This article was written by our colleague Christian Anderson, known to many as “Mr. 2FA”, and has since been translated into English. He drives a car with the licence plate BRUK2FA, meaning “Use 2FA”, and runs his own website at, well, we think you have guessed it.
2FA (two-factor authentication) is known by many names. In short, it means that you use two factors when logging in, adding an extra layer of security on top of “just” the password.
Explained a little further, 2FA is a form of multi-factor authentication (MFA), where you use more than one factor to gain access to a system. 2FA requires, as the name implies, two factors, but there are systems that require more than two. The factors used are divided into different groups:
- something you know: a password, a pin code
- something you have: your phone, an app
- something you are: your fingerprint, your face
- there may also be other factors, such as where you are
Why use 2FA?
By using 2FA, you add an extra layer of security to the account you’re using. Almost every day, a service on the web is hacked, and information about those who use this service is stolen. The hackers can then start testing other services with the username and password they found.
Suddenly they’ve entered other accounts you own. Unfortunately, it’s very common for people to use the same password, or small variations of the password, in several places. If you use 2FA on other services, they’re not able to get in because they won’t have access to your second factor. The other services will then be protected, despite the hackers knowing both your username and password.
Now you might think that entering an extra code from an app, or waiting for an SMS, is too much work, but don’t worry: most online services remember your computer or browser and can use that as the second factor. Therefore, you don’t necessarily need to enter a code every time you access the service. Other websites, on the other hand, such as online banks, always force you to use 2FA.
How to enable 2FA
This differs from service to service, and depends on which forms of 2FA the service offers. Most websites place the option to enable 2FA where you change your password, whether that is your profile page or a page for security settings.
Where can I use 2FA?
There isn’t a complete list of which websites or services support 2FA, but on this website you can find out which of the largest websites support 2FA.
Different forms of 2FA
As described earlier, there are several types of factors you can use to authenticate yourself. Here’s a more detailed overview of the various factors:
Something you know
Password:
This is the most common variant of logging in. You’ll find thousands of tips on the web on what makes the best passwords, but the most important thing is that you choose long and complex passwords that are hard to guess. Different websites have different requirements for how passwords should look, but in most places you have to mix upper and lower case letters with numbers and special characters.
Pin code:
This is most common when 2FA or MFA is involved. It’s usually not used as the only factor. For example, your bank card: when you go to the ATM to withdraw money, you use 2FA (one thing you know – the pin code, and one thing you have – the bank card).
Something you have
Mobile phone:
The most common way to use 2FA, which involves a mobile phone, is to send an SMS with a code that you must enter on the website after entering your username and password.
App:
In many cases, you’re offered an app to get your code. The best-known app is Google Authenticator. This app works according to the “Time-based One-Time Password” principle, also known as TOTP. In short, it means that the app gives you a code that you can use to verify your identity, and the code is replaced after a short time (usually 30 seconds).
USB key:
You can also use a USB key. When the website asks for the second factor, the inserted USB key provides the “code”. You don’t actually enter a code; the key does it for you. All you have to do is press a button on the key or touch it. This is the most advanced and safest way to provide the second factor. Some brands of USB key include the Yubico YubiKey and the Google Titan Security Key.
Something you are
Fingerprints:
Many phones and computers have fingerprint readers built into them. These can be used together with passwords, pin codes or certain mobile phones as a second factor.
Eye (blood vessels):
Some places don’t consider fingerprints secure enough, as you leave them everywhere (on glass, doors, railings and so on). A retina scanner reads the pattern of blood vessels at the back of your eye, which is as unique as a fingerprint.
Eye (iris):
Some newer mobile phones can also use your eye as a second factor, but instead of scanning the blood vessels, they look at what your iris looks like: the coloured area around the pupil is as unique as a fingerprint.
Face:
The very latest in technology is face recognition, where the computer or phone recognizes your face. Apple’s FaceID is probably the most known example of this.
Voice:
There are also voice recognition systems that can identify you when you say a few words.
Where you are
Your position:
It may be that when you’re at home, you don’t need to unlock your phone with a code.
Proximity to other devices:
For example, if your phone is connected to a certain Bluetooth device, you’re automatically logged in.
A few words on passwords
When creating a new password, there are a few things you need to think about:
Never reuse a password:
If you’ve reused a password and someone gets access to it, it’s easier to hack your other accounts.
Use a complex password:
Hackers like to test simple passwords first, so if you have a complex password, there’s a high chance that the hackers won’t figure it out.
Use a long password:
If hackers have obtained a protected (hashed) password, they can use the same technique as the website from which they obtained it to test guesses against the protected value. For example, they might start with “a”, protect it and see if it matches, then go on to “b”, and so on. If you have a long password, it’s going to take them an extremely long time to work through all the possibilities, and there’s a good chance they’ll never crack the code.
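To make “protected password” concrete, here is an added example (not code from the article) of how a website should store a password so that the guessing described above is slow: a random salt per user and a deliberately expensive hash (PBKDF2-HMAC-SHA256), with a constant-time check at login. The second half counts how many guesses the exhaustive search in the article (“a”, “b”, …, then two characters, and so on) needs as the password grows. The work factor and the guesses-per-second figure are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256: an assumption for this example, chosen so that each
# guess costs the attacker the same slow computation it costs the website at login.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two people with the same
    password get different digests, and pre-computed tables of guesses are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute the digest for the submitted password and compare in constant time,
    so a wrong password reveals nothing through how long the comparison takes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def candidates_up_to_length(alphabet_size: int, max_length: int) -> int:
    """Number of strings of length 1..max_length over an alphabet: how many guesses an exhaustive
    search in the order the article describes needs before it must have hit the password."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def worst_case_seconds(alphabet_size: int, max_length: int, guesses_per_second: float) -> float:
    """Upper bound on the time such a search takes at a given guessing rate."""
    return candidates_up_to_length(alphabet_size, max_length) / guesses_per_second


if __name__ == "__main__":
    # Constructed demo account; the stored record is (salt, digest), never the password itself.
    salt, digest = hash_password("correct horse battery staple")
    print("stored:", salt.hex(), digest.hex())
    print("right password accepted:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password rejected:", not verify_password("correct horse battery stapl", salt, digest))

    # Assumed rate of one guess per second against the slow hash above, to show how length dominates.
    rate = 1.0
    for length in (4, 8, 12, 16):
        secs = worst_case_seconds(62, length, rate)  # 62 = upper + lower case letters + digits
        print(f"length {length:2d}: up to {secs / 31_557_600:.3e} years")
```

The point the numbers make is the article’s: every extra character multiplies the number of guesses by the size of the alphabet, so length helps far more than swapping a letter for a symbol, and a slow, salted hash on the website’s side multiplies the cost of every one of those guesses.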
Having said all this, how are you going to manage to remember all the passwords you’re going to end up with? Well, you can’t… You could always write them down in a book. Yes, you read that right, and it sounds wrong, after all we’ve been told not to write down passwords. However, it’s much better to write down your passwords than to use the same password in several places. Moreover, the hackers need access to your physical book to gain access to the password.
Can’t you do anything better than writing down the passwords? Yes, you can, by using a password manager. With such a tool you can write down the passwords in a safe way, and it can also help you create new, long and complex passwords. The only thing you then need to remember is the password for the password manager.
Some password managers are:
- Lastpass
- 1Password
- Bitwarden
- KeePass
- Dashlane
The article you’ve just read is written by our colleague Christian Anderson.