Two-factor Authentication (2FA)

by | Jul 15, 2022 | 1 comment

Let’s start with the single most important thing you can do to protect any of your online accounts — using two-factor authentication (2FA). Sometimes called multifactor authentication (MFA), enabling it is easy to do, and you probably already use it for at least one of your accounts. If your bank texts you a code to enter after you’ve already entered your username and password, or has you open an app to approve your login, congratulations — you’re already using 2FA! 

[Image: Electronic Frontier Foundation video conferencing background, via Wikimedia Commons]
2FA is the easiest and best action you can take to secure any online account

Your password is the first factor. The phone number or app is the second: it checks that whoever knows the password also controls the phone number or device that was registered on the account.

What is two-factor authentication?

Two-factor authentication means proving who you are with two separate things before you get into your account, typically something you know (a password) plus something you have (a phone, an authenticator app, or a security key). For example, rather than just a password, you use a password plus a code texted to you. The second factor matters because a leaked or guessed password on its own is no longer enough to get in.

Some services don’t let you choose what second factor you use. Many social networks and more tech-forward companies will let you pick from a phone number (SMS), a TOTP code (the kind an authenticator app generates), or a security key. Those options run from weakest to strongest: security keys are the most secure, followed by app-generated one-time codes, and finally SMS (text) codes. With that said, even SMS codes are drastically more secure than using a password alone.

[Image: popular authentication methods on a scale from good to best]

SMS (text) codes

Text codes are much better than nothing, and for the vast majority of people the vast majority of the time, they work fine. They have two major vulnerabilities, however.

The first is that bad guys can steal your phone number in what’s called a SIM swap. They call your mobile provider, pretend to be you using some of your personal information, and ask to move your number to a new SIM card or phone that they control. Once your number rings their phone, they log in with your password (which they usually get from a data leak or by other means), receive the text code themselves, and take over your account. Ensure you know your mobile provider’s security questions or account PIN, set one if you haven’t, and make it hard to guess or find online.

It’s also possible to hack the phone network itself to steal or intercept texts sent to your number, either by exploiting weaknesses in the signalling network carriers use or by abusing commercial services that reroute text messages. This used to be rare, but a number of companies now make it easier. There’s not much you can do to stop this other than not using SMS messages as a two-factor method.

SMS text messages were already the weakest link securing just about anything online […] Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users.

Brian Krebs, security researcher

The second problem with text codes is phishing. We’re going to talk about phishing a little later. For now, know that phishing is someone trying to trick you into handing over private information, like your credit card number or password, usually through a fake email or a look-alike login page. A phishing page can ask for your text code right after your password and pass both to the real site before the code expires, so SMS codes do nothing to stop it.

Quiz: Can bad guys really manipulate your cell phone carrier into letting them steal your phone number?

Yes. Unfortunately, it’s true. Here’s just one example.

TOTP (app-generated) codes

Time-based One-time Passwords (TOTP) work similarly to text codes from your point of view: you open an app, read a six-digit code, type it in, and the code changes every 30 seconds or so. Under the hood, though, nothing is sent to you. When you enable TOTP on an account, the service gives you a secret (usually by showing a QR code that you scan into your authenticator app) and keeps a copy for itself. From then on, both sides run the same algorithm (an HMAC over the shared secret and the current time, as specified in RFC 6238) to produce the same short number on your phone and on the server. When you log in, the server computes the number it expects for the current time and checks that it matches the one you typed.

Because the code is computed on your own device rather than delivered to you, there’s no middleman to attack: the SIM-swap and network-interception tricks that work against text messages don’t apply. The app also needs no network connection at all; it only needs the secret and a reasonably accurate clock, which is why it keeps working in airplane mode. The flip side is that the secret lives on your device, so save the backup codes the service offers when you enable TOTP, or losing your phone can mean losing access to the account.

[Image: a physical TOTP token]
TOTP codes predate smartphones – they used to come on little dongles like this one used by World of Warcraft players.

Again, though, this doesn’t help you against phishing attacks. Phishing is the most common threat you’re going to face — you’ve likely seen it before in your spam box — and attackers are only getting more sophisticated. What can you do?

Let’s do a deep dive into phishing and the one two-factor method that can help you prevent it entirely.

Quiz: SMS codes can be hacked. Are SMS codes more secure than not using two-factor auth at all?

Yes. Even though it’s flawed, SMS-based two-factor auth is still an additional layer of security that can repel many attackers. It’s much riskier to rely on a password alone than on SMS 2FA plus your password.

The above content is part of a course.