For the past few years, my dad has been encouraging me to turn on two-factor authentication (2FA) on any service that offers it. Having grown up in the social media age, I felt his requests were unwarranted.
I know social media inside and out (and I have a master’s degree to prove it). I have always taken care not to share personal information online that I wouldn’t share in person, and I regularly update my security settings across all my accounts on the internet. So what was the big deal with turning on two-factor authentication?
The big deal is that no matter how secure my passwords are or how well I keep my profiles private, there is always a risk of someone accessing my personal information.
Data breaches happen all the time
Unfortunately, we continue to find this out the hard way. Between July 2017 and September 2018, attackers accessed personal data of more than 30 million Facebook users. Alphabet decided to shut down Google+ after the company discovered that a bug in one of its APIs gave third-party apps access to private profile fields for more than two years. Uber even went as far as paying a ransom when hackers exposed the names, phone numbers, and email addresses of 57 million users in 2016.
Frighteningly, these aren’t the only multibillion-dollar companies to experience data breaches this decade—British Airways, Equifax, FedEx, T-Mobile, Under Armour, and Yahoo are also on the list. These companies have financial access to the top cybersecurity experts in the world (at least in theory), and not even they can protect your data.
This isn’t meant to scare you away from the internet. The World Wide Web stores a great wealth of information and is an even better tool for global connectedness. However, that connectivity extends to the unsavory people you don’t want in your network.
How do you keep those people out and your personal data secure?
Ultimately, the answer isn’t that easy, but you can start by enabling two-factor authentication on any service that offers it. (Yes, Dad, I’m finally listening.)
While two-factor authentication doesn’t eliminate security vulnerabilities, it will help keep your personal information more secure. It adds an additional layer of security to make sure someone trying to access an online account is who they say they are.
So, what is two-factor authentication?
To answer this question, let’s first examine what a factor means in security. A factor is one of three things: something you know (like a password), something you have (like a cell phone), or something you are (like a fingerprint). Two-factor simply means two of those factors are required to gain entry into whatever you are trying to access.
- Password + security question? Single factor. You know both of these things.
- PIN + password? Still single. Again, you know both of these things.
- Password + phone? Two factors. You know your password and you have your phone.
- Personal Identity Verification (PIV) card + PIN? Two factors. You have your PIV and you know your PIN.
- Fingerprint scanner + PIN? Two factors.
- Password + phone + fingerprint scanner? That’s multi-factor authentication (MFA). You know your password, you have your phone, and you are your fingerprint.
One of the most common forms of two-factor authentication is the use of a password and your phone. For example, once you successfully enter your username and password, you are then prompted to verify you are who you say you are by entering some other piece of private information only available on your phone. This might be a code sent via text message or a frequently changing string of numbers on an authenticator app.
I spent a lot of time ignoring my dad’s suggestion to enable two-factor authentication, primarily because of the inconvenience it would cause me to set it up and to log into my accounts. But those inconveniences provide additional barriers for the bad guys as well.
More and more companies are allowing users to enable two-factor authentication. There is a nifty site, twofactorauth.org, that keeps an updated list of all the services offering two-factor authentication. I spent the better part of two hours turning on two-factor authentication on Facebook, Google, Twitter, Amazon, Slack, Venmo, and more, and I recommend you take the time to do the same.