Why you should set up Two-Factor Authentication (2FA). And how to do so.

2FA in a Hoodie

Privacy and identity theft are a popular tandem these days. We increasingly erode our privacy with every new site or app sign-up — see FaceApp’s aging filter this past summer — but our ears prick up at the phrase identity theft. It’s an odd reconciliation.

Passwords or PINs are the most popular way for people to maintain a shroud of privacy. In recent years, it seems there’s a widespread breach of accounts every week. Capital One and Equifax, names we’ve come to trust with our personal information, companies that hold huge financial sway on our daily lives, have been caught with their pants down — and we’re the ones who suffer the embarrassment.

Both in real life and at the movies, there have been various pushes to augment, strengthen, and even do away with the use of passwords. Today is not the day for the latter; we are not ready to get rid of passwords entirely. Until then, we should embrace a simple way to protect our accounts.

What is 2FA?

2FA, or two-factor authentication, strengthens the use of passwords by requiring a second piece of information to unlock our accounts. Unlike a password, which is typically permanent and memorized, the second factor is generated temporarily on something we own, such as a mobile phone, a tablet, or a physical key. Even fingerprints can be used as a form of 2FA.

The most popular method of 2FA is a temporary code, known as a one-time password (OTP) or one-time token (OTT), sent to an email address or cell phone number, or generated by an authentication app such as Authy, Google Authenticator, Duo, Microsoft Authenticator, or LastPass Authenticator.

An Okay Method of 2FA: Email or SMS

This is not the ideal method, but it is recommended over having no 2FA at all. The OTP is sent to an email address or via text message. Not all websites allow 2FA via an authentication app, but if they allow 2FA at all, it is most likely via email or SMS.

The reason SMS isn’t the best method is that it’s tied to a phone number and its SIM card, which have proven susceptible to hijacking (often called SIM swapping). There have been various instances where hackers impersonated a victim to Verizon or another phone carrier and had the number moved to a different SIM card, which compromised the 2FA of every service tied to that one phone number.

Whenever i set up SMS 2FA, i tend to switch between using my normal phone number and a Google Voice phone number.

Note, some websites don’t allow the use of Google Voice numbers for 2FA, so be prepared to use a personal phone number.

A Better Method of 2FA: Using an Authentication App

Authenticator apps are more secure than SMS because the codes are generated on your own device rather than sent over the phone network, so they are far less prone to interception or spoofing. Simply set up the app by scanning a QR code or manually entering the secret key for the website, and from then on a new, random temporary code is produced every 15-30 seconds.

I’m partial to using the authentication app Authy because it is versatile. There’s an iOS, Android, and even a desktop app (macOS), which i find to be convenient when a phone is left on a charger on the other side of the room.

Authy is also a lifesaver when switching to a new phone or adding a secondary phone for 2FA. Authy also features the ability to sync 2FA between multiple devices.

I go through phones probably once a year or so, and Authy has saved me a ton of time by not having to manually go through every account to switch to the new phone, as is required when using the Google Authenticator app. Earlier this year i had to go through ~36 different accounts to switch from GA to Authy. It took about an hour and a half. It’s the reason why i do not use the Google Authenticator app unless i’m forced to do so. LogMeIn is one such service that requires GA, unfortunately.

The Best Method of 2FA: Physical Key

The best method for 2FA is using a physical key that’s about the size of a USB thumb drive. It’s a cool, simple process: provide your username and password for the site/service and, when prompted, press the button on the physical key and wait a second or two. Voila.

The most popular key is the YubiKey, but many brands exist. They range in price, but start at around $15. I recently purchased a Thetis FIDO U2F key and have no problems with it — it does the job as advertised and is durable.

This is the best method of 2FA because of the separation of the digital and physical realms. A hacker would need physical access to the key in order to complete the 2FA portion of logging into an account. The same applies, in theory, to using a biometric scan such as a fingerprint.

I recommend buying at least two keys. I keep one on my person at all times on a keyring, and the second one lives in a secure place (think office/home safe or a bank safety deposit box). The keys are durable and made to hang on a keyring. Most services should allow for setting up multiple physical keys with an account.

My recommendation comes from personal experience. When i had to buy a new phone after one broke, i had my main Amazon AWS account synced with the old phone and, for some reason, i didn’t have or couldn’t find my security backup codes. I ended up having to contact Amazon, where they required me to verify my ID by going to a notary, paying a fee, and doing this whole dance. Time-consuming, but i appreciated that no one unauthorized could access my account. If i had had a physical key stored away as a backup, the three days unable to get into my account would’ve been avoided.

What about biometric data for 2FA?

It sounds good — futuristic a la Demolition Man and the like — but it’s not recommended as a foolproof method because such data is permanent. Passwords can be changed, but our retinas, our fingerprints cannot. Once they’re compromised, it’s a wrap. Case in point with this recent, massive biometric data breach.

Recap

Setting up 2FA is a simple, quick way to add a layer of security to our online accounts. At a minimum, i recommend using SMS but encourage the use of all three methods in conjunction with one another.

Your bank, credit card company, mortgage lender, etc. all may have their own preferred 2FA authenticator apps, even their own in-house app to download. Check their websites, call/email customer service.

Check if a site/service allows Two-Factor Authentication (2FA) via this website https://twofactorauth.org

I hope this was useful. Be sure to check out my past post on end-to-end encryption (how it works), subscribe to the blog below for upcoming posts on virtual credit cards and other security-related things.

Cheers and peace.

Wondering why you keep seeing lower-cased 'i' in my posts? Read -> Why ‘i’ is not capitalized
