Need to know
- Passwords aren't as secure as you might think.
- Adding two-factor authentication or two-step verification adds an extra layer of security to your accounts.
- There are a variety of two-step security options available.
Passwords aren't hard for criminals to get around. Once they do, they can potentially access your personal information, email, banking accounts or credit card details, among other things.
Two-factor authentication (2FA) and two-step verification (2SV) make your accounts significantly more secure, often without much extra effort, thanks in part to the proliferation of smartphones.
Why do I need two-factor authentication?
Because passwords aren't as strong as you think.
A password is a single layer of authentication that's vulnerable to phishing, brute force attacks, data breaches, and social hacking, to name a few common work-arounds. (See types of password attacks for more information.)
Worse, if you use the same password for several services, cracking one gives access to them all.
Two-factor authentication provides an extra layer of security as your password alone is no longer enough to log in to your account.
Common two-step security options
Smartphones have revolutionised two-factor authentication and two-step verification. They support most of the popular options, and are incredibly useful as most of us are rarely far from our phone.
Some authentication and verification methods are faster or more convenient than others, and some far more secure.
To find out what options you can use, do a web search for the name of the website or service you want to lock down, plus the words "two factor authentication", "two step verification" or their acronyms.
Free apps, such as Google Authenticator or LastPass Authenticator, are one of the best trade-offs between security and ease of use.
Once linked to an account, the app generates a new number code every thirty seconds or so. When prompted, open your authenticator app and punch in the current number for the appropriate service.
Some make it easier by letting you hit an "authenticate" button that sends the number code directly to the service.
It only takes a few seconds and is extremely hard for hackers to crack.
Some websites or services make you use their own proprietary authenticator app, so you might end up with multiple ones on your phone. Drop them all into the same folder for ease of access.
Google Authenticator generates a code to use when logging on to an online service.
Secret questions are usually for recovering forgotten
passwords, and they aren't very secure. If you pick a personal question – such
as your mother's maiden name – you're vulnerable to social hacking from anyone
who clicks "forgot my password".
As with passwords, some PINs are more common than others, leaving you open to brute force attacks. If your PIN is an important date or number to you, or a niche-famous number from TV/movies such as 1701 (a Star Trek reference), social hacking is another a concern.
When signing into an account, you'll receive a one-time code
SMS messaging is one of the least effective security
options. Scammers can fool your provider into porting your number to a new SIM card
or provider so they receive the security SMS codes, instead of you.
Another concern – if your SMS notifications show up on your
phone's lock screen, it may be possible for someone to see the code without
unlocking it, assuming they have your phone in their possession.
Instant messaging (IM) service verification
This is more secure than an SMS because your IM account is
harder to steal than your phone number. A scammer needs to hack your IM account
first before you're compromised. If that IM account is locked with an effective
second step, you should be pretty safe.
As with SMS, if your IM notifications display on your lock screen, someone with your phone might be able to see any code sent to you.
You'll get a one-use code via email. The only likely way for a criminal to get this is if they've already hacked your email account. If your email account is locked down with second-step security, this can be a safe and easy method.
If your email notifications pop up on your phone's lock screen, the code may be visible without unlocking the phone.
USB security keys such as the YubiKey 5 with NFC help simplify the two-step sign-in process.
USB security key authentication
Dedicated USB security keys were once for governments and
corporations, but some companies such as Yubico are making them for the public.
When prompted, plug the key into a USB port and your sign-in will be complete.
Security keys are extremely safe – they can't be hacked
remotely, the unique code they use changes every time they're used, and newer
models have a sensor that detects if a human is touching it – something bots
would struggle to emulate.
Sometimes you can skip the password altogether and just use
the key as your only authentication step, though this is still pretty rare.
You can also make your own DIY security key out of a USB
stick and special software. This is complicated to do and the better programs
for it cost money.
However, while extremely hard to crack, USB keys are easy to
lose and fiddly if your USB ports are occupied or awkwardly-located, and
limiting if your security key doesn't work with your phone.
It's also tempting to leave them plugged into a laptop,
tablet or phone to make life easier for yourself. But if you then lose that device,
whoever finds it has the key.
What if I lose my authentication device?
Whether you're using an authentication app, fingerprint ID,
or some other 2FA or 2SV method, there are usually ways to recover your log-in
information if you lose access.
Authentication apps often give you a code, or list of codes,
to write down when you first sign up. Keep these handy if you want to be able
to recover any lost sign-in info.
Other methods, such as a fingerprint ID, might have a
less-secure fall back such as a PIN or secret question-style "I forgot my
Any system you sign up to use should have information as to
how to recover accounts if you lose access to your authentication or
verification information. If you're worried about losing access, be sure to
check up on them before diving in.
Phishing tricks you into giving up personal information, login names and passwords. This can be done in a number of ways, and can even fool hardened security veterans.
Brute force attacks
One of the more basic forms of account cracking, brute force attacks make thousands of educated guesses as quickly as possible. They tend to try common passwords first such as "123456", "password1" and "iloveyou", as well as countless more, before moving on to dictionary words and common phrases.
Having a strong, unique password is good insurance against a brute force attack, but it's no substitute for 2FA or 2SV.
Hackers may target the service, company or website you have an account with. They can steal your login name and password from online databases, then sign in from a remote location. Everyone from small websites to goliaths like Facebook can suffer data breaches.
How open are your social media accounts? Social hacking is when someone looks up your publicly-available information, such as what you or people you know list on social media, and uses it to crack your accounts.
If your password includes something personal such as the name of a family member or pet, it can be guessed after a little research.