We are all used to logging in to our accounts with a username and password, whether it's to access your computer, your email, or your local library website. Usernames and passwords have served us well. Nowadays, though, we are being asked to take more and more additional steps to safely conduct our business online. 2-factor authentication, also known as 2 step verification, is one of the main methods promoted to add security to our logins.
How to use 2-factor authentication when logging in
Let's quickly have a step by step look at how 2 factor authentication looks on a day to day basis when you are using it.
1. You visit the site you are trying to access
2. You input your username in one field on the site
3. You input your password in another field on the site and press enter
4. You are now asked for the 2FA pin. At this point you will go to the authenticator app where a verification code for that site will be shown. This pin changes every 60 seconds or so.
5. You input this code on the site and you are allowed in.
Steps 4 and 5 are new and may just seem like you now have to have 2 passwords instead of 1. However, there are a few key differences that make 2 factor authentication fundamentally different from, and much more secure than, a second password. How we set up 2FA will give us some clues about the differences.
How to set up 2-Factor authentication
Let’s have a step by step look at how 2FA is set up and how it compares to passwords.
In order to use 2-Factor authentication you first need an authenticator app on your phone. Google offers an Authenticator app that is trusted and compatible with many online services.
- Download the Google Authenticator app on your phone
- Visit the site on which you wish to set up 2FA. You will need to log in via the standard username and password as you haven’t set up 2FA yet.
- In the section where 2FA is set up, the site will provide a setup code. This code is usually provided in 2 forms: a QR code and a corresponding setup key that can be copied or typed. It is important to save this code somewhere safe, ideally offline, in case your device is lost or damaged.
- Open the Google Authenticator app on your phone and tap the + button to add a new 2FA account
- If you visited the site on another device, you can simply scan the QR code to add the account. If you visited the site on the same device, you can copy the setup key provided and paste or type it into the authenticator to set up the 2FA account.
- You should now see the changing code in Google Authenticator. You have successfully set up 2 step verification on your account and it is ready to use.
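The setup key is a secret shared between the site and your phone, and every changing code is computed from that key and the current time. Google Authenticator implements the TOTP standard (RFC 6238), so the sketch below, an added example rather than code from any site or from the app itself, shows both sides: the phone generating a code and the site checking it. The 30-second step, 6 digits and HMAC-SHA1 are that standard's defaults and are assumptions here, as is the sample key, which is the RFC's published test secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(setup_key: str, at: float, step: int = 30, digits: int = 6) -> str:
    """Return the RFC 6238 code for the base32 setup key at Unix time `at`."""
    # Setup keys are often displayed with spaces and in lower case.
    key = setup_key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)                  # restore stripped base32 padding
    secret = base64.b32decode(key)
    counter = struct.pack(">Q", int(at) // step)  # number of elapsed time steps
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(setup_key: str, submitted: str, at: float,
           step: int = 30, drift: int = 1) -> bool:
    """Site-side check: accept codes from `drift` steps either side of `at`."""
    ok = False
    for n in range(-drift, drift + 1):
        expected = totp(setup_key, at + n * step, step)
        # Constant-time comparison, and no early return on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_KEY, now)
    print("code now:", code)
    print("accepted now:", verify(SAMPLE_KEY, code, now))
    print("accepted 5 minutes later:", verify(SAMPLE_KEY, code, now + 300))
```

Anyone who holds the setup key can compute the same codes, which is why the saved copy of the key needs the same care as the phone.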
Why is 2 step verification more secure
Previously, when using just your password, the security of your account relied on only you knowing your password. Unfortunately, nowadays hackers and other bad actors have numerous ways of learning your password. These range from simply guessing it, by trying millions of passwords, to gaining unauthorised access to insecure sites where you may have entered your password. There are hundreds of other methods by which your password can be compromised.
Once a hacker has your password, they can log in to your account and do whatever they want. In order to combat this, users are encouraged to change their password frequently, add special characters, not use familiar words etc. While these steps are still recommended, such passwords are difficult to remember, and if a hacker has managed to get your password while it's valid, they can still access your account.
The main reason 2 step verification is more secure is that, in order to log in, you now need your password, which is something you know, AND you need your phone, which is something you have. And because the verification code changes every minute, you can't just remember it and will need your phone each time.
When you use 2 step verification, even if a hacker has your password, they will not have your phone to generate the code for the second verification step.
There are a few other ways to implement 2 factor verification with various levels of security. For example:
- Using a hardware fob. Instead of a code generated on your phone, you are sent a physical fob which generates the verification code. This is the most secure method as the fob is not on a phone that could be compromised and is never connected to the internet.
- Using a software app. Nowadays this is the most common method of setting up 2FA. It uses an app like Google Authenticator to generate the verification code. It strikes a good balance of security and convenience.
- Having a verification code sent to you via SMS. This is a big step up in terms of security compared to just using a username and password. However, if you are specifically targeted, hackers can try to clone your SIM to get access to your SMS messages when they attack your account.
2-factor authentication is a simple and easy way to add a significantly increased level of security to your accounts. We would definitely recommend you set it up for all your accounts where possible. 2FA can be set up with most exchanges as well as most email providers.