Yes, turning on multi-factor authentication (aka 2FA) is really important

When you work within an industry like IT security, you can sometimes get blindsided. Perhaps you feel untouchable by the bad stuff out there, simply because you know it exists, and you know how to secure against it.

Here’s a good example: many who are knowledgeable about IT security KNOW that multi-factor authentication (2FA) is a vital security measure, yet many haven’t turned it on for the majority of their apps (not that all apps offer 2FA, and you should reconsider the value of an app if it doesn’t offer you this additional protection).

Only a few months ago, the press was ablaze with bigwigs like Mark Zuckerberg having their accounts snatched by an unauthorised infiltrator. Having two-step verification (2SV), let alone 2FA, would have helped to mitigate this problem.

Now, we don’t argue that it is painful to set up 2FA individually for every account, but it is one of today’s most recommended methods to prevent account hijacking. So, let’s dive in.

What is 2FA and how is it different from 2SV?

When you sign into an account, you enter credentials to prove you are allowed to access the information within the account.

The best way to explain 2FA is probably using Security Expert Neil Rubenking’s wording:

“There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”

Note that 2FA is different from two-step verification (2SV). The former requires entries from two different authentication factors. The latter does require two steps of authentication, but from the same authentication factor.

In other words, 2SV is not as inherently safe as 2FA, but 2SV is still much safer than relying on just a password to safeguard your accounts.

Why do you need 2FA?

The concept is simple: it is harder to break into two or more authentication factors than it is a single authentication factor.

An example of 2FA would be that you require both a passcode (something you know) and a swipe of a physical card (something you have) to gain access.

So 2FA is a good idea. Even bodies like the PCI Standards Council and the National Institute of Standards and Technology (NIST) both advocate the use of multi-factor authentication, provided it is implemented correctly.

So, how should I implement 2FA?

The National Institute of Standards and Technology (NIST) has recently denounced the use of SMS-based digital authentication because the security level relies on how the phone is configured.

If a user has text messages configured to display on the locked screen, anyone with access to the phone can grab the second authentication factor. Granted, access to one of the connected devices is required, but the security issue here is worrying enough for NIST to denounce its use.

So what are the options now? There are a number of authentication services you can choose from. Some of these are specific to a vendor, such as Google or Microsoft. Others are independent and can be used for multiple applications from different vendors.

Here is our shortlist:

Where should you turn on 2FA?

This is one of those rare situations where more is better. We are talking social media accounts, Google, Dropbox, retail apps, financial apps like PayPal, etc. I mean, just check out this list of popular apps to see whether 2FA is available.

Basically, you really want to try and lock down as many apps as possible with 2FA. And yes, we know it is painful, but trust us, it is worth it.

And if you want some step-by-step instructions on how to go about turning on 2FA, we’ve provided some links below for you:
