You may have heard how important it is to have a strong password. However, passwords can still be stolen or an attacker can scam you into giving them your password. To guard against this threat, many websites now offer multi-factor authentication. While different sites may refer to this feature differently, such as two-step login or two-factor sign-in or even login approvals, it has the same goal: to keep you safer online.
In general, when logging into an online account you can authenticate yourself in one of three ways:
- Using something you know (a password)
- Using something you are (a biometric, such as a fingerprint)
- Using something you have ( a one-time code generated for you on your cell or a token)
In the early days of computing, you would authenticate with only one “factor” – a password. However, authenticating only with passwords has many pitfalls, which a determined attacker can exploit.
First, after a data breach, common passwords can be easily guessed. While most businesses store passwords in an encrypted form, if these passwords are not stored properly an attacker can decrypt your password. Worse, if you use the same password on multiple sites, an attacker can then use that decrypted password to log into those other sites. Finally, passwords can be phished – even if your login data is not breached by a hacker, someone can trick you into revealing your password by pretending to be the site you’d normally type into it.
When you use multi-factor authentication, you usually supplement something you know (your password) along with something you have (a one time code) each time you log-in. Research done at Palo Alto Research Center by DeCristofaro et al. has shown that most people use tokens, text message codes, or a dedicated smartphone application as their second factor. By using two-factor, an attacker cannot log into your account, even if she steals your password, unless they also have access to the second factor.
Regardless of what two-step technology you use, it should be noted that when you first setup two-factor, you will be given a set of “backup codes” – codes that can be used in the event you cannot access your two factor codes. If you lose access to whatever technology is generating your two step codes, such as your cell phone or token, you could find yourself locked out of all your important accounts such as your email, online banking, and social media. Or if you’re traveling internationally, you may not be able to receive text message codes. So make sure to record your one-time codes and store them in a safe place.
To summarize, turn on multi-factor authentication on all your accounts. Your email needs multi-factor because it can be used to reset all your other passwords. You need multi-factor authentication on your social media accounts, since people may want to impersonate you to scam your friends. And finally, you need multi-factor on your financial websites such as banks and retirement accounts, because even though you are usually not liable for fraud if you report it, dealing with a data breach can still be very stressful and time consuming.