Lately, it seems that each new week brings a fresh revelation about a website security breach and an urgent call to change your password on said site, as well as any other site where you used the same password (admit it, you do this). Most recently, a serious flaw was discovered in the ubiquitous OpenSSL cryptography software—aka Heartbleed. And even though there was no evidence that the flaw had been exploited, Heartbleed sent the Internet into a (justifiable) conniption, with millions of people scrambling to change account passwords for countless vulnerable Web services.
The cavalcade of site hacks (real or potential) isn’t likely to abate anytime soon, but there is something you can do to protect yourself and your small business. Setting up two-factor authentication (or 2FA for short)—on websites that support it—gives your online accounts an added layer of security. Note: you might find that some websites use different terms such as "two-step verification." Don’t fret, it's the same thing.
Ready to learn more? We'll explain 2FA, how it can protect you, and where to find it on some of the most popular websites.
Understanding Two-Factor Authentication
Since the dawn of the commercial Internet you’ve been urged to learn how to create strong passwords. Doing so minimizes the chance of hackers discovering your password through guesswork. But when bad guys compromise a website’s security defenses, they don’t have to guess your password—they can see it. And at that point it doesn’t matter whether the password was Joe2014 or 255 characters long with a mix of numbers, punctuation, and cuneiform.
Simply put, 2FA throws up an extra roadblock to account access should someone get their hands on your password, regardless of whether they’ve guessed it or stolen it from the site itself. As the name indicates, 2FA introduces a second method of proving that you are who you say you are.
The first is your password (something you know). A second can be something you have, such as a piece of hardware. This is how most websites and services implement 2FA, leveraging the fact that just about everyone nowadays walks around with a mobile phone. Yet another authentication factor can be something you are, such as your fingerprint, voice, or face but, practically speaking, we’re still some distance from using personal characteristics to log into Web services.
Depending on how a particular site has implemented it, 2FA is typically handled one of two ways. Either the site sends a numeric code (usually four to six digits) to your phone via SMS text message, or the code is generated by an authenticator app running on your phone (such as Google Authenticator, which is free for Android, iOS and—that most-ancient of mobile devices—the BlackBerry). A site that supports 2FA will prompt for the numeric code after you supply your password; enter the code and you’re in—otherwise, no access.
The benefit of the SMS method is that it can be used on any mobile phone, not just smartphones, and the authenticator app method works even if your phone isn’t connected to the Internet. In either case, the code you get has a shelf life; it expires after a few hours, and you can use it only once.
So what’s the catch? Well, more security always means less convenience, and logging onto sites with 2FA does take a tiny bit more time and effort, but only the first time you log in from a particular computer or device because you can register those you own to eliminate subsequent code challenges.
The other wrinkle comes up when you’re accessing a particular service via a third-party service or piece of software. For example, if you enable 2FA on your Google account and access your Gmail using, say, Microsoft Outlook or the iOS mail app, they won’t work anymore (since Outlook and the iOS mail app have no way to challenge you for the numeric code). For these kinds of situations, services can provide you with new passwords specific to each app, which allow them to work within the 2FA framework.