3DSC 2.15: Two-Factor Authentication

Today’s task is to begin enabling two-factor authentication wherever it is available.  This will increase the security of these accounts well beyond what even the very best password could.

Difficulty: Intermediate
Active Time: 5 minutes per account
What it Protects You From: Account takeover from password breaches, key loggers, etc.

What is two-factor authentication, you ask?  When this feature is enabled on an online account, you will be required to enter a second factor besides your password to log in to your account.  If you are logging into a Gmail account, for example, the process will work like this: you enter your username and password as you normally do.  When you click the button to log in, a new screen will ask that you enter your unique, six-digit code.  There are several mechanisms for code delivery, but typically it is sent via an SMS (text) message.  When you receive the text message with the code, you enter it and are granted access to your account.

Each code is only good for one login.  This means that if your username and password are stolen in a data breach, an attacker would still not have access to your account.  He or she would not be able to receive the one-time authentication codes.  This makes your account much, much stronger than an account that is not protected by two-factor authentication.
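The server side of the flow described above, as an added example in Python (not code from any real service). The `LoginService` class, its method names, and the five-minute code lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed code lifetime; real services choose their own


class LoginService:
    """Hypothetical two-step login: password first, then a single-use six-digit code."""

    def __init__(self):
        self._users = {}    # username -> (salt, password_hash)
        self._pending = {}  # username -> (code, expires_at)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def start_login(self, username, password, now=None):
        """Step 1: check the password; on success issue a fresh code."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        # Random six-digit code from a CSPRNG, zero-padded.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = (code, now + CODE_TTL_SECONDS)
        # Returned for the demo; a real service would send it to the phone.
        return code

    def finish_login(self, username, submitted, now=None):
        """Step 2: accept the code at most once, and only before it expires."""
        now = time.time() if now is None else now
        # pop() discards the code on the first attempt, right or wrong,
        # so a captured code cannot be replayed for a second login.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        code, expires_at = entry
        matches = hmac.compare_digest(code.encode(), submitted.encode())
        return now <= expires_at and matches
```

An attacker holding only the breached password never gets past `finish_login`, because the code goes to the account owner's phone and is discarded after its first use.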

To set up two-factor authentication you will first need to log in to your account.  Specifics vary from service to service, but for most you will have to navigate to your “Account” or “Settings”, and then to the security settings.  Two-factor authentication is sometimes also referred to as multi-factor authentication, two-step verification, or some similar variation.  Next, turn this feature on.  You will receive a test code.  Once you have submitted the test code correctly, your account is protected with two-factor authentication!

Some of the accounts and services that offer two-factor authentication are: Amazon, Bank of America, Blur, Chase Bank, Dropbox, Evernote, Facebook, Gmail/Google, Hotmail/Microsoft, LastPass, Slack, Twitter, and Yahoo! Mail, to name a few.  For a much more comprehensive list of sites that support two-factor, visit https://twofactorauth.org/.

Backup Codes:  The vast majority of services that support two-factor authentication offer you a recovery mechanism called a backup code.  This code is there in case you lose or break your phone.  It is obviously important to save these codes; I recommend doing so in your password manager.  It is unlikely you will ever need to use them but, like data backups, it is nice to know they are there.

Like passwords, this is another ongoing task.  Every time you log into an account that you haven’t set up two-factor authentication for, take five minutes and set it up.  Don’t try to do everything all at once (unless you are really motivated).  Just set it up when you are logging into that account anyway.  By this time next week, most of your accounts should be fully protected.
