A couple of comments from readers in response to an earlier article have highlighted some confusion surrounding 2FA (Two Factor Authentication), also known as 2SA (Two Step Authentication). So, I thought I’d explain the process and why 2FA is essential to protect critical accounts.
What Is 2FA
Two Factor Authentication (2FA) is simply a secondary means of confirming that the person signing in to an account is the legitimate account holder. When creating an online account the general practice is to provide an email address and password which, provided you use a strong and unique password, is fine for non-critical accounts such as signing up on forums or for newsletters, etc. However, when signing up for online accounts where sensitive/financial information is involved, you will often be required to also provide a mobile phone number or secondary email address — that is 2FA.
How Does 2FA Work
If for any reason the account provider suspects that a sign-in attempt has not been initiated by the legitimate account holder, a one-time verification code will then be sent, either by text message to the mobile phone number or in the body of an email message to the secondary email address, as provided by the legitimate account holder. You then input that one-time verification code to confirm you are indeed the legitimate account holder. So, even if your account log-in details have been exposed — by some breach, hack, or other means — unless the hacker has physical access to your phone or secondary email address, they cannot possibly complete the illegal sign-in.
This also provides a warning system for account holders whereby, if they receive an unsolicited message containing an account verification code, they will know that someone has made an illegal attempt to access their account and they can immediately change their password.
Under normal circumstances — that is, if you’re signing in to a critical online account from the same device that is recognized by the account provider — 2FA will not kick in. However, let’s say, for example, you normally sign in from a PC at home using the Edge browser but this one time, for whatever reason, you sign in to that account on a different device using a different browser, you will almost certainly be asked to confirm your identity by imputing a one-time verification code. That, my friends, is 2FA in action.
Why You Should Setup 2FA
In this day and age, we are conducting more and more transactions online necessitating the creation of more and more online accounts and I would think it’s pretty obvious by now from what you’ve read so far that, for critical accounts dealing with sensitive/financial information, 2FA provides an essential additional level of security over and above the basic email address and password. Personally, I don’t have too many accounts that I deem critical but for those several accounts, I always use a unique and very strong password which I then change every six months as well as always setting up 2FA.
We had a story on the news here (in Australia) very recently of a young business person — owner/operator of a hairdressing salon — whose bank account and the bank accounts of her customers were hacked via secondary software designed for taking bookings and deposits. Turns out the young lady in question used a weak password when setting up her account and did not set up 2FA. Lesson learned.
I hope that helps clear up any confusion regarding 2FA, its function in protecting critical accounts, and the reason it should be utilized wherever possible. If you have any questions, please feel free to ask away via the comments.
—
Yeah I think in this day and age everyone needs to enable 2FA for at least critical services I.e financial and important. I’d even recommend it for social media services – it may not seem important but hacked accounts could be used to damage a personal reputation.
However I’d like to add some see it as a silver bullet that will basically stop people’s accounts getting hacked – it might help but it doesn’t stop the original issue e.g. poor passwords, passwords being reused etc.
Cybercriminals are also trying to find ways about this by claiming to be from the service e.g. Apple. They will state their is an issue with the account but they can’t access it to fix it due to the 2FA so they will need to disable it or share the access code
Hey Peter,
I would definitely class social media accounts as “critical”.
The whole system is a total PIA. GOOGLE GETS SIGNED OUT & I CANNOT SIGN BACK IN AS IT CLAIMS MY PW IS WRONG. THEN IT SENDS 6 DIGIT #S THAT I CANT GET ON MY FONE THERE HAS TO BE A BETTER WAY. IF IT WAS UP TO ME I WOULD GET RID OF GOOGLE AS IT HAS TAKEN US OVER