Two-factor authentication, or 2FA for short, is an additional layer of security that I recommend adding to your most precious internet accounts, for example your email account, password managers and banks. 2FA can also be called ‘multifactor authentication’. Securing a web account with just a password ‘should’ be ok, but we have seen many cases where security has been implemented badly and passwords are weak or leaked. A recent example of this was in May 2018, when Twitter asked all of its 300+ million users to change their passwords after it established that its event logging system was recording passwords in clear text before the passwords had been encrypted. It was an internal event logging system, so Twitter recommended a password update as a precaution… just in case!
2FA prompts for an additional security code rather than relying only on a password (something you know). 2FA can be achieved with a soft or hard token (something you have) or using a fingerprint (something you are). A soft token is software that is installed on something you have (a phone), whereas a hard token is a dedicated device whose sole job is to be the token (a key fob). Both types of token display a set of numbers used in addition to your password to log in.
A popular soft token is Google Authenticator, which uses a time-based one-time password algorithm and can be installed on a mobile, so you always have it with you (if you have your mobile with you). Hard tokens provide additional security by being a physical device rather than software, so it’s a combination of something you have (physical) as well as something you know (password). Yubikey is an example of a hard token. These devices make the authentication process quicker, as you don’t have to type in any numbers, just touch the token, but you must have it with you and the devices typically cost between £20 and £60, compared to Google Authenticator, which is free.
Some websites use SMS text messages for their two-factor authentication. If there is an option to choose SMS or Google Authenticator… choose Google Authenticator! The mobile networks have no authentication or encryption, so it is possible for mobile numbers and texts to be intercepted or spoofed. Having said that, the extra security that two-factor SMS provides is still better than just a password!
It’s fairly easy to set up 2FA. Start by installing the Google Authenticator app on your mobile, then, if you have a Google account, follow their set-up guide at https://www.google.com/landing/2step/ . For other accounts you could use https://www.turnon2fa.com/tutorials/ , which has collated a list of the most popular sites enabled for 2FA.