What is 2-Factor Authentication and Why Do You Need It?

Tuesday, April 4, 2023

What is 2-Factor Authentication?

When using online services, 2-factor authentication (2FA), 2-step verification (2SV), or multi-factor authentication (MFA) adds an extra layer of security. The National Cyber Security Centre (NCSC) described it as "double checking" that it is you attempting to access your services such as emails, banking, and social media.

When you first set up 2FA, the service you are intending to access will ask you to complete an "additional stage," which is usually a code that only you (and you alone) have access to. The code is then sent to you via email, text message, or, in some cases, generated by an app.

Do I need to use 2FA?

While passwords provide one layer of security, cyber criminals have ways of gaining access to them, potentially giving them access to your online accounts. By enabling 2FA, your accounts require an additional verification to prove that it is you, so even if they gain access to your passwords, they will not be able to access that account.

The NCSC recommends that you set up 2FA on your important accounts: those that you place a high value on and that require protection.

Consider which accounts would be harmed if a hacker obtained your passwords.

Email accounts should be secured because if cyber criminals gain access to your inbox, they may be able to gain access to all of your other accounts by resetting all of your passwords.

Different types of 2FA

As mentioned earlier, when you initially set up 2FA, you’ll require a “second step” to access your accounts. Ways this can be set up include:

  • Phone Number
    This tends to be the default 2FA set up by most services. When you first set up the account, you’ll be asked to provide a phone number and this will be your primary number the service sends a code to. If you prefer a call, the service will voice call you on your number and provide the code this way. However, you will need to have access to mobile data or Wi-Fi to get the code, and if you've completely lost your device, you may not be able to recover your account; it all depends on the service provider.
    Whilst text messages may not be the most secure type of 2FA, they are better than having nothing.
     
  • Authenticator Apps
    Authenticator apps, which are downloaded onto your device, are one of the most common 2FA alternatives. Google Authenticator and Microsoft Authenticator are two examples. Once installed, the app allows you to create an unlimited number of accounts and generate unique codes for each one. The codes reset themselves at timed intervals to manage security and offer advantages over text messages in that there is no need to wait for a call or text message, and they still work if there is no mobile signal or you are not connected to Wi-Fi.
     
  • Backup Codes
    Backup codes, which are provided by some services, allow you to gain access to your account if you are unable to gain access another way. Each code can only be used once, and once you've used up all of the codes provided, you'll have to create more. This option provides a good alternative if you don't have your device and can't use the previous two options.
    It is critical that these backup codes are stored safely and securely.
     
  • Security Keys
    Security keys are physical keys that a user plugs into a USB port or connects to via Bluetooth to gain account access. The security keys are configured for 2FA and will authenticate the user without requiring any codes to be entered. Because the private code is stored on the key rather than transmitted over the internet, the keys are not vulnerable to phishing attacks and are considered one of the most secure methods of authentication.

While these are the most commonly used two-factors across the industry, some services may provide alternatives. For example, you may be able to use email verification if the email address is different from the one used for password reset, whereas some services simply require you to provide your permission to log in.

Although these options provide an additional layer of security for your accounts, it is also pivotal that you have a backup plan in place in case any problems prevent you from using your usual method. Backup codes are ideal in this situation because they can be used even if your device or key is lost.

Setting up 2FA

There are some services which will already have 2FA enabled. However, most sites won’t and if it is required then you need to switch it on manually to get that added layer of protection. If the service does offer 2FA, you will usually find this in the settings, under security or two-factor authentication settings. Services may differ on how this is presented, so if you are stuck we’d recommend using the help section.

Do I need to use 2FA all the time?

No, you will only be required to use 2FA when it is critical and the service wants to ensure it is you and not a dreaded hacker. For example, when you request a password change, log into your account from a new device, add a new payee to your banking app, or do anything else that involves sensitive information being obtained. If your device prompts you for 2FA every time you log in, try selecting the option that "remembers your device or browser" if it is available.

Only select remember me if you are using your own device; you should not do this on any shared or public devices.

My service doesn’t offer 2FA

If your service provider does not yet provide 2FA, you must ensure that your password is strong, secure, and unique. Using three random words that are memorable to you and being creative with them is a good way to do this. Look at one of our recent blogs for more information on passwords and our recommended best practices: Why Passwords Matter

Key Tips

At MMS, we always recommend that you use the most secure option available to you and your company. But keep in mind:

  • Always enable 2FA whenever possible;
  • Memorable information or security questions do not provide the same level of security; and
  • Keep your 2FA devices secure.

We hope you found the information in this blog useful. Would you like to learn more?

Click here for more information on the cyber-security services we offer.

MMS work in partnership with globally recognised software and hardware providers. Our partnerships enable us to offer you competitive prices on 3rd party technology.

Our service provision is independent so you can rest assured our recommendations are based on what is best for your business.