You Need to Turn On Two-Factor Authentication

Passwords are an inherently weak form of authentication. Those that are easy for you to remember are also easy for others to guess, making them unsuitable for strong security. Those that are strong enough to be "secure" are difficult to remember, making them unsuitable, too. In addition, we know that even a "perfect" password can be leaked--through no fault of your own--because the database where it was stored was breached. Rather than trusting the safety of your information to a single password, you can add an additional layer of security to your account by turning on two-factor authentication.

Multi-Factor Authentication

Multi-factor authentication is based on the idea that one piece of identifying information should not be enough to gain access. Instead, it requires two or more from the following categories:

Something you know (a password or PIN)
Something you have (a phone or a hardware token)
Something you are (a fingerprint or other biometric)

The idea of multi-factor authentication is nothing new. Federal workers and other people who deal with highly sensitive information are no doubt familiar with something like an RSA SecurID token, which they pull out of their pocket whenever they need to log in. The token is a hardware-backed code generator: from a secret seed programmed into it at manufacture, it continually derives a new pseudorandom code (every 60 seconds in the case of SecurID). The system that has been paired with that token knows the same seed, accepts the code, and is thereby able to determine that you are in possession of the device.

Two-Factor Authentication

Two-factor authentication is a subset of multi-factor authentication, specifically requiring two of the above three categories. It has become increasingly popular in recent years due to the rise of smartphones, which can act as a second factor in the Something You Have category. Because only you should have your smartphone on you at any given time, sites can leverage this and prevent someone from logging into your account unless you have the phone on you to receive the second-factor authentication token. With two-factor authentication ("2FA" for short) enabled, whenever you attempt to log in to a website, you will be given a second prompt after you have successfully entered your password. This prompt is for the 2FA token, typically a string or number about six characters in length. With SMS delivery, so long as your phone (smart or not) can receive text messages, you will receive a text from the website containing the code you need to enter. This ensures that only the person currently holding your phone is able to complete the login process. If your password were compromised and leaked, an attacker anywhere in the world could complete the first stage of the login process, but they could not get the 2FA token without also having your phone (or, as discussed below, hijacking your phone number).

If you don't trust your smartphone to be on you at all times and safe from prying eyes, you can rely on a physical token like a Yubikey or any other certified U2F (Universal 2nd Factor) device. Additionally, SMS 2FA tokens are less secure than the other options discussed below, so if you have a smartphone you may wish to install a code generator app instead.

Warning: If you decide to go the U2F/Yubikey route, make sure whatever you wish to use it with supports it. Chrome, for instance, has built-in U2F support, but other browsers may not.

Frequently Asked Questions

How Do I Turn On Two-Factor Authentication?

The websites or services you use have to support it, so their website will be the best place to look in order to get information about how to turn it on. It will generally be somewhere under your Account -> Security or Sign-In settings. This page will give you some quick links to the pages for enabling 2FA on the most popular supported services like Gmail, Apple ID, Facebook, Twitter, etc. This page contains a Gmail-specific tutorial.

Where Should I Enable 2FA?

Everywhere that you can. Seriously. Anywhere that hosts an e-mail inbox for you. Anywhere that is connected to your credit card. Anywhere that can cause damage if your account gets compromised. An extensive list of sites that support 2FA is available at twofactorauth.org.

So Now That I Have it Turned On, I Have to Wait to Receive an SMS Code Whenever I Sign In?

Yes. Admittedly, the extra time it takes to wait and receive a code may be inconvenient. But the added hurdle to entry is more than worth the trade-off of being able to prevent someone malicious from accessing your account.

2FA can also serve as an early warning system. The code is only sent after a correct password has been entered, so if you receive a 2FA SMS and you weren't trying to log in, you know that someone else has your password and is trying to break into your account. Change the password straight away.

What if I Lose My Phone or Can't Get Enough Signal to Receive the SMS?

SMS is only one possible way of getting 2FA tokens. Another option is to download a token generator application like Google Authenticator or Authy. Both apps work offline, because they use a time-based protocol called TOTP (Time-based One-time Password Algorithm, RFC 6238): each code is derived from a secret the site shares with the app at setup time plus the current time, so any app and any site that follow the same standard interoperate, with no network round trip. With a TOTP app installed and configured as your 2FA application, whenever you wanted to log into Gmail you would open the generator app instead of waiting for a text message. The app displays a six-digit number for that specific account, which changes every 30 seconds. The constant changing ensures that someone who somehow grabs the code after the fact cannot use it outside of a very small window of time.
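The whole of TOTP fits in a few lines, which is why so many apps and sites interoperate. The following is an added example written for this page, not code from Google Authenticator, Authy or any site; it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) with the usual defaults (HMAC-SHA1, 30-second step, six digits), decodes a base32 seed of the kind carried in a setup QR code, and shows the server-side check that tolerates a small amount of clock drift but rejects a captured code once its window has passed. The seed used is the test seed from the RFCs, embedded here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation.
    TOTP is simply HOTP with the counter derived from the clock."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238). The code changes every `step`
    seconds because the HOTP counter is floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """The setup QR code is an otpauth:// URI whose secret= parameter is the
    shared seed in base32, usually shown without '=' padding; restore it."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current code and `skew` steps either side
    to tolerate clock drift, reject anything older (the 'very small window').
    compare_digest avoids leaking which digits matched through timing."""
    for i in range(-skew, skew + 1):
        expected = totp(secret, at_time + i * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample: the RFC 4226/6238 test seed, ASCII "12345678901234567890",
# both raw and as it would appear in a site's setup QR code.
SAMPLE_SEED = b"12345678901234567890"
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    seed = secret_from_base32(SAMPLE_SEED_B32)
    now = int(time.time())
    print("current code:", totp(seed, now),
          "valid for another", 30 - now % 30, "seconds")
```

Run with the sample seed and compare the output against any authenticator app provisioned with the same base32 string; the codes match because both sides implement the same standard. The `skew` parameter is the only tunable that matters for security: every extra step you accept widens the replay window for an intercepted code.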

Nearly every site that allows 2FA also allows you to create a handful of "backup" codes that can be used if your phone is not on you. These backup codes are typically one-time use, and only to be used in emergencies. You may wish to print them out and keep them in your wallet to use as needed. If you expect to hold onto them for a while, you may wish to have the cards laminated--from personal experience, the ink on a normal sheet of paper will not survive for very long in your wallet.
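What makes a backup code "one-time use" is entirely on the site's side. The following is an added example, hypothetical server code written for this page rather than any real site's implementation: it issues random codes, stores only their hashes (so a database leak does not hand out working codes), and consumes each one on first successful use. The in-memory store and the account name "alice" are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side store: account name -> SHA-256 hashes of the
# backup codes that have not yet been used. The plaintext codes are never kept.
_backup_store: dict[str, set[str]] = {}


def _hash_code(code: str) -> str:
    # Normalise so "ab12c-d34ef" and "AB12CD34EF" match the same stored entry.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def issue_backup_codes(account: str, count: int = 10) -> list[str]:
    """Generate `count` random codes (40 bits of entropy each), store only
    their hashes, and return the plaintext once so the user can print it."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)            # 10 hex characters
        codes.append(f"{raw[:5]}-{raw[5:]}")
    _backup_store[account] = {_hash_code(c) for c in codes}
    return codes


def redeem_backup_code(account: str, code: str) -> bool:
    """Accept a code once: on success its hash is removed from the store."""
    hashes = _backup_store.get(account, set())
    presented = _hash_code(code)
    matched = None
    for stored in hashes:
        if hmac.compare_digest(stored, presented):
            matched = stored
            break
    if matched is None:
        return False
    hashes.discard(matched)
    return True


def remaining_backup_codes(account: str) -> int:
    return len(_backup_store.get(account, set()))


def demo() -> dict:
    """Scripted walk-through: issue five codes, use one twice, use another
    typed in a different format, try a bogus one, then count what is left."""
    codes = issue_backup_codes("alice", 5)
    return {
        "issued": len(codes),
        "unique": len(set(codes)) == len(codes),
        "first_use": redeem_backup_code("alice", codes[0]),
        "reuse": redeem_backup_code("alice", codes[0]),
        "reformatted": redeem_backup_code("alice", codes[1].upper().replace("-", "")),
        "bogus": redeem_backup_code("alice", "zzzzz-zzzzz"),  # not hex, cannot match
        "remaining": remaining_backup_codes("alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A real deployment would also rate-limit redemption attempts per account, since a short code with no lockout can be guessed online, and would regenerate the whole set whenever the user asks for new codes rather than topping up the old ones.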

Why is a TOTP/Token-Generator App Preferred Over SMS?

In addition to the previous problem that your phone must have a signal in order to receive the SMS (not helpful if you're out of range or in another country), the SMS protocol is not very secure and is prone to interception: messages cross carrier networks without end-to-end protection, and an attacker who persuades your carrier to move your number to a new SIM (a "SIM swap") receives your codes instead of you. For these reasons NIST deprecated SMS as an out-of-band authenticator in its draft of SP 800-63B.

For a comparison of 2FA apps, you may wish to give this page and this one a look. Find one that works for you. Some of the most popular include:

From experience, if you are in the habit of changing out your phone on a semi-regular basis, you may wish to avoid Google Authenticator for now. It does not have an easy way of migrating your tokens over to another device if you get a new cell phone. In effect, this means that if you change phones, you may have to disable 2FA on each service before re-enabling it on the new phone in order to completely 'migrate' devices. Failing to do this can result in you being locked out of your own connected account, making it somewhat of a pain, particularly if you have 2FA turned on across many services. Authy has the ability to authorize more than one device to receive tokens, making migration easier. Other competing products may support this as well.

Some people stay with Google Authenticator and get around the phone migration problem by taking a photo (not a scan) of the generated QR code for each app. Then, when they wish to migrate phones, they simply scan the QR codes in the photos. Bear in mind that the QR code contains the shared secret itself, so anyone who obtains that photo can generate your codes: guard it as carefully as a password, and keep it out of a cloud-synced camera roll.

What if I Want to Use a Hardware Key?

The Yubikey is the current industry standard used by most software companies, although older RSA SecurID tokens are still used heavily in government, and work just fine. Yubikeys are well regarded for their extensive support of the various protocols and integrations with devices (some varieties contain NFC chips so that you can authenticate by simply pressing the key against your Android phone instead of requiring a micro-USB adapter to plug it in), but are somewhat expensive and not fully open source, which may turn off FOSS enthusiasts or the truly paranoid. If either of these poses a concern for you, I advise you to seek out alternatives that may be cheaper or better conform to your security needs. Any device you pick should follow the U2F standard in order to ensure compatibility with your various services and the integrity of the generated token. U2F also binds each response to the site's origin, so a phishing page on a look-alike domain cannot reuse it, which is something neither SMS nor TOTP codes can offer.