What is Two-Factor Authentication?

Two-factor or multifactor authentication can protect your accounts even if your password is stolen.  We suggest enabling it on every site that offers it.  This article gives a brief overview of how it works and how to set it up.

Most people already use two-factor authentication without knowing it.  A "factor" is a category of evidence that you are who you claim to be: something you know (a password or PIN) or something you have (a phone, a card, a token with an ever-changing number on it).  So it might be your password plus your fingerprint, or your password plus a token code, but the most familiar example is the ATM or debit card.

Requiring two different kinds of proof makes the whole process more secure.  If a thief steals your ATM card, they cannot use it without the PIN.  If your kids know your PIN, they cannot withdraw money without the card.  To make a transaction you need both: something you have and something you know.  This is also why a PIN can be only four digits and still hold up: an attacker needs the physical card as well, and the bank locks the card after a few wrong guesses.  Biometrics add a third category, something you "are".  At a high-security facility you might need an access card, a PIN and a fingerprint to get in.  That is three factors, or multifactor authentication.

How does this work on websites?

There are two common ways this is implemented on the web, plus a dozen or so alternatives.  This article covers only the two you are most likely to run into.

The first is text-message (SMS) based.  You give the site your phone number, and whenever anyone tries to sign in to your account, the site texts you a temporary code.  You still have to enter your password, but then you also have to enter the code.  A side benefit is that the text itself alerts you that someone who knows your password is trying to get in.  The downside is that it requires battery life, a text-messaging plan AND a signal, all at the same time; without all three you can be locked out of your own account.  The code also travels over the phone network, so anyone who persuades your carrier to move your number to their own SIM receives your codes, which is why SMS is considered the weaker of the two methods.

The second method uses an app running on your phone.  When you enroll, the site and the app share a secret key; from then on both compute the current code from that key and the current time, so the app never needs to contact the website.  The code changes every 30 seconds, and the site knows what it should be at the moment you log in.  You just launch the app and type in the code you currently see.  Several apps do this, but not every site supports every app.  We use the Google Authenticator app here.  One advantage is that you can connect many sites to the one app; each has its own rolling code, but they are all in one place.  It also works when the phone has no signal to receive a text message, such as inside a building that blocks signals, or when travelling overseas without an international roaming plan.

Where should I enable it?

First and foremost, enable it for your email if you use web-based email (Outlook.com, Gmail.com, etc.)  More on this in a minute.  We also suggest enabling it anywhere you have data stored: Dropbox, Evernote, etc.  Apple offers it for protecting your iTunes account.  We also suggest social media sites like Facebook and Twitter.

How do I enable it?

Go to the site you want to enable it for.  Look in the account or security settings for two-factor authentication.  Most sites walk you through the process fairly clearly.  Have your smartphone handy.  If you choose text messages, you will have to receive and enter one as part of enrollment.  If you choose Google Authenticator, you will need the app installed and ready to go.  The site will show you a QR code; scanning it with the Google Authenticator app establishes the link between the site and your phone.

After you have enrolled, you will typically be given one or more long backup codes.  Print them out and put them somewhere safe; we do not recommend storing them electronically anywhere.  A backup code (along with your password) lets someone bypass two-factor authentication entirely, so treat it like a password.  It exists so that if your phone is lost, stolen or destroyed you can still get in and set up authentication again on a new phone.

What's so special about email?

Using two-factor authentication on your email account is critical.  Nearly every other site sends its password-reset link to your email address, so whoever controls your mailbox can reset your passwords everywhere else.  More on that here.  Even if you never use the web interface to read your mail, someone else can.  We strongly suggest enabling two-factor authentication on any and all email accounts.

The problem is that many email clients, including the built-in mail apps on iPhones/iPads and Android phones/tablets and most PC/Mac clients, sign in with only a username and password and have no way to prompt for a second code.  For these you should set up a special password (often called an app password) just for that one device.  The option to generate them is usually in the same settings area where you set up two-factor authentication.  Create a unique one for each device, and revoke it when you stop using that device.  These special passwords bypass two-factor authentication, so protect them carefully.

The most important site of all

If you follow the other recommendations on this site, then you are probably using LastPass as your password manager.  If not, please read here and here.  You should enable two-factor authentication for your LastPass account too, since it guards every other password you have.

Here is a short list of popular sites that offer two-factor authentication:

  • Apple (iCloud.com, me.com included)
  • Carbonite
  • Dropbox
  • eBay
  • Evernote
  • Facebook
  • GoDaddy
  • Google (gmail.com included)
  • Microsoft (outlook.com included)
  • LastPass
  • LinkedIn
  • PayPal
  • Twitter
  • Yahoo! Mail

There is a more comprehensive list here.