signature is bound to the site's real domain, so a phishing page at a look-alike address gets nothing it can reuse. They can be used for both web and mobile applications.


There are many authenticator apps you can use, but a couple to get you started, available on the Google Play Store and the Apple App Store, are:

⦁ Google Authenticator.

⦁ Microsoft Authenticator.


Another important note: for all the benefits, there are some downsides. You can be locked out of your own account if you cannot provide the 2FA code or have too many failed attempts. If you do not have your device with you, or the 2FA method fails, access will be denied, which is frustrating. Some methods, such as a one-time PIN by SMS, can also take a while to come through. It is important to be organised and to choose the right form of 2FA, not just the easiest one to set up. Keep your authentication device on you, or use a device you usually carry anyway such as your phone, so you do not find yourself locked out. Most services also issue a set of one-time backup (recovery) codes when you enable 2FA: save these somewhere safe and separate from your phone, because they are what gets you back in if the phone is lost, broken or replaced.


Below are a few links to support pages detailing how to enable 2FA on various accounts. Although it is not feasible to list a support page for every account, the process is fairly universal across the board, and here are a few to get you started.


Useful Links:

Article on recommended 2FA apps:

Best authenticator apps of 2023 | TechRadar


NCSC IT infrastructure document:

Cyber Essentials Requirements for IT Infrastructure v3.1 April 2023 (published January 2023) (ncsc.gov.uk)


How to enable 2FA on Google Account:


How to enable 2FA on Microsoft Account:


How to enable 2FA on Facebook Account:


How to enable 2FA on Instagram Account:


Bu Tech web article on 2fa:


AVG article on 2fa:


Tech Republic article on 2fa:






