“Two-factor authentication.” It’s an ugly term for something that needs to be in your daily life.
But you also need to know its limitations.
First, though, let’s start with something more basic: What is two-factor authentication? It’s where you log into a website or app and, once you type in your password, you’re prompted to do something else, like enter a six-digit code or tap a pop-up on your phone.
With two-factor, hackers need both your password and access to your phone or other “second factor” to break in. If you regularly log into Facebook, Gmail, banking and other accounts with just a password, you have a security hole.
Two-factor is generally easy to turn on. Every online service worth its salt has the option in its settings, though you may have to dig. (Doing a Google search for “two-factor authentication” and then the website or app’s name generally directs you to the setting, or to a how-to page about it.) And once you’re logged in, it generally won’t keep bugging you for that second factor, unless you log out manually or the service senses unusual account behavior.
However—and this is where it gets confusing—there are three main flavors of two-factor authentication, and each has its own concerns. Here’s a closer look:
Text messages (aka SMS): When you put in your password, a text message is sent to the phone number that the service has on file for you. You type in the code and you’re on your merry way. It’s super simple, and if the service already has your digits, it requires zero setup.
However, someone could steal your phone number. Reports of phone-number hijacking are on the rise, according to the Federal Trade Commission.
It’s not as if phone accounts are unsecured, but they can be vulnerable to “social engineering,” formerly known as con artistry: A panicked person turns up at the carrier’s store without phone or ID, asking to shut down a “stolen” phone and activate a new one, for instance.
There are less Oscar-worthy ways of fooling a carrier, too. Hackers might also be able to take possession of your phone number by gaining access to your online carrier account or even your email. (This is why you need two-factor authentication turned on everywhere in the first place!)
The carriers say they’re aware of such problems and are working on them.
“The wireless industry and other stakeholders continue to make two-factor authentication more secure,” says John Marinho, vice president of cybersecurity and technology at CTIA, the cellular carrier industry association.
So, should you be concerned about using SMS if it’s your only two-factor option?
“If you’re not a high-value target, it’s probably not something to worry about,” says Sanjay Goel, associate professor at the information-technology management department at SUNY Albany, and director of the New York state Center for Information Forensics and Assurance.
But if you are someone who may be targeted by hackers for political, financial or other reasons, he says, “I would definitely suggest using something other than SMS.”
Indeed, the recent Equifax Inc. data breach may provide hackers with even more ways to steal people’s identities. Personal information exposed in the breach of the credit-reporting giant included Social Security numbers, birth dates and addresses of roughly 143 million U.S. consumers.
Apps: Additional security is available through the apps of the biggest online players, such as Google, Apple and Amazon. If you log into the Google search app on your smartphone, it starts working as your second factor: When you try signing on to Google on a new computer, you’ll get a message on your phone.
Apple recently overhauled its two-factor system, and now you can go into your Apple ID settings and identify “trusted devices” that can be used to authenticate you.
Facebook steers users away from SMS. If you log in on a new device or browser, it will direct you to the code generator inside the Facebook app on your phone. SMS texts are still offered, but only as a backup option.
Some companies rely on third-party apps, such as Symantec’s VIP Access and Google’s Authenticator, which all work pretty much the same. If you turn on two-factor for your Amazon account, for instance, the website will display a QR code on screen. Launch one of the authentication apps just mentioned, scan the code, and that app will provide you with ever-changing codes for your Amazon logins.
Not only are such apps inherently safer than SMS—as are those of Facebook and Google, as well as Apple’s built-in authentication—they also keep the codes inside your smartphone. Text messages by default appear on your locked screen, but with apps, you have to unlock the phone to make two-factor work. (If your phone isn’t protected by your fingerprint or at least a passcode, we need to have a serious talk.) Just don’t lose your phone!
My advice would be to make two devices your “trusted” ones, say a phone and an iPad, so that if you lose one, you can still log in using the other.
Services usually offer backup measures, too, such as the print-and-save recovery codes that are provided by Google and Facebook.
Keychains and USB dongles: It’s one of the oldest types of second factor: a keychain with a tiny LCD screen generating a new second-factor code every 60 seconds, according to some divine plan that hackers can’t guess. A modern version of this is a USB key such as YubiKey, which transmits the codes from your computer or compatible mobile device directly to online services.
Dongles such as these are considered very safe. And with YubiKey, you could even eliminate the minor hassle of typing in a code you read from your phone’s screen. On the downside, dongles are easier to lose than phones, and setup can often be a multistep process.
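The authenticator apps described above and the code-generating keychains work the same way under the hood: the service and the device share a secret (that is what the QR code carries), and each side derives a fresh code from the secret and the current time, so the codes are not guesses but a computation both sides can repeat. Here is that computation (RFC 6238 time-based one-time passwords) worked through in Python, as an added example that is not from the article; the otpauth URI, issuer and account name are constructed, the key is the RFC’s published reference key, and the 60-second keychain refresh is just a different `period` value.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of URI an enrollment QR code encodes. The
# secret is the RFC 6238 reference key ("12345678901234567890" in base32);
# the issuer and account name are made up for this example.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&digits=8&period=30")

def parse_otpauth(uri):
    """Extract the TOTP parameters an authenticator app stores after a scan."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),  # 60 for the LCD keychains
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }

def totp(secret_b32, at, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HMAC the time-step counter, truncate dynamically, reduce mod 10^digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // period)   # 8-byte big-endian step number
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                           # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros

def verify(secret_b32, submitted, at, period=30, digits=6, algorithm="sha1", window=1):
    """Server side: accept the current step and +/-window neighbours to absorb clock
    skew, comparing in constant time so a code cannot be confirmed digit by digit."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at + step * period, period, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], 59, p["period"], p["digits"], p["algorithm"]))
```

The service keeps the same secret and runs the same `totp` function, which is why a code typed (or relayed) to someone else is just as good for them as it is for you.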
People don’t want to stress out over security, they just want it to work, says Dr. Goel.
“If you make technology adoption too hard for people, they’re not going to do it,” he says.
Super important final advice: There’s one more thing you need to know: Don’t ever tell someone the second-factor code, or tap OK on the app because someone tells you to.
If you yourself aren’t trying to log in, if people from “customer service” call and say to do it, they are social engineers…that is, con artists.