You Need Two-Factor Authentication, but Some Types Are Safer Than Others

Authentication applications are more commonly supported than security keys, which provide the highest level of protection. If at all possible, stay away from text message codes.

Cybercrime is on the rise, and a strong password isn't enough to keep your money, work, and family safe. A second factor is required to secure your accounts from more aggressive bad actors.

More and more websites are implementing two-factor authentication, which requires entering a code after entering your password. Requiring that second factor is like having a door with multiple locks: even if a burglar obtains one key, the door is still secured by a second lock.

Different methods of two-factor authentication exist, each with its own set of security and convenience considerations. Here’s a guide to different options, and what you need to know to protect your digital life.

Use Unique Passwords

Examine your passwords before enabling two-factor authentication. How frequently do you reuse them? Criminals frequently take usernames and passwords obtained from one breach and try them on other websites.

For each of your accounts, use a password manager to generate—and remember—long, unique passwords. For the less tech-savvy, I recommend starting with the free manager included in your browser or operating system. If you use a lot of online services, changing all of your credentials can be a time-consuming and unpleasant chore. But it's worthwhile, especially if your previous credentials have already been compromised. (Check out haveibeenpwned.com, which just asks for your email or phone number rather than your passwords.)

Turn on two-factor authentication once your passwords have been strengthened. Not many services enable it, and those that do tend to bury it in settings, usually under the "account" or "security" sections. Once you've found it, review your options. Some providers let you choose from a variety of authentication methods and even set up several backups.

Security Keys: The Most Protection

One type of two-factor authentication is security keys. They're small dongles that you can clip to your keychain or plug into your computer. They may be used to log in to a variety of prominent websites, including Google, Facebook, and most password managers.

The following is an example of a laptop-based workflow: Enter your login and password on a website or app, then plug your key into the computer's port when requested. The authentication is triggered by touching the gold tip or disc of the key. You can obtain keys with wireless alternatives, such as near-field communication (NFC), for a smartphone or tablet, so you don't have to insert the key.

According to Ryan Noon, CEO of the security firm Material Security, security keys are the most secure factor you can utilize to protect your account. He explained that instead of remote access to a string of digits, a hacker would need both the password and physical access to the security key to log in.

Consider setting up a security key for accounts that support it if you're at a higher risk—perhaps you're an executive, an administrator who maintains sensitive data, a social media influencer, or a high-net-worth individual.

For years, I've used Yubico's keys, which start at $25. They're tiny, dependable, and well-known. (Employees at Google and Twitter are given Yubico keys.) The most user-friendly setup is a $60 Nano plugged into your primary laptop while in a trusted area, such as a home office, and a $55 NFC-enabled key on a keychain for use on the move. If the "Do not ask again on this device" option is present when you log in, you won't have to interact with the security key much.

There are certain restrictions. Mr. Noon stated, "Security keys can be a tremendous pain in the buttocks to handle for enterprises and people." When people misplace their keys, they risk losing access to their accounts. Some accounts allow you to print a set of single-use access codes in case of emergency, but it's always a good idea to buy and register a backup.

Authentication Apps: Free and Convenient

For many accounts and services, you can use a single authentication app. Twilio's Authy appeals to me because of its simple UI and ability to give codes on both desktop and mobile devices. To prevent attackers from enrolling unauthorized devices using a hijacked mobile number, require a fingerprint or face ID to use the app, and disable "Allow Multi-Device."

Just make sure you only enter the code when your service asks for it and don't provide it to a malicious website by accident. Do not click the link inside an email or text message that asks you to log into a service you use. Instead, go to your favorite website or app and log in directly.

Push notifications are used in several app-based authentication scenarios. In rare situations, hackers can send a flood of notifications in the hope that a user will mistakenly hit "allow" on one of them, so always read before you tap.
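On the service side, the repeated-prompt pattern described above is visible in authentication logs. The following detection sketch is an added example, not part of the original article: the three-field log layout, the ten-minute window and the threshold of three unapproved prompts are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed number of unapproved prompts in a burst

# Constructed sample log; the "timestamp user result" layout is hypothetical.
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice approved
2024-05-01T23:41:10 bob denied
2024-05-01T23:41:40 bob timeout
2024-05-01T23:42:05 bob denied
2024-05-01T23:42:30 bob denied
2024-05-01T23:43:02 bob approved
2024-05-02T08:15:00 carol denied
2024-05-02T08:40:00 carol approved
"""


def find_push_fatigue(log_text):
    """Return (user, alert, timestamp) tuples for bursts of unapproved prompts."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        stamp, user, result = parts
        ts = datetime.fromisoformat(stamp)
        queue = recent[user]
        while queue and ts - queue[0] > WINDOW:
            queue.popleft()  # forget prompts older than the window
        if result in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == THRESHOLD:
                alerts.append((user, "prompt_burst", stamp))
        elif result == "approved":
            if len(queue) >= THRESHOLD:
                # An approval right after a burst is the case worth reviewing.
                alerts.append((user, "approved_after_burst", stamp))
            queue.clear()
    return alerts
```

A single denial followed much later by an approval, as in the last two sample lines, raises no alert.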

Text-Message Codes: Use With Caution

The code delivered by text message is one of the most well-known methods of two-factor authentication. For the most part, any additional authentication is preferable to a login and password. Nonetheless, you must be aware of this method's flaw.

Criminals use "SIM switching" to steal a victim's phone number by convincing the carrier to port the number to a new account. According to the Federal Bureau of Investigation, these types of assaults are on the rise, but they are typically targeted attacks in which hackers know who they are seeking and what they may steal. People with large bank accounts or cryptocurrency wallets are prime targets.

If at all possible, avoid using SMS-based two-factor authentication. However, for some services, it is the sole option. To secure your phone number, log into your carrier account and look over the security options. Some carriers may even let you add a passcode, which is required if someone attempts to port the number.

Make sure your accounts are protected by more than a lousy, recycled password, whatever you choose.


For more than 20 years, Jeffrey has been defending business owners and their assets from cybercriminals. To speak with an expert security technician, contact RCS Professional Services or visit our website www.rcsprofessional.com to learn how we can help you.


