Easy Two-Factor Authentication: A Simple Guide to Prevent Disaster


2FA is one of the most boring AND important things you need to know to prevent hackers from using your login. This is your guide to easy two-factor authentication before it’s too late.

For brevity, I will refer to Two-Factor Authentication or Two-Step Verification as 2FA.

Why should you use 2FA?

Doing a bit of research, there actually seem to be more searches for how to disable 2FA than for how to enable it, which I can only explain by people not realizing the disastrous, unpredictable consequences if a hacker succeeds in taking over one of your important accounts.

Just to mention a few of the things a hacker can do:

  • Buy things on your credit card.
  • Open accounts in your name.
  • Use your identity for criminal purposes, e.g. supporting terror or illegal drugs.
  • Access your health and medical information.
  • Send messages to your network, who think it’s you.
  • Leak your private photos.
  • See your chat history.
  • Track your whereabouts through location history.
  • Delete important files or information that you will never recover.
  • Get access to other accounts, e.g. at your work.

I realize lazy people will have a hard time doing an additional step to log in, but I can assure you that the few extra seconds will be a lot better than the headache of getting one of your important accounts compromised.

What is 2FA in simple terms?

I really wish technical people would come up with, well… names that sounded a lot less technical for things that are vitally important for everyone. Googling Two-Factor Authentication (2FA), you will bump into terms like tokens, factors, credentials, security management system, zero trust security model, brute-force attack, key fob, OTP… Come on!

Simply put, 2FA is two locks on your “door” with two different types of keys.

This means using two different login methods instead of one.

A classic example of this is using your own password for the first lock and a code sent to your phone for the second lock. Notice that using two of your own passwords is not 2FA, since they are not two different login types. It doesn’t take a statistician to realize it’s safer to use two locks rather than one.

Where should you use 2FA?

Ideally, you should use 2FA everywhere, but let’s be real. On some less important accounts, you may opt for just using a regular password for convenience. Some accounts are much more important than others.

These are my recommendations on where you should use 2FA:

Mandatory

Email: Your e-mail account, which is the gateway to your other accounts (password resets go there) and holds your private correspondence, which may include login information.

Bank and Public: Your bank and other financial accounts, plus logins to public administration, i.e. your health records and social security info.

Big Tech: Logins to all things Google, Apple, Microsoft, Amazon, and Facebook. These logins give access to a lot of the activities you do online, including other passwords, GPS, credit cards, browsing history, and purchases. They can also be used to log in to third-party sites.

Important

Social media: Separate logins to your social media accounts. These accounts are frequently targeted by hackers.

Subscriptions: Subscriptions like Netflix and Spotify.

Digital stores: Digital stores, where you have bought a lot of items. This could be e.g. Steam.

Optional

Single-purpose accounts: Separate accounts, which don’t contain credit card info or other personal information.

Which method should you use?

The method you use for receiving your verification code should be balanced between safety and convenience. Here’s a short description of each.

  • Security key: Much like a real key, you store your key on a physical USB, which you need to carry around and insert into your device to verify it’s you.
  • Prompt: You will get a prompt on another device, where you are already logged in. This could e.g. be a pop-up on your iPhone or in the Gmail app.
  • Authenticator: A dedicated app will generate verification codes. The codes will expire after a certain amount of time.
  • Phone: You will receive an SMS with your verification code.
  • E-mail: You will receive an e-mail with your verification code.

You might then ask: does two-factor authentication prevent hacking completely, then? No, nothing will ever be 100% secure. A bulletproof door with several locks won’t prevent a bulldozer from tearing down the walls of your house either. If someone is really intent on getting in, they might. However, the potential gains for hackers are highest in companies, as opposed to a single consumer like you and me. The more difficult you make it for a hacker to get in, the more likely it is he/she will give up. As such, while these methods vary in safety, picking any one of them will still reduce the risk of being hacked by a huge margin. The safety ranking is as follows:

  1. Security key
  2. Prompt
  3. Authenticator
  4. Phone
  5. E-mail

Choosing a method is up to you. On the one hand, the safer the better of course. On the other is the convenience of logging in. You will need to have access to your verification method, e.g. carry your phone with you and you will need to do the extra verification step to log in. Most platforms, however, support remembering a device as “trusted”, which means you will only need to do the second verification step once per device. Then there is also the risk of losing your verification method and locking yourself out. This applies particularly if you use a physical USB security key.

My first recommendation is to use an Authenticator app, which I find to be a nice middle ground between safety and convenience for the following reasons:

  • You can have the Authenticator app on multiple devices, e.g. both phone and tablet.
  • It is supported by most platforms.
  • It is safer than both e-mail and phone. If someone gets access to your e-mail, they are actually able to both reset your password AND receive your e-mail verification code.

My second recommendation is to use a USB security key, but only if you carry it around in a black leather briefcase with a PIN and wear a suit and black sunglasses. If you can’t pull that off, go with the Authenticator app …

2FA methods support

Platform     Prompt   E-mail   Phone   Authenticator   Security key
Google       Yes      Yes      Yes     Yes             Yes
Apple        Yes      No       Yes     No              Yes
Microsoft    No       Yes      Yes     Yes             Yes
Facebook     Yes      No       Yes     Yes             Yes
Amazon       No       No       Yes     Yes             No

2FA methods supported by big tech companies

How to turn on 2FA?

Setting up 2FA depends on the platform, but in general, these are the steps:


1. Get an Authenticator app

Download an Authenticator app to your phone or tablet. I recommend using Microsoft’s Authenticator. It supports most platforms and shows an expiration timer for your verification codes.
Download Microsoft Authenticator


2. Go to security settings

This step varies a bit depending on where you want to set up your Authenticator. Find security settings and look for either “Two-Factor Authentication” or “Two-Step Verification”. Choose either “App” or “Authenticator” as the sign-in method.

Here are links to the most important security settings:
Microsoft security settings
Google security settings
Facebook security settings
Amazon security settings
Apple security settings


3. Scan the QR code

In your Authenticator app, use the camera to scan the QR code on the settings page.

After you have done so, the Authenticator app will generate a verification code, which you enter on the settings page to confirm the setup.

And that’s it!
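As an added illustration (not code from the original post or from any Authenticator app), here is how the secret hidden in that QR code becomes the expiring codes your app shows, and how a site checks one; the account name and issuer in the sample URI are made up, while the secret and the expected codes come from the published TOTP standard (RFC 6238).

```python
# Added example: how the secret in a 2FA QR code becomes the app's expiring codes (TOTP, RFC 6238).
# Not the Authenticator app's own code; the URI below is a constructed sample.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a setup QR code encodes (label and issuer are made up;
# the secret is the RFC 6238 reference seed "12345678901234567890" in base32).
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Pull the shared secret and code settings out of an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = parse_qs(parts.query)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }

def totp(secret_b32, unix_time, digits=6, period=30):
    """Code the app shows for the time window containing unix_time."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # QR secrets are often unpadded
    counter = int(unix_time) // period  # which time window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def seconds_remaining(unix_time, period=30):
    """What the app's expiration timer counts down."""
    return period - int(unix_time) % period

def verify(secret_b32, submitted, unix_time, window=1, digits=6, period=30):
    """Site-side check: accept one window of clock drift either way, compared in constant time."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step * period, digits, period)
        if hmac.compare_digest(expected, submitted):
            return True
    return False
```

Because the code depends only on the shared secret and the clock, the same secret scanned into two devices yields identical codes, which is why the app can live on both your phone and your tablet.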

How do you prevent getting locked out yourself?

Added security is of course a double-edged sword that also risks locking you out if you lose your authentication method. These are my effective tips for preventing this:

  • When you get a new phone, migrate and set up your authenticator immediately. Check everything works before you erase your old phone.
  • Most platforms support backup codes. Generate and print these. They will act as a “spare key”.
  • Add a second verification method.
  • Keep passwords in one place with a password manager and stick with the Authenticator method, where possible, so you don’t confuse yourself as to which login method you should use.
  • Always use separate accounts for logging in; don’t use e.g. your Facebook or Google login on third-party platforms.

And that’s easy Two-Factor Authentication for you!

Stay safe!
