
Everything you need to know about 2FA

What is 2FA

Traditionally, you enter your email address and your password, and you are in your account.

2FA (two-factor authentication, also called second-factor or multi-factor authentication) is an extra layer of security for accessing your account. It usually kicks in after you have entered your first set of credentials: a popup or a second screen appears asking for a code or token.

In its most common form, the second factor is a unique, short-lived code, usually 6 digits, that you receive via SMS or read off an application that generates codes for you.

What happens behind the scenes depends on the type. For codes that are sent to you (SMS or email), the server checks your email + password combination, then generates a random code, ties it to your pending login for a short time and sends it to you. For authenticator apps nothing is sent at all: your phone and the server each derive the same code from a secret they shared when you set the app up.

After you receive the code you usually have a few minutes to enter it and get in (codes from an authenticator app rotate every 30 seconds, although most sites accept the previous one too). Otherwise the login fails and you either have to request a new code or start over.

Types of 2FA

2FA comes in different flavors, each of them unique in its way of giving you that extra layer of security.

SMS OTP

This is the form of 2FA where an OTP (one-time password) is generated and sent to the user's phone via SMS after they have successfully entered their username and password.

This method is still widely used by banks, insurers and online retailers.

In recent years more and more companies have been moving away from SMS to other types of 2FA, because this method is considered insecure and should be avoided where you have a choice: the code can be intercepted (SIM swapping, where an attacker talks your carrier into moving your number to their SIM, or weaknesses in the telephone network itself), and it is only as safe as the login page you type it into, so a phishing site that relays the code to the real site gets in.


TOTP (Time-based OTP)

At the moment this is the most popular type of 2FA in use.


How TOTP works is that when you turn it on, the site generates a secret key for your account, which you enter (or scan as a QR code) into an app on your phone. From then on the app and the server both compute the same code from that shared secret and the current time, following RFC 6238: the secret is HMACed together with the number of 30-second steps since 1970, and a few digits of the result are what you see.

Apps that hold those secret keys, such as Google Authenticator, Authy or 1Password's built-in OTP support, store one secret per account and show you a freshly generated OTP every 30 seconds.

This method is considered more secure than SMS: the secret never leaves your phone and the server, so there is nothing to intercept in transit. Keep in mind that the code is still six digits you type into a web page; a fake login page that relays it to the real site within the 30-second window will get in, so TOTP does not protect you from phishing the way security keys do.

Push-Based OTP

This method is more elegant and easier to use than the previous ones. Setup is the same as for TOTP (scan a QR code once), but after that you never type codes.

Instead, when you log in, the app on your phone receives a notification telling you that someone is trying to log in, usually with the location and device, and you approve or deny that login with one tap.


The most popular apps supporting this feature are Authy and Duo.

As technology advances and passwordless logins become a trend, more and more companies will integrate push notifications.

From a security point of view you might wonder why a notification would be safer than typing an OTP code. The thinking behind push notifications is that nowadays almost all of us have some sort of lock on our phone (I hope you do; if not, set one up now, please!) in the form of a passphrase, fingerprint or Face ID. Approving a login therefore requires your physical attention on a device you have unlocked, and there is no code for a phishing page to collect. The weak point is the human: an attacker who already has your password can fire off prompt after prompt hoping you tap Approve out of habit or annoyance, so deny anything you did not just initiate yourself, and prefer apps that make you confirm a number shown on the login screen.

Fido U2F (Security keys)

This is the standard I would like to see get more attention, because it beats all the previous methods on security: it is the only one of the four that a phishing site cannot get past.

U2F, or Universal 2nd Factor, is a FIDO Alliance standard for a small physical key that you connect over USB or hold against your phone over NFC to provide your extra layer of security. One of the most popular U2F keys is the YubiKey, and Google recently released its own flavour, the Titan Security Key.


How these security keys work is that after logging in with your username and password, the site sends your browser a random challenge. You plug the key into your laptop (or hold it close for NFC) and tap its button; the key signs the challenge with a private key it created for that site when you registered it, and the browser sends the signature back to log you in.

What is interesting about security keys is that there is no short 6-digit or alphanumeric code at all. The private key never leaves the device, the signature is only valid for the exact site and challenge it was made for, and a fake site at a different address cannot obtain a usable one, which is why this method resists phishing where OTP codes do not. (The long string of letters a YubiKey can type into a text field is a different mode, Yubico OTP, not U2F.)

Another thing is that you never enter a code yourself: touching the button on the key only confirms that a person is physically present, and everything else happens between the key, the browser and the site.

You also don't need an app on your phone, only the key itself. Do register a second key (or another 2FA method) as a backup, though, because a lost key otherwise locks you out.

A YubiKey is pretty solid physically, so you can keep it on your keychain without worrying about scratches or the like.
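The exchange described above, as an added example that is not part of the original post and not Yubico's or Google's code: a simulated U2F key, browser and site in Go (standard library only), showing registration, the challenge-response login, and the two checks that defeat a phishing page relaying a genuine challenge. The origins, the challenge strings and the way the key handle is derived are assumptions made for the demo; real U2F also carries an attestation certificate and JSON-encoded client data, which are simplified here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// credential is one registration inside the key: a private key that never leaves the
// device and may only be used for the appID (origin) it was created for.
type credential struct {
	priv  *ecdsa.PrivateKey
	appID string
}

// SecurityKey stands in for the U2F authenticator; its signature counter only ever goes up.
type SecurityKey struct {
	creds   map[string]credential // key handle -> credential
	counter uint32
}

// Register runs once at enrollment; the site stores the key handle and public key it gets back.
// The handle is opaque to the site (derived from the public key here as a demo shortcut).
func (k *SecurityKey) Register(appID string) (handle string, pub *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not something to recover from
	}
	handle = hex.EncodeToString(priv.PublicKey.X.Bytes()[:8])
	k.creds[handle] = credential{priv, appID}
	return handle, &priv.PublicKey
}

// signedBytes is the U2F message: SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(clientData).
func signedBytes(appID string, counter uint32, clientData []byte) []byte {
	appHash, cdHash := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(appHash[:], 0x01) // 0x01: the button was touched (user presence)
	msg = append(msg, ctr[:]...)
	return append(msg, cdHash[:]...)
}

// Sign is the touch. The key signs only for the appID the handle was registered under.
func (k *SecurityKey) Sign(handle, appID string, clientData []byte) (counter uint32, sig []byte, err error) {
	c, ok := k.creds[handle]
	if !ok || c.appID != appID {
		return 0, nil, errors.New("key handle not registered for this appID")
	}
	k.counter++
	digest := sha256.Sum256(signedBytes(appID, k.counter, clientData))
	sig, err = ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
	return k.counter, sig, err
}

// clientData is what the browser commits to: the challenge it received and the origin the
// page was really loaded from (JSON in real U2F; a plain string here).
func clientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf("challenge=%x&origin=%s", challenge, origin))
}

// browserSign is the user agent. It forwards the request to the key only if the page's real
// origin is the appID the request names; a phishing page relaying a genuine challenge stops here.
func browserSign(k *SecurityKey, pageOrigin, appID, handle string, challenge []byte) (uint32, []byte, error) {
	if pageOrigin != appID {
		return 0, nil, fmt.Errorf("page %s may not use a credential registered for %s", pageOrigin, appID)
	}
	return k.Sign(handle, appID, clientData(challenge, pageOrigin))
}

// verify is the server side: rebuild the message over *our* appID and *our* challenge, check the
// signature with the stored public key, and require the counter to have moved past the last one seen.
func verify(pub *ecdsa.PublicKey, appID string, challenge []byte, lastCounter, counter uint32, sig []byte) bool {
	if counter <= lastCounter {
		return false
	}
	digest := sha256.Sum256(signedBytes(appID, counter, clientData(challenge, appID)))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed origins and challenges; a real server sends 32 random bytes as the challenge.
	site, key := "https://accounts.example.com", &SecurityKey{creds: map[string]credential{}}
	handle, pub := key.Register(site)
	ctr, sig, err := browserSign(key, site, site, handle, []byte("challenge-1"))
	if err != nil {
		panic(err)
	}
	fmt.Println("real site login verifies:", verify(pub, site, []byte("challenge-1"), 0, ctr, sig))
	fmt.Println("same assertion replayed:", verify(pub, site, []byte("challenge-1"), ctr, ctr, sig))
	_, _, err = browserSign(key, "https://accounts-examp1e.com", site, handle, []byte("challenge-2"))
	fmt.Println("phishing page relaying the challenge:", err)
}
```

The phishing page fails twice over: the browser will not let a page on accounts-examp1e.com use a credential registered for accounts.example.com, and even a rogue client that got the key to sign would produce a signature over client data naming the wrong origin, which the real server never recomputes. The counter check is what makes a copied assertion, or a cloned key that has fallen behind, fail as well.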

Why is 2FA so important

So why am I talking about all these different 2FA methods in the first place?

Passwords are still bad

Well, we human beings are pretty bad at remembering complex passwords, so we rely on our brains to make up something easy to remember.

One of the problems with this is that we keep recycling these passwords, which makes it easy for attackers to take over your account if that password was exposed in a previous breach you might not even have heard of.

The alternative is to use a password manager instead.

Stolen passwords

The other problem is that even a unique, hard-to-guess password is not enough on its own: if it is stolen (phished, picked up by malware, or leaked from the site itself), the attacker simply logs in with your credentials and gets immediate access.


2FA makes attackers' lives harder: even if your password is compromised, they still need that second factor to get into your account.

There are billions of leaked passwords out there in the open, and credential-stuffing tools try them against every popular site automatically.

Even though some of these 2FA methods are less secure than others, make no mistake: having some sort of 2FA is still better than nothing. Even the old-school security question (your first pet's name) is better than nothing, although strictly it is a second password rather than a second factor, and the answers are often guessable or findable on social media, so I don't recommend it.

Nobody likes to complicate their life with 2FA, but it is always a good feeling to know your account is safer rather than exposed. You might shrug at the idea of your Facebook account being compromised, but I think you would mind if someone started posting garbage in your news feed on your behalf, wouldn't you?

So, let's get to work.

How to secure your accounts with 2FA

If you haven't set up 2FA on any of your accounts before, this will be a bit laborious, as you'll have to go through all your accounts, log in, find the right settings and turn 2FA on.

Fortunately, there are a couple of resources that ease the pain and take you straight to the setup page.

Authy has quite nice guides on how to set up 2FA on a lot of popular websites.

Another option is Two Factor Auth, a directory of which sites support 2FA and which methods they offer.

What is the best 2FA method

If you have a choice, go for TOTP or, better still, a security key such as a YubiKey.

I use 1Password's built-in OTP for most websites, and for the ones supporting U2F I use a YubiKey.



Author

Andrei Sfat

Not your average software developer. Privacy enthusiast.
