Michael Daly

A Short Case for 2FA

October 27, 2020

October is National Cybersecurity Awareness Month, a time for all of us to consider our security risks on the internet. As our lives become increasingly digital, the importance of strong security practices compounds. The easiest, simplest, and cheapest step most people can make to improve their internet security is to enable two-factor authentication for their most important accounts (email, bank, shopping, etc.).

Your internet security depends on how well you can uniquely identify yourself to a computer. You need methods of distinguishing yourself from anyone attempting to impersonate you on the internet. Identification methods fall into roughly three broad classes:

(1) Something ONLY you know (e.g. passwords, security questions)

(2) Something ONLY you have (e.g. cell phone, car keys)

(3) Something ONLY you are (e.g. biometrics, Face ID, fingerprints)

I don't trust passwords alone for certain accounts. I think I make strong passwords, but I am guilty of reusing them. This wouldn't be a problem unless a company has a data breach and exposes my credentials... which unfortunately seems to happen all of the time. Avast offers a tool to view whether or not your accounts have been compromised and see if your password has been exposed, either as a hash or in plain text. Personally, I've had really good passwords spoiled by Chegg, Ticketmaster, and several other "reputable" companies.

To be fair, each class of identification has potential vulnerabilities. Someone could guess your password, steal your car keys, or lift your fingerprints. However, outside of Hollywood, it's very hard for the same person to do all three, or even two of the three. Thus, by combining multiple classes of identification, two-factor authentication (2FA) severely impedes anyone trying to hack into your accounts. Last year, Google reported that two-factor authentication stopped 100% of automated bots that attempt to defeat your login credentials using lists of stolen passwords. When a bot cracks your password but fails to pass the second authentication method, it effectively notifies you exactly when you need to change your passwords.

Simply requesting an SMS text to verify your identity blocked the most common types of attacks, but I'd highly recommend taking the extra step to get a specialized authentication app like Duo, Authy, or Google Authenticator. Once you've downloaded the app and created an account, the user experience is even simpler than SMS text verification. Using an app on your device is also more secure than a method that's tied to your phone number. Phone numbers were never meant to be private identifiers only you knew. They were designed to be shared with people, anyone who might want to text or call you. The SMS protocols are vulnerable to hackers who can configure a device to imitate your phone number. If you lose your phone, 2FA becomes a bit of a nuisance whether it's conducted through an app or SMS, but at least the app authenticators come with emergency backup codes.

Two-factor authentication apps are free, widely compatible with online logins, and only mildly inconvenient compared to regular login credentials, but the added security for your critical accounts is priceless. I'd argue they're the best, easiest way to level up your personal cybersecurity. If you're already using 2FA, look into password managers or adding biometric authentication for the ultimate trifecta. Then, invite me to read your essay on cybersecurity because you're doing better than me!