There are two secure mainstream forms of 2-Factor Authentication: one that works with an authenticator app on your smartphone, and one that uses a hardware security key. Both of these methods work very well at keeping other people out of your account, because a stolen password alone is no longer enough to log in.
Most services that accept 2FA also provide backup keys in case you lose access to the smartphone or hardware key. I’d suggest you hold on to those as well.
Why is this important? It’s simple: imagine you type your password into a site over public Wi-Fi without HTTPS, send it through SMS or email, fall for a phishing page that looks like the real login, or the service you use gets breached and its password database leaks.
Every single one of these situations can happen, and when it does, the attacker can get into your account and lock you out. No good.
I was a victim of this once. I don’t know how they got into my account, and it happened years ago, but it’s a wonder I still have access to my account today.
If someone manages to get their hands on your password, 2FA will still keep them locked out, because they also need the second factor: the code from your phone or the key in your pocket.
So how exactly do these systems work?
When using an app like Google Authenticator, a new six-digit code is generated every 30 seconds. Every time you log in to your account, you open the app, read the current time-sensitive code and enter it in the field in question.
However, the secret behind those codes is never transmitted between the server and your phone after setup. When you enrol (usually by scanning a QR code), the server and the app agree on a shared secret key and on the formula, which is standardised as TOTP (RFC 6238): the secret and the current 30-second time step are fed into an HMAC, and a few digits of the result become the code. Note that this is a shared secret, not a “private key” in the public-key sense, and it is not encrypted: both sides hold the same value, which is why you should treat that QR code like a password and why the service has to protect its copy.
This means the app computes the code from the secret and the current time at that moment. When you enter the code on the website, the server runs the same computation with its copy of the secret and compares. If it matches (allowing a step or so of clock drift), the server lets you in.
This is a simplified explanation of what happens. What matters is that it is secure against someone who only has your password, and it keeps bad people out of your account. One caveat worth knowing: a TOTP code can still be phished if the attacker relays it to the real site within its 30-second window, which is where hardware keys (below) pull ahead.
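Here is that “equation” spelled out as working code. This is an example added for this post, not code from Google Authenticator or from any service: it implements TOTP (RFC 6238, HMAC-SHA1 variant) the way the app does, checks it against the test secret and values published in the RFC’s appendix, and then shows the server-side check with a one-step tolerance for clock drift and a constant-time comparison. The secret, timestamps and the `verifyTOTP` helper are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

const step = 30 // seconds per code, as used by Google Authenticator

// totp computes an RFC 6238 code (HMAC-SHA1 flavour) for a shared secret at
// a given Unix time. The time itself is never hashed: only the step number.
func totp(secret []byte, unixTime int64, digits int) string {
	counter := uint64(unixTime / step)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)

	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil) // 20 bytes

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit is cleared to avoid sign issues.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// verifyTOTP is the server side (an assumed helper, not any vendor's API).
// It recomputes the code for the current step and one step either side to
// tolerate clock drift, and compares in constant time so a wrong guess
// cannot be told apart by how long the check took.
func verifyTOTP(secret []byte, submitted string, now int64) bool {
	ok := false
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totp(secret, now+skew*step, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true // no early return: always check all three steps
		}
	}
	return ok
}

func main() {
	// RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
	// A real enrolment uses a random secret shown to the app as a base32 QR code.
	secret := []byte("12345678901234567890")
	for _, t := range []int64{59, 1111111109, 1234567890, 20000000000} {
		fmt.Printf("t=%-12d code=%s\n", t, totp(secret, t, 8))
	}

	now := time.Now().Unix()
	fresh := totp(secret, now, 6)
	stale := totp(secret, now-4*step, 6)
	fmt.Println("fresh code accepted:", verifyTOTP(secret, fresh, now))
	fmt.Println("stale code accepted:", verifyTOTP(secret, stale, now))
}
```

Two things the code makes visible that the prose glosses over: the clock only matters as a step number, so a phone a few seconds off still works, and the server accepts a small window of steps, which is exactly why a relayed code is still usable by a phisher for a short time.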
Hardware keys are a bit different. When you set one up, the key generates a public/private key pair: the private key stays on the key and never leaves it, and only the public key is sent to the website. When you sign in, the website sends a random challenge; the key signs that challenge (together with the site’s address) using its private key, and the website checks the signature with the public key it stored. Because the signature is tied to the real site’s address, a phishing site can’t reuse it, which is why this is more secure than apps like Google Authenticator. The downside is that the actual keys cost money.
You see, you can’t just use any old USB drive. That would be insecure, because a plain drive can only store a secret, not stop it from being copied. Instead you need a specialised key whose sole purpose is to prove it is present and to sign without ever revealing the private key. Typically you have to press a button on it so it knows you’re physically there, and some include a fingerprint sensor that must be used before the key tells the website to let you in.
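To make the challenge/response concrete, here is a small model of the exchange. It is an added example written for this post, not the code of any key vendor or of the FIDO2/WebAuthn standard: `SecurityKey`, `Website`, the message layout in `signedMessage` and the origins used are simplified stand-ins (real authenticators sign a structured `authenticatorData` plus a hash of the client data). It shows the three things the prose claims: only the public key leaves the key, a touch is required before anything is signed, and a signature obtained through a look-alike phishing site does not verify at the real site.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SecurityKey models the hardware token. The private key lives here and is
// never returned to the browser or the website. (Assumed model, not a vendor API.)
type SecurityKey struct {
	priv    ed25519.PrivateKey
	counter uint32 // bumps on every signature; lets the site spot a cloned key
}

// Assertion is the key's reply to a sign-in: what it signed, and the signature.
type Assertion struct {
	Counter   uint32
	Challenge []byte
	Sig       []byte
}

// Register models enrolment: the key mints a pair and hands the site only the
// public half, which is all the site ever needs to store.
func Register() (*SecurityKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SecurityKey{priv: priv}, pub
}

// signedMessage is the byte string both sides agree to sign and verify.
// Binding the origin into it is what defeats phishing: a signature minted
// for "https://examp1e.com" does not verify at "https://example.com".
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	var buf bytes.Buffer
	originHash := sha256.Sum256([]byte(origin))
	buf.Write(originHash[:])
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(challenge)
	return buf.Bytes()
}

// Assert is the "touch the key" step. origin is what the browser tells the
// key it is talking to; userPresent models the button press.
func (k *SecurityKey) Assert(origin string, challenge []byte, userPresent bool) (*Assertion, bool) {
	if !userPresent {
		return nil, false // no touch, no signature
	}
	k.counter++
	sig := ed25519.Sign(k.priv, signedMessage(origin, k.counter, challenge))
	return &Assertion{Counter: k.counter, Challenge: challenge, Sig: sig}, true
}

// Website holds only the public key and the last counter it saw.
type Website struct {
	origin      string
	pub         ed25519.PublicKey
	lastCounter uint32
}

// NewChallenge issues a fresh random nonce for one sign-in attempt.
func (w *Website) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify accepts an assertion only if it covers the challenge this site
// issued, was signed for this site's own origin, and the counter moved forward.
func (w *Website) Verify(issued []byte, a *Assertion) bool {
	if !bytes.Equal(issued, a.Challenge) || a.Counter <= w.lastCounter {
		return false
	}
	if !ed25519.Verify(w.pub, signedMessage(w.origin, a.Counter, a.Challenge), a.Sig) {
		return false
	}
	w.lastCounter = a.Counter
	return true
}

// demo runs three sign-ins: a genuine one, a replay of it, and one where a
// phishing page relays the real site's challenge to the key under its own origin.
func demo() (genuine, replayed, phished bool) {
	key, pub := Register()
	site := &Website{origin: "https://example.com", pub: pub}
	ch := site.NewChallenge()
	a, _ := key.Assert("https://example.com", ch, true)
	genuine = site.Verify(ch, a)
	replayed = site.Verify(ch, a) // same assertion again: counter did not advance
	ch2 := site.NewChallenge()
	a2, _ := key.Assert("https://examp1e.com", ch2, true) // victim touched the key on the fake page
	phished = site.Verify(ch2, a2)
	return
}

func main() {
	g, r, p := demo()
	fmt.Println("genuine sign-in accepted:", g)
	fmt.Println("replayed assertion accepted:", r)
	fmt.Println("phished assertion accepted:", p)
}
```

Contrast this with the TOTP case: there, a relayed code is a valid code. Here the relayed signature is over the wrong origin, so the real site rejects it even though the victim pressed the button.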
However, I think you all already noticed the issue with this:
What happens when you lose the key? Or it stops working?
When you set up Google Authenticator, the website will usually give you a set of one-time backup codes. These are important; store them somewhere safe, and not on the same phone that runs the app. With hardware keys, you can take two routes:
- Purchase a backup key.
- Use Google Authenticator as a backup.
The important thing is Backup, Backup, Backup. You should always keep a backup of everything you need. It may seem inconvenient to do, and it is, but you’ll be thankful when you lose access to whatever you were using before.
Now, another important note:
Unless it’s the only option provided to you, never use SMS as a 2FA method. Not even as a backup, because an attacker who can’t beat your app or key will simply ask the service to fall back to SMS.
SMS is an inherently insecure form of communication: messages are not encrypted end to end, and the code goes to whoever currently controls your phone number, not to your phone. You should never send anything important through SMS. Ever.
However, if SMS is the only option, then at that point it’s simply better than nothing. Just know that an attacker can take over your phone number (a SIM swap) by convincing your carrier with just the kind of information most people would be comfortable sharing, and from then on every SMS code lands on their handset.
Another important note is security questions: never tell the truth on these. Use them as a backup if the service insists, but treat the answers as extra passwords. Enter an answer that nobody, not even your closest friend, not even your significant other, would guess, and store it in your password manager so you can find it again when you need it.
Yes, these security systems are important, and you should take the time to enable them on accounts that matter to you. You will still hear that you should change your password every 3-6 months; current guidance (NIST SP 800-63B) is instead to use a long, unique password for every site and change it when you have reason to think it was exposed, such as a breach at that service. The easiest way to manage that many passwords is a password manager like LastPass.
LastPass will generate passwords for you and store them in a vault that is encrypted on your device with a key derived from your master password, so only that password unlocks it and the company itself cannot read your data. That also makes the master password the one thing you must never lose. And yes, use 2FA on LastPass as well. This stuff is important. LastPass is not a sponsor.