Two Factor? How many factors?

If you’ve been around the internet at all, one of the first things you have to do is to choose a password. It doesn’t matter what it’s for; you’ve been asked to choose a password. Then another, then another.

Pretty soon, you start to repeat them… yea, I know you do. Everyone does; it’s really hard! How do you remember so many passwords?

In another blog soon (I promise, if it’s been a while, harass me on all the socials – you’ll find all the links on my contact page.), I’ll talk all about password managers.

Today, we’re gonna introduce the idea of 2FA. You might have seen this wee collection of letters and numbers before, or heard the phrase two-factor authentication. I’m just going to talk you through the basics and assure you that it’s not as difficult as you might think, and it really does up your security game a lot.

EDIT: Some people have noted on socials that I should call it MFA or Multi-factor Authentication. Yep, that’s also a thing. I’m trying to simplify it for the non-techy, so I’m introducing the ‘second’ factor, which is why I’m using the phrase 2FA or two-factor authentication.

Basically, it’s a way to prove you are who you say you are, using two different forms of ID. Kinda like when you need to bring your passport and birth certificate to open a bank account. The idea is that someone might be able to steal one form of ID, but stealing two is a fair bit harder, yea?

In everyday internet 2FA, what this generally means is that you have an app on your phone that gives you a number that keeps changing. Like all those scenes in action movies where the protagonist has seconds to enter a code into a bomb to stop it from going off. (There are a couple of other ways too; check below.)

I use an app called Authy; it looks like this.

Blue screenshot of an Authy screen. There is an icon of a key, underneath there is a 6 digit number and a sentence that says it will Change in 19 seconds

They all basically look the same and do the same thing. When you’ve set it up correctly, whatever you are logging into will ask you for your username and password, and then it will ask you for your 2FA token. In this particular case, for this particular account, I would enter the digits 375 660, and then I’d be logged in to whatever I’m trying to log into.
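Here is an added example of how that changing number actually gets made and checked. It is not code from this post and not Authy’s own code: it is a from-scratch implementation of the open TOTP standard (RFC 6238, built on HOTP, RFC 4226) that Authy, Google Authenticator and similar apps follow. At setup time the website hands the app a shared secret (that is what the QR code is); afterwards both sides compute the same six digits from the secret plus the current 30-second time slot, and the secret itself is never sent during login. The secret used below is the RFC’s own published test key, not a real account, and the `TotpVerifier` class is my sketch of what the website side does, including the clock-drift window and the replay check.

```python
# Added example for this post: how the "number that keeps changing" in an
# authenticator app is produced and checked.  Not Authy's code; a from-scratch
# implementation of TOTP (RFC 6238) on top of HOTP (RFC 4226).
import base64
import hashlib
import hmac
import struct
import time

# Shared secret the website hands to the app at setup time (usually as a
# QR code).  This is the RFC 4226 / RFC 6238 published test key, not a real one.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the current 30-second time slot.
    Both the app and the website compute this; neither sends the secret."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """The 'Change in 19 seconds' countdown the app shows."""
    return step - (unix_time % step)


class TotpVerifier:
    """Website side of the login (my sketch, not any product's code).
    Accepts the code for the current slot or one slot either side (phone
    clocks drift), compares in constant time, and never accepts the same
    slot twice, so a code seen in transit cannot be replayed after the
    legitimate login."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_used_slot = -1

    @classmethod
    def from_base32(cls, secret_b32: str, **kwargs) -> "TotpVerifier":
        """Setup QR codes carry the secret as base32 text (RFC 4648)."""
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
        return cls(base64.b32decode(padded), **kwargs)

    def verify(self, submitted: str, unix_time: int) -> bool:
        slot = unix_time // self.step
        for candidate in range(slot - self.window, slot + self.window + 1):
            if candidate <= self.last_used_slot:
                continue                          # already spent: replay
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, submitted):
                self.last_used_slot = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("code:", totp(TEST_SECRET, now), "changes in", seconds_remaining(now), "s")
    verifier = TotpVerifier.from_base32(base64.b32encode(TEST_SECRET).decode())
    print("accepted:", verifier.verify(totp(TEST_SECRET, now), now))
    print("replayed:", verifier.verify(totp(TEST_SECRET, now), now))
```

Run it and you get a six-digit code plus the countdown, then `accepted: True` followed by `replayed: False`, because the verifier remembers that the slot has already been used. The window of one slot either side is why a code typed a few seconds after it “changed” is still accepted; anything older is rejected, which is what makes the constant change useful rather than just dramatic.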

Some options

  • Using an App
    • Twilio’s Authy (screenshot as above!)
    • Google Authenticator – you can read more on Google’s support site here, including links on where to get it.
    • Microsoft Authenticator – you can check it out on Microsoft’s site here.
    • There are many, many others… some password managers (again, the blog is coming soon!) even have one they prefer to work with, but that is not needed.

If you’re choosing to use an app, the most important feature to look for is how to back up the codes. When you enable 2FA on your account, it normally gives you a long list of codes that you can use. Don’t share these, and don’t save them somewhere that’s easy to get at (so don’t email them to yourself!). In fact, some people actually print them off and keep them in a binder. That is ok, except slightly inaccessible if you’re away from your desk.

  • SMS or text messaging – There are definite cons to this one. It is one of the most common, by default, because most people don’t have to set anything up for it to work; just enter your mobile number. I don’t use this one very much because it doesn’t work (or not very well) if you are overseas or somewhere with crappy reception, and hey, we all like going off the grid sometimes, huh?

This is a not-so-good way to do 2FA, and also, ironically, a LOT of major institutions (looking at you, banks!) insist on it being the ONLY way you can do 2FA. This is because they don’t have to teach their clients anything: nothing to download, just “what is your number, and we’ll text you”.

  • A piece of hardware you carry around – like Yubico’s Yubikey. Basically, instead of having to put a code in, you plug the Yubikey into your device and use your finger to touch it.

This is one of the most secure ways to do it, but of course, you must buy the hardware AND remember to have it on you at all times. For those of us that have keys on us all the time, it’s a case of clipping it to the keyring.

How do I set it up?

Netsafe did a great round-up of all the main things (like banks and socials that you might use) on their site here, including this cute image to sum all this up.

Infographic "borrowed" from Netsafe. It shows 4 green squares. The top left has a pair of hands typing on a computer and it says "Sign in to Continue". The top right square has a big button that says "Sign In", the bottom left asks for a code and the bottom right says "Welcome".

I would strongly suggest using a good password on your important things, like your bank and your social media accounts. Then switch on 2FA. Get a geek friend to help you set it up, and get them to show you how to enter the code.

The worst thing is to get hacked, and yea, it happens to everyone. This just makes it one step harder!