Two-Factor Authentication

Two-factor authentication (2FA) has been around for a while, but it has become much more important in the last few years. The reason it gets combined with passwords is this: a password is something you know, and the second factor is something you have (or, with biometrics, something you are). The typical methods you see are TOTP (time-based one-time password) apps like Authy and codes sent by SMS.

Passwords are no longer sufficient by themselves, unless the account provider simply doesn't offer a 2FA option. You could do everything right on your end, but if the account provider gets breached and your password is part of that breach, the attacker can access your account. Usually stored passwords are salted and hashed (meaning they have to be "cracked" and are not usable right away), which is why companies advise people to reset them if an attacker was detected in the company network: a weak or reused password may be cracked before you get around to changing it. 2FA also protects you in other ways, such as against someone watching you type your password in person (shoulder surfing). If they try to log in later, 2FA will stop them.

There are a few different ways you can use 2FA, depending on what level of security you want and what the account provider offers. These include biometrics (fingerprint, face recognition), hardware tokens (YubiKey), SMS, email, TOTP authenticator apps, and push notifications sent to your device (usually a phone). A good trade-off between security and convenience is a TOTP app. SMS should be avoided whenever possible, though some sites will have it as the only option.

2FA Explained

Overview of 2FA methods:

SMS: This is a weak option for 2FA because of the possibility of a SIM swap attack. If an attacker is good enough at social engineering and determined, they can get your number assigned to a device they control, which lets them receive your codes and take over any account that uses SMS verification. Phone carriers have security measures such as port-out or account PINs to protect against this, though I would not advise relying on them.

Email: This option isn't much better than SMS from a security perspective. If your email account itself requires 2FA to log in, it's slightly better, but the account can still be compromised by a session stealer: malware that copies the browser's already-authenticated session cookies, which lets the attacker use the mailbox without ever needing your password or a code. This is one of the most common types of malware, and if you have to deal with it, you don't want all your accounts tied to email 2FA.

TOTP: One of the best options for a balance between security and convenience. There are plenty of apps to choose from (which I'll cover later). The app and the site share a secret seed at enrollment (the QR code), and each side derives the code from that seed and the current time, so no network is involved in producing the code. The codes are usually 6 digits and refresh every 30 seconds. These codes can still be phished or social-engineered from you (e.g. an attacker over the phone convinces you to read out the code), so be aware of this.

Push notifications: When you try to log in to an account, you might get a prompt on a phone or tablet asking whether you just tried to sign in. You can approve or deny from that notification. Fewer providers offer this as an option.

Biometrics: Facial recognition and fingerprints are the two most common methods, and they are usually standard on modern phones. Keep in mind that on a phone, the biometric normally unlocks the device or a key stored on it rather than being sent to the account provider, so it is only as strong as the device's own security. If you use either of these, increase the security checks needed to pass them. For example, when setting up facial recognition on a phone, go into settings and turn on options such as requiring you to look directly at the device with both eyes open.

Hardware tokens: YubiKey is one of the most common choices you'll see for this method. It's considered one of the best options for high security and for anything critical, such as administrator and IT staff accounts. With FIDO2/WebAuthn (the protocol modern keys use), the key's response is bound to the website's origin, which is what makes it resistant to phishing. Cost and convenience are the downsides. Always make sure you have a backup device in case you lose or damage your main key.

Risks:

Lost Access: This is one of the most common issues people deal with when using 2FA. There's a saying in the military community: "If you have two, you have one; if you have one, you have none." If the app allows it, have your 2FA app installed on at least two devices, and always keep the seeds backed up in case they're needed. If your 2FA is tied to email or a phone number, it's doubly important to be diligent about not losing access to those. Some account providers will give you backup codes to log in with in case you lose your 2FA access. ==Always back up these codes somewhere safe where you can access them if needed.==
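Backup codes deserve a closer look, because a good provider treats them like passwords. The following is an added example of my own (not code from this page or from any particular provider) of how a service can generate single-use recovery codes, store only salted, iterated hashes of them, and burn each one on first use. BackupCodeStore is a hypothetical class name, and the alphabet, code length and hashing parameters are my choices for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/l/I so a code written on paper can be read back
# without ambiguity. 31 symbols ^ 10 characters is roughly 2^49.5 possibilities,
# which is plenty for a single-use code behind a rate-limited login form.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = 10) -> list:
    """Return `count` fresh codes, formatted xxxxx-xxxxx for the user to write down."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def normalize(code: str) -> str:
    """Be forgiving about case, spaces and hyphens when the user types a code back in."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    # Stored like a password: salted and iterated, so a leaked table of hashes
    # does not hand an attacker ten ready-to-use bypasses of the user's 2FA.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Per-user store of unused code hashes (hypothetical class for this example)."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; a reused or unknown code is rejected."""
        candidate = hash_code(code, self.salt)
        match = next((h for h in self.unused if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self.unused.discard(match)  # single use: burn it on success
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    # Constructed demo: issue a set, then show that a code works once and only once.
    issued = generate_backup_codes()
    print("Write these down and store them offline:")
    print("\n".join(issued))
    store = BackupCodeStore(issued)
    print("first use:", store.redeem(issued[0]), "reuse:", store.redeem(issued[0]))
```

From the user's side this is why the codes are shown only once at generation time and why the provider cannot "look them up" for you later: it holds only the hashes, exactly as it should.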

Phishing and codes stolen in real time: 2FA codes should only ever be entered by you, and they should never be given out to "support staff." Real support will never ask you for a 2FA code; if support ever asks you for one, you're talking to a scammer. The other risk to be aware of is fake emails, which are a common way to lose access to your accounts. You get what looks like a real email saying there is some kind of problem with your account and you need to click a link to log in and fix it. Once you enter your login details and code into this fake page, an attacker (or an automated relay) on the other end enters them into the real site in real time, before the code expires. You can lose access to your account within minutes and might never get it back. SMS, email, TOTP and push approvals can all be relayed this way; a FIDO2 hardware key cannot, because it refuses to respond for a site other than the one it was registered on.

Interception: If you're going to use a 2FA app on a device, you need to be confident that the device is not compromised, now or later. Authy used to provide a desktop app but stopped developing it, one reason being the security issues of a desktop 2FA app: malware on a compromised machine can read the seeds or the codes. I personally don't recommend using desktop apps for this reason. As for phones, check the mobile security section for more details about hardening. At minimum, vet every app installed on your phone and keep the OS up to date.

Push notifications: If you use these frequently, there's a tendency to tap Allow without carefully reviewing the request, and attackers exploit this by sending repeated prompts until one gets approved ("push fatigue"). Even if you are expecting a notification, always review it, and deny anything you didn't initiate. Where the provider offers number matching (the login screen shows a number you must type into the prompt), turn it on.

Compromised methods: If you're going to use security questions, email, or SMS as 2FA methods, secure them as well as you can. Email accounts should never use weak passwords, and 2FA should be required to log in to them. Set a port-out or account PIN with your carrier if it offers one. Security questions are a huge risk for everyone because the answers (mother's maiden name, first school, and so on) are routinely exposed in data leaks and on social media. Their presence is a sign that an account provider doesn't take security seriously, because good IT personnel knew years ago that these were a poor way to secure accounts. If you have to use security questions, giving random "fake answers" is a better plan, as long as you store them somewhere (e.g. in your password manager) so you can reference them later for account recovery.

Hardware tokens: If you decide to get something like a YubiKey, be sure to have a backup or two, and register the backup on every account at the same time as the primary key, since a key cannot be copied after the fact. If the key gets lost without a backup, like any other lost 2FA method, you'll go through a lot of trouble trying to fix the mess. A backup device should be known only to you and kept somewhere only you have access to.

Biometrics: Proper setup is required for this method to be worthwhile. For example, require attention (i.e. actually looking at the phone) for face unlock to succeed. On a mobile device, you can also set individual apps to require facial recognition or a fingerprint to open. This is an extra safeguard against someone who has found a way to get into your device.

Misconfiguration: If you have multiple apps, phone numbers, or emails, pay attention when setting up 2FA. Always verify which method is actually being used for 2FA, and remove old methods you no longer want, since an attacker can use the weakest one the provider still accepts. Some account providers will also require multiple methods (e.g. SMS and TOTP) in case you lose access to one of them. If you retire a device, remove the authenticator entries or wipe it so nobody can pull the seeds off it.

Switching to a different provider: If you use SMS for 2FA, make sure your number gets ported to the new device or carrier you're going to use. In some cases this won't be an option and you'll have to pick a new number. If so, update or disable SMS 2FA on your accounts before the old number is deactivated so you can re-enable it with the new number.

If you use a 2FA app, you may need to turn off 2FA and re-enable it with the new app. In some cases you can export the seeds from your previous app and import them into the new one, but some apps don't support this (e.g. Authy). If you currently have Authy and want to use a different app, turn off 2FA on every account (or re-enroll each one in the new app) before you get rid of Authy.

If you use any other method (e.g. email) and want to switch, never remove the existing way of getting your codes until the new one is set up and confirmed working.

User behavior: If you're new to using 2FA, it may take some time to adjust to using it frequently. Some people are annoyed by the extra step when logging in to an account and may be tempted to turn it off. 2FA is one of the simplest and most effective ways to protect accounts from takeover, and I would never recommend going without it if the option is available. The risk of account takeover has gone up drastically in the past few years, so the security benefit is well worth the extra 10 seconds it takes to enter a code.