Before diving into the importance of two-factor authentication and why you must use it, it’s important to set the scene.
Over the years, we have witnessed a massive increase in the number of websites suffering the consequences of a hack. It seems to be more and more common that we see news about companies losing their users’ personal data as a result of cybercrime.
Sometimes it’s because of carelessness, like using the same password on multiple websites (seriously, don’t do that!). It could be because their ancient security system is not able to keep up with highly sophisticated attacks. It could be because you have left yourself logged in on public computers.
But even if you think you have everything set up, nobody is immune to attacks, and there is a good chance your site could be in the hackers’ firing line at some point.
Does that sound scary enough?
There are different ways you can protect yourself online, but one crucial and incredibly simple way is to use two-factor authentication.
What is Two-Factor Authentication & How Does it Work
Two-factor authentication (also known as 2FA, or 2-step verification as Google calls it) is a type of multi-factor authentication, and it is a simple but highly effective way to add an extra layer of security to your online account. It is designed to protect your accounts from hackers, as you will require a unique, time-limited 6-digit code via your mobile phone to log in.
If you don’t have a mobile, there are other ways, but it is generally the easiest and most convenient way to make use of 2FA.
Why Two-Factor Authentication is Important for Your Online Security
There are many reasons why you should use 2FA:
1. A password is not enough
Did you know that 1.4 billion plain-text passwords were leaked and found circulating online? Most of them are stupidly simple for hackers:
As someone who advocates using a password manager, it’s obvious that strong and unique passwords are crucial, but having 2FA is another simple and powerful way to up your security even further.
And if for some reason your password has been leaked to the wrong crowd, nobody will be able to access your account without the 6-digit verification code from your phone.
2. “Security Fatigue” from having too many accounts
For those who don’t bother using a password manager but still want to create complex passwords, eventually, you will give up trying.
There are so many unique passwords you are forced to think of, but your brain can only handle a limited number of complex, random strings, not a unique one for every single account.
So you will most likely revert to using your old passwords again because it gets too tiring and, heck, it’s easier that way.
3. The human brain is not capable of memorising complex passwords
It is no surprise that the human brain is a terrible password manager.
It is not only impossible for your brain to create genuinely random strings of characters and then memorise them, but as security expert Troy Hunt has said:
“The only secure password is the one you can’t remember”
So you are better off not bothering to try to create and memorise your passwords…
How to Implement Two-Factor Authentication
It is actually very simple to start using 2FA as part of your everyday routine, but it depends on the website that you are using.
If you go to the settings of your online account, where you can activate 2FA, it will ask you to scan the QR code with the authenticator app of your choice. Once you have done that, it will ask you to submit the 6-digit code on your phone.
And that’s it.
In the future when you want to log in, you will need your usual login details and the authenticator app for the code.
If you happen to have lost your phone, or you don’t have access to it, most websites will create backup codes that you can screenshot or print out.
Just make sure that these backup codes are somewhere safe and secure.
2. WordPress Plugins
If you have a WordPress site, it’s very easy to implement 2FA. If you are using popular security plugins like iThemes and Wordfence, they will have a feature where you can activate 2FA, and you can set it up in a similar way to that described above.
Some providers may require you to subscribe and pay for a monthly/annual package to gain access. Personally, I think it’s ridiculous as 2FA should be free and be a standard feature for all websites, so if that happens, you can use a plugin instead.
The website you are on uses a WordPress plugin called “Two-Factor”, which allows you to implement 2FA with ease. It is open source and it is created by trusted developers.
Some websites do not require you to download any apps but will simply send you text messages with the code to log in.
Twitter and Instagram give you that option as well as using the mobile security apps mentioned above.
The only annoying thing is that you will then need to delete those messages eventually and, if you are like me, mark them as unread because it’s bad for my OCD.
And there are stories popping up that it’s not the most secure method either and hackers could gain access by intercepting the text message.
High street banks will have their own version of authentication. Most of them will provide you with one of those little keypads to allow you to access your online bank account or even to carry out basic actions like transferring money.
Since the introduction of the card reader, bank fraud has been reduced as it is much more difficult for hackers to penetrate your account.
And some banks even have automated voice messages instead of a card reader for the same reason.
Either way, they all have the same purpose.
There are also other physical devices which can act as a “security token” like a USB stick, a key fob or even an ID card in some cases.
To some extent, you can also argue that face/voice recognition, fingerprint, DNA and retina scans are also another type of 2FA, and it looks like they are becoming more popular in the latest mobile devices.
Where Should I Implement 2-Factor Authentication?
This is easy to answer: everywhere.
If you have started with one (and you should by the time you have finished this post), then you should look at every single online account you have and activate 2FA.
Trust me – you’ll thank yourself in the long-run.
Just don’t do something crazy like writing them down in a dedicated password book…even if you are using 2FA.
— Ahmed Khalifa (@IamAhmedKhalifa) April 4, 2017
Important Disclosure About Online Security
Here’s the thing though: 2-factor authentication will not make you hack-proof. In fact, it’s impossible for anyone and any site to be hack-proof.
You could have the fanciest, most expensive and strongest online security practices in place right now. But if you click a dodgy-looking “phishing” link from a random email or you have left yourself logged in somewhere, then you will be in a very vulnerable position.
The best thing you can do is to limit the likelihood of that happening by protecting yourself online and following the best practices.
Like implementing 2FA.
The idea of using 2FA is not that new. It is actually becoming a standard feature for many websites and it should be standard practice for you too.
You can search on this website to find a list of websites that are using 2FA, and those that are not. It will give you an opportunity to contact them to ask why they are not using it!
As an advocate for protecting yourself online, it doesn’t bother me if I have to spend an extra 5 seconds logging in to an online account by typing a code into my phone.
Yep, that’s all it takes…5 seconds.
As I always say, it is impossible to be 100% hack-proof.
But you can limit the likelihood of that happening by using simple online security best practices.
Which leads me on to my question to you: is it really that big a deal if you have to spend an extra few seconds to log in or access an account? Especially if it’s to avoid the possibility of being hacked and all the stress that comes with it?
Let me know in the comments below.