“2FA” can be used as a verb like this “I 2FA’d my accounts” if you like techno-slang. As you come to know what 2FA means and that it’s critical to account security you will be able to worry considerably less about hacks and breaches . Its a big topic and I’m not going to re-explain it here other than to reference key providers of second factor authentication (2FA).
Why 2FA
Passwords are often weak – lets face it – and if there is a breach of your computer that you haven’t detected an encrypted password file can be broken over time. Using 2FA makes means that a password alone can fail to give access. If, later you change your password, hopefully to a strong one and your security is strong you may have averted the worst impacts of a breach from even happening.
Use an Authenticator Application
First – just accept this will be inconvenient – but for email, it isn’t a daily thing. Your second factor of authentication may be needed as infrequently once monthly or quarterly. When you use many online or web based applications your browser remains logged in without requesting another authentication each time. That makes it far easier to work with than you might expect. Maybe trusting your email and account data to Google is not the best for privacy but that’s another decision towards deeper security that needs more time. Most people have to find the balance between privacy and convenience and it is just a reality that we will trust a lot to our email and search providers. If we don’t do security well now we end up doing it later once we lose control and pay the price if we get a breach and misuse of our our accounts.
A good authentication application is keeping information protected in your device. This means that your device becomes very important to retain access to. [Security Tip 3a#] I have an old phone without a sim card and mostly kept in “Airplane” or offline/non-WiFi mode just to run Google Authenticator. This means I also just leave it in the office you can also encrypt and protect it further if you worry that it will be stolen from there.
I also use Microsoft Authenticator for the Microsoft account as that seems best for their accounts. My trust in any 2FA software tools takes years to develop. I used the google authenticator app for many years so I can recommend that one. It’s probably better to us any type of 2FA than none. Even using a phone call or sms is better than no 2FA. Any secondary factor that relies on your phone number has now introduced the risk of having your phone cloned by hackers in order to breach 2FA.
What about Authy for 2FA
You’ll find reviews misleading – for example “As for which app to use, Google Authenticator offers a barebones experience backed by a company with a sterling security record, while Authy offers more features, like being able to pull codes from not just your smartphone but your desktop or tablet.” However, “more options” doesn’t mean more secure when it comes to 2FA. What if you put it on your desktop … and that is where you get hacked? Then the 2FA may fall into the hands of the attacker so it isn’t so much of a 2FA device. My 2FA device is offline so I can know its not accessible via obvious attacks. Tablets CAN use Google Authenticator – Android, iPad – i’ve used it that way. What is a phone that is off the internet, with no sim card, like my authentication phone … its just a tablet isn’t it? If you choose to use Authy or any provider you should check their history and find reviews that are honest and not mere marketing masquerading as “independent security reviews”.
What is a “critical account” that should have 2FA? Do I need to use 2FA everywhere.
Anything involving payments, or unlocking accounts with “forgot my password” such as email – definitely critical. Anything that is SSO – single sign on – like google, facebook, twitter that you might use to gain access to websites is similar to email. I have to admit I use SSO for access to many shopping websites and that means that if you get into my gmail account you could use my credit card to buy things without even providing the security code.
Financial Apps and Websites that have 2FA baked in
This is not a shameless plug – it is an example to help understand how ubiquitous 2FA is getting. You can limited exposure to risk of credit card by using an in-between service such as Wise. Wise offer a pre-loaded Debit card to limit how websites that take your card number from pulling money directly from your bank. Stolen CC numbers may not be able to abuse your card. I don’t mind recommending Wise because it gives the fairest exchange rates that I’ve seen – it legitimately saves me a lot of money and makes travel easier. Using the Wise App with a debit is an example of better credit card security. Wise has 2FA built in – you put the Wise app on your phone and then you have to authenticate with the app that before login access works. On the phone the App has a pin code. This is a trend as many banks will now enforce some kind of 2FA or nag you to add it.