The massive and numerous data breaches over the last few years prove at least one thing: Passwords alone can’t protect you. And as if to remind you that 2019 will be just as fraught with cybersecurity issues as the year before, security researcher Troy Hunt discovered yet another major breach, ominously titled “Collection #1,” in which nearly 773 million email addresses and 21 million passwords were exposed.
Before you freak out and (finally) delete your Facebook account, know there’s an easier way to protect yourself — one that only involves a few minutes of preparation for some peace of mind when it comes to your online identity. We’re talking about two-factor authentication (sometimes called 2FA, or two-factor verification), a process in which you input an extra security code after typing in your username and password to prove you’re really you. There are multiple forms of two-factor authentication, but they all serve the same purpose of protecting your accounts from being hacked in case somebody gets their hands on your login info.
Nearly every major website supports two-factor authentication, though not every site supports every form of authentication. Want to check if your most-frequented sites are up to date in terms of security? Check out the Two Factor Auth List, a searchable and categorized database of sites that support two-factor authentication and its multiple forms.
From there, actually enabling two-factor authentication is easy enough. The process varies by site and service, but visit your account page for the site in question, browse around for any privacy or security settings, and that’s where you should be able to enable SMS or two-factor authentication.
The different types of two-factor authentication
The purpose of two-factor authentication is to prove that you’re the person who owns the account in question. You can think of two-factor authentication as the bouncer to your digital lounge, waiting for you to provide a bit of extra information to prove you are who you say you are, be it a number sent to you via text message or a string of characters generated by an app on your smartphone.
Here’s a look at the various methods of two-factor authentication.
Text message authentication
Text message, or SMS, authentication is probably the easiest way to build the habit of two-factor authentication, as it doesn’t require you to download anything app-related or walk around with a physical authentication device. You simply log in to the site in question, and it’ll ask you to enter an authentication code — usually a random string of numbers — texted to your phone, and you’re in.
The downside of text message authentication is that it isn’t as secure as other methods of 2FA. It’s better than nothing, but security researchers have demonstrated that hackers can find ways to intercept SMS messages sent to your phone number, so if they also know your username and password, they can grab your 2FA code as it’s sent to you and get access to your accounts. We recommend using one of the following methods instead. But if you’re committed to using text messages for two-factor authentication, or if the service you’re trying to secure only uses SMS-based 2FA, be sure to call your wireless provider and set up a PIN code that can prevent hackers from accessing your wireless account, changing your settings and snooping on your texts.
A more secure way to use two-factor authentication is with a code-generating smartphone app that’s compatible with the account you want to keep safe. Apps like Authy, Google Authenticator and 1Password can all generate codes that change every minute or so, and can only be seen when you have your phone in hand. Some authenticator apps, like 1Password, also feature another layer of security, like facial recognition or a fingerprint scan. Many of those apps are also designed to store your list of secured sites and passwords in the same place, protected by a master password. They can also create randomly-generated and therefore hard-to-guess passwords as a further defense against hackers.
Of course, if your smartphone is stolen you can be in a tough spot, so make sure to print out some backup codes and store them in a safe place.
Don’t want to use any apps, or even your phone, when it comes to securing your identity? Instead of using an ever-changing code, go with something more physical, and use a hardware token you can clip to your keys. While they exist in various shapes and sizes, they usually resemble a small USB flash drive that plugs into the device you’re using, be it your smartphone or PC, and serves as a form of extra identification.
Want a hardware token? The most popular manufacturer, Yubico, makes the Yubikey, available in the connector of your choice (think rectangular USB-A or the newer, more universal USB-C) or with support for features like near-field communication (the same tech that powers the tap-to-pay feature found at stores). Google also makes the Titan security key, which gives you two hardware tokens, one to keep with you and one to keep in a safe space in case of emergencies.