Two-Factor Authentication (2FA): What Is It and How Can It Protect You?

Photo Courtesy: Yura Fresh/ Unsplash

News stories about cyberattacks and data breaches are all too common these days. One way to keep your data secure? Place it all behind walls that can only be penetrated by a unique identifier and secret code combination — you know, a username and password. But is a single password really enough? If you feel like it might not be, two-factor authentication — also referred to as 2FA — can come in handy. So, how does this enhanced protection work? We’ll crack the code.

How Big a Deal Is Online Security?

One of the most common crimes associated with insecure online information is identity theft. According to the Federal Trade Commission’s Consumer Sentinel Network, there were 3.2 million reports of identity theft and fraud in the United States in 2019. Associated with those cases? Financial losses of over $1.9 billion.

Photo Courtesy: Westend61/Getty Images

According to a 2019 study into identity fraud conducted by Javelin Strategy and Research, cybercriminals frequently accomplished their thefts by targeting not only financial accounts — those associated with banks and credit cards, for example — but loyalty and rewards programs and retirement accounts (IRAs and 401ks) as well. So, how’d they do it? By developing techniques to circumvent the authentication processes — all those allegedly secure usernames and passwords — all while maintaining a particular focus on attacking smartphones. In 2017, there were 380,000 victims of account takeovers, and, by 2018, that number rose to a staggering 680,000.

Two-Factor Authentication Doubles Up Your Protection

A password is a single factor for authenticating access to accounts and data. And, in many circumstances, it’s a rather poor authentication factor. According to at least one report on a study conducted by NordPass, people have an average of 70 to 80 passwords to remember. For many people, that’s a pretty impossible number to juggle, which results in unsafe shortcuts and workarounds, like repeating passwords, using default passwords, and relying on easy-to-guess codes.

Photo Courtesy: Andriy Onufriyenko/Getty Images

All of these shortcut methods impact your cybersecurity greatly, which is where 2FA comes into play. While two-factor authentication isn’t a substitute for a well-chosen password, it’s another layer of protection. When using 2FA, you’ll be asked for more information after you enter your username and password. Sure, that’s more steps on your end, but it’s also more protection. So, what is a “second factor” anyway?

Types of “Second Factors”

There are three basic types of second-factor authentication systems. They’re based on things you know, like answers to secret questions; things you have, such as a smartphone or token; and features of your body itself — fingerprints, voiceprints and facial scans. If you aren’t able to provide a second authentication factor in one of these categories, systems that utilize 2FA will deny you access even if your username and password combo was correct.

Photo Courtesy: dowell/Getty Images

Here’s how some common options work:

  • Hardware Tokens: Small pieces of hardware, such as a key fob or even a USB drive, generate unique and constantly changing numerical codes every 30 seconds or so. When you log in with your username and password, you’ll be asked to provide the current unique numerical code generated by that fob. Without it, you’ll get no farther.
  • Text Messages: An SMS-based 2FA system works by sending a text message to your registered smartphone once you pass the username-password stage of the authentication process. To get to the next stage, you’ll have to enter a code provided in said text message within a set timeframe.
  • Software Tokens: Software token-based 2FA is the most popular form of 2-step verification. With this, a user installs a 2FA authenticator app onto their smartphone, tablet, laptop or desktop computer, then links the app to websites they need to access securely. Once they are connected and a login attempt is commenced, the process is similar to the SMS approach.
  • Push Notifications: Sites that use push notifications will send a notice to an owner’s smartphone if there is any attempt to authenticate account information after the username and password have been entered. If the holder of the smartphone — hopefully you! — recognizes the login attempt, they can allow the process to continue with a mere swipe. If they don’t recognize the login, they can deny access or refuse to provide the authorization.

Long story short, there are lots of other examples of 2FA systems out there. One of the most exciting — and newly accessible? Apple’s Face ID. In this scenario, a username and password won’t get you anywhere — unless you show your phone the face that matches Apple’s records.

How to Claim the Benefits of 2FA for Yourself

Many of the websites and online services you use most often have 2FA systems built right into them — either mandatorily or as an added option. Your bank’s website, for example, has likely shifted to 2FA; if it hasn’t done so automatically, you can add that extra layer of security with a simple request.

Photo Courtesy: Westend61/Getty Images

Additionally, popular websites rely on built-in 2FA systems to help customers feel more secure — though the extra security layer may require some setup. If you’re using Amazon, check out the “Login & Security” menu. Apple loyalists should visit the “Security” menu on the “Manage Your Apple ID” page, and Instagram lovers should head to “Settings” and then “Security” to find the 2FA options. From LinkedIn to Dropbox, most platforms and sites you log into everyday support easily accessible 2FA options, so long as you know where to look for them.

Looking to install your own two-step verification system on a phone, tablet or computer? There are quite a few great apps available, including Authy, Google Authenticator, and OTP, LastPass Authenticator and Microsoft Authenticator. At the end of the day, installing, activating and relying on 2FA systems isn’t a substitute for diligence, caution and well-chosen, varied passwords. Nonetheless, that additional step does layer on the security — and a few seconds of your time is definitely worth it when it comes to avoiding theft or hack.