Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a feature that websites offer that makes it harder for hackers to break into your account. Enable 2FA on critical websites.

Problem

When you log into a website, you usually use 1) your email address or username and 2) a password. Your password is a shared secret that only you and the website know. When you use this secret password with a website, it knows you must be who you say you are, because nobody else knows the password.

Diagram of a user logging into a website with an email address and password.

This password doesn’t always stay a secret. If you use an easy-to-guess password, or hackers break into the website and get access to the stored passwords, other people can pretend to be you.

Hackers continue to get access to private data, including passwords, at an alarming rate. In 2018 an estimated 4.5 billion records were breached from websites. In 2019 an estimated 2.7 billion identifying records were posted on the web for sale [1]. In 2020, during the global COVID-19 crisis, attackers focused more on health-care data at an even larger scale [2].

For vital services like online government portals or email accounts, you may need additional security that a password alone cannot provide.

Solution

Today, many websites give you the option of identifying yourself not just with a secret password but also with your phone. Once you log in with your password, you then open an app on your phone that shows a six-digit code and type it into the website. The website checks that the code matches the one it expects for you. Only someone with your phone can log into the website. Even if a hacker guesses your password or steals the website’s passwords, it is unlikely that they will also have access to your phone.

Diagram of a user logging into a website with not just an email and password but also a one-time code from their phone.

A password is something you know. A phone is something you have. By setting up a website to only recognize you based on both something you know and something you have, you are using two-factor authentication (2FA). The first factor is your password, and the second factor is your phone. Some websites also refer to 2FA as two-factor verification.

Examples of how to use 2FA

When you search online for how to enable 2FA, you will usually find easy-to-follow instructions. For example:

When you enable 2FA, also print out the backup codes the website gives you. These let you log in even if you forget or lose your phone. [3] [4]
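The backup codes mentioned above are issued by the website, and the study in footnote 4 notes that users often see them as "just another password". Here is an added example (not code from the original article) of the server-side handling that makes them different from a password: each code is random, shown to the user exactly once, stored only as a hash, and consumed on first use. The ten-character format, the `store` dictionary standing in for a database table, and the function names are this example's own assumptions.

```python
# Added example (not from the original article): issuing and redeeming
# one-time backup codes on the server side. Assumes each code is 10 hex
# characters (40 random bits) and that `store` stands in for a database table.
import hashlib
import secrets


def normalize(code: str) -> str:
    """Accept the code however the user typed it: drop spaces and dashes, ignore case."""
    return code.replace(" ", "").replace("-", "").lower()


def hash_code(code: str) -> str:
    """Backup codes are random, so a plain SHA-256 at rest is adequate; storing the
    hash instead of the code limits what a database leak reveals."""
    return hashlib.sha256(normalize(code).encode("ascii")).hexdigest()


def issue_backup_codes(n: int = 8):
    """Return (codes to show the user once, hashes to persist).

    The plaintext codes are never stored; the user prints them, and the website
    keeps only a used/unused flag per hash. Re-issuing replaces the whole set.
    """
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(5)              # 10 hex characters = 40 random bits
        codes.append(f"{raw[:5]}-{raw[5:]}")    # xxxxx-xxxxx is easier to read off paper
    store = {hash_code(c): False for c in codes}   # hash -> already used?
    return codes, store


def redeem_backup_code(store: dict, submitted: str) -> bool:
    """Consume a code: succeeds once, then never again for that code."""
    digest = hash_code(submitted)
    if store.get(digest) is False:              # present and not yet used
        store[digest] = True
        return True
    return False                                # unknown, or already spent


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("give these to the user once:", codes)
    print("first use:", redeem_backup_code(store, codes[0]))     # True
    print("second use:", redeem_backup_code(store, codes[0]))    # False
```

Because each code works only once, a single leaked code is far less valuable than a leaked password, which is the property users in the study were missing. A real deployment would also rate-limit redemption attempts per account, since a 40-bit code is short enough that unlimited online guessing must not be allowed.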

Footnotes

These are references made during the article.


  1. https://en.wikipedia.org/wiki/List_of_data_breaches ↩︎

  2. https://securityboulevard.com/2020/04/a-round-up-of-data-breaches-in-march-2020/ ↩︎

  3. Colnago, Jessica, et al. "‘It’s not actually that horrible’ Exploring Adoption of Two-Factor Authentication at a University." Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems. 2018.

    • In 2018, Google reported that less than 10% of users use 2FA.
    • In 2016, Dropbox reported less than 1% of users use 2FA.
    • “those who have never used 2FA are likely to perceive it as more difficult to use than it actually is”
    • Users are afraid of losing their phone and not being able to log in again.
    • If an account is not perceived as high-security, users don’t think 2FA is worth it.
    • Researchers’ recommendations
      • Deploy 2FA incrementally, only start with systems where security benefits outweigh costs
      • Provide clear instructions on how to use, and simple steps for avoiding lockout and what to do if locked out
      • Convince users that 2FA is valuable and easy to use.
    ↩︎
  4. Reese, Ken et al. “A Usability Study of Five Two-Factor Authentication Methods." SOUPS @ USENIX Security Symposium (2019).

    • “However, about one-third of the participants reported an instance of not having their second-factor device immediately available when they needed it.”
    • Two-thirds of participants using TOTP had a problem typing the code in before it timed out.
    • 25% of participants felt that backup codes are just another password and did not understand them.
    ↩︎