Multi-Factor, 2-Step, 2-Factor Authentication

Multi-factor Authentication (MFA), also called 2-step or 2-factor authentication, is one of the most important steps you can take to protect your accounts. If you aren’t familiar with MFA, it is a way of authenticating yourself (“logging in”) with more than just a password. Authentication, or logging in, can be done in three ways: with something you know (a password), something you have (a phone or token) and/or something you are (biometrics such as a fingerprint). MFA involves using at least two of these three methods, such as something you know (a password) plus something you have (a code sent by SMS text message to your phone). While MFA isn’t guaranteed protection for your accounts, enabling it does offer strong additional protection and can stop an account from being taken over (also referred to as “hacked” or “compromised”).

How does this help me? Say someone has gotten hold of your password and attempts to log in to your email account. If you have MFA enabled, your email provider will send a code to your phone via a text message, and that code must be entered in addition to the password before the login succeeds. An unexpected text message saying “here’s your code” would alert you that there is a problem (such as someone trying to log in to your email account). If a hacker were trying to log into random email accounts and was presented with a message saying “please enter the code sent to your cell phone”, they would skip your account and go to the next one. This means you would have stopped a hacker from getting access to your email account simply by having MFA enabled. Why is this the case? A hacker would need to know the password for your email account and would also need access to your cell phone, or would need to clone your cell phone. That takes a lot more effort, so random email hacks can usually be prevented with MFA. MFA may not stop targeted attacks, but random people are not often targeted in this manner. Targeted attacks are usually performed on senior managers (VPs) in companies, journalists, famous people, politicians, etc. Unless the attacker is someone close to them, law enforcement with a reason, or a stalker, normal people are not usually targeted to the point where both their password and their MFA method will be compromised.

You may have read or heard that SMS text messaging isn’t a secure form of MFA, or that it isn’t the best MFA option. While it may not be “bullet proof”, having SMS text messaging as an MFA option is better than nothing at all. There are no “silver bullets” when it comes to security and almost anything is “hackable”, so making things more difficult is one of the ways you can increase your security. Think about having an alarm system on your home. An alarm system wouldn’t stop anyone from breaking into your home if they were specifically targeting you or your family, but casual thieves would skip your home and move to the next one that didn’t have an alarm system, because that home is easier and less of a risk. Likewise, SMS text messages as an MFA method mean hackers going after easy targets would be foiled and move on to the next victim. As we stated above, a hacker would need to know your password and have access to or control over your cell phone or phone number (clone your phone). This takes multiple steps and would only be done if you were specifically targeted. You may be asking yourself, “Has this ever happened to someone?” or “Is it possible to clone someone’s cell phone?” Unfortunately, the answer is yes. It is possible and it has happened. However, as we stated in the previous paragraph, these types of attacks don’t usually happen to random people or “everyday users”. Complicated, targeted attacks are usually performed on someone specific such as a senior manager in a company, a journalist, someone famous, etc. So SMS text messaging as a form of MFA is definitely better than nothing, and in some instances it may be the only form of MFA offered by the service you are using.

What can I do? You should enable MFA on every one of your important or critical accounts, such as financial (bank, taxes, retirement, etc.), email, shopping, medical, etc. In most cases, there should be options in the security section of your account settings to enable an MFA option. It may also be called 2-step or 2-factor authentication. In a lot of cases, it will be in or near the section where you change your password. If you are unable to locate MFA options, search the internet for something such as “2-step authentication gmail” (replacing gmail with the name of the service you are searching for) to see if you can find a link to instructions on their website. Make sure to follow safe searching practices to ensure the link you see in your search results goes to a reputable website. You can click on the “searching the internet” and “virustotal” tags above to read our posts related to safe searching.

If you are a Google Gmail user, here is a quick guide on how to enable 2-step verification:

  • Go to “My Account” by clicking your picture or the icon in the top right-hand corner of your browser
  • Click “Sign-in and security”
  • Go to “2-Step Verification” (Note: you will be asked to enter your password again)
  • Google Gmail has several options to enable 2-step verification (MFA)

Continuing with the Google Gmail example, any of the MFA options listed are better than nothing. There are options to enable text messages, set up a second phone, and a one-button option where a prompt is sent to your Android phone (iPhone may also have this option). We would say SMS text messages, or the one-button method on Android, along with a second phone number is the bare minimum, and it is very simple to use. The second phone number would be used to regain access to your email in the event your phone was lost or stolen. This means the second phone number needs to be able to receive text messages and should belong to someone you fully trust. We would also recommend enabling and printing backup codes. The printed backup codes would be used when traveling out of the country if you aren’t able to receive text messages. Your cell phone provider will be able to tell you if you can receive text messages while traveling. If you aren’t able to receive text messages while traveling outside of your home country, make sure to print the backup codes and have them with you. We would suggest removing any mention of your email address/account name or the website address the codes belong to, in case they are lost or stolen.

Please Note: Remember to store the printed codes in a safe, secure place. If you want to save a soft copy, you could put them in a password-protected archive (for example, one created with 7-Zip) or a password-protected Microsoft Office document. We would store the password-protected soft copy on a removable drive (thumb drive, external hard drive, etc.) that is not connected to your computer, and would recommend not storing the file on your PC.

Depending on your “annoyance factor” as discussed in “Finding the Balance”, here are a couple of advanced options to consider if you want to increase security further. The “Authenticator app” and/or “Security Key” are great options. The “Authenticator app” option requires you to have a mobile device (cell phone or tablet) with some form of authenticator app installed (such as Authy, Google Authenticator, LastPass Authenticator, Microsoft Authenticator, etc.). This is pretty easy, but there are some caveats to remember, which we will discuss shortly. The “Security Key” option requires you to have a physical device (such as a USB device) with you when you log on to a new machine. Basically, any additional factor beyond just knowing a password (SMS text messages, thumb drives, tokens, an authenticator app, etc.) is added security and arguably a requirement.

Please Note: Authenticator apps are often free as well, so it won’t cost anything to be more secure than SMS text messages. One thing to remember when using authenticator apps is that you need to store the recovery codes somewhere safe, so there is a way to get back into the account if your phone is lost, stolen, or replaced with a new one. If you have a tablet and a phone, it’s probably best to enroll both devices. This would help if one of those devices were lost, stolen, or sold: you could use the second device to log in to the account and enroll new devices. Yubico YubiKeys, or similar devices, are another great option for MFA if your accounts support them.
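As an added illustration (not part of the original post), here is what happens under the hood with the authenticator apps and printed backup codes discussed above: the TOTP algorithm (RFC 6238) the apps implement, the server-side check that tolerates a little clock drift between phone and server, and one-time backup codes that the server stores only as hashes. The shared secret below is the published RFC 6238 test value, not a real account secret; a real enrollment uses a fresh random secret delivered through the QR code the app scans.

```python
import hmac
import hashlib
import struct
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation
    to 31 bits, then the last `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is Unix time // step (30 s)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either
    side for clock drift; compare in constant time so timing leaks nothing."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def generate_backup_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Return the codes to print for the user and the SHA-256 hashes the server
    keeps. Storing only hashes means a leaked database does not leak codes."""
    codes = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(stored_hashes: set[str], code: str) -> bool:
    """Accept a printed backup code once, then discard it so it cannot be replayed."""
    digest = hashlib.sha256(code.strip().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real one
    print(totp(secret, 59))            # 287082 (RFC 6238 test vector)
    codes, hashes = generate_backup_codes(4)
    print(redeem_backup_code(hashes, codes[0]), redeem_backup_code(hashes, codes[0]))
```

Because the code is derived from the shared secret and the current time only, the same secret enrolled on a phone and a tablet produces the same codes on both, which is why enrolling a second device works as a recovery path.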

It is important to understand that enabling MFA will make it a little more inconvenient for you to log in. In some instances, MFA may only be required when you log in from a new device (computer, tablet or phone) for the first time. However, some MFA options may be required each time you log in.

Bonus: How does this impact me? The reward for enabling MFA is well worth the minor inconvenience. Taking a few seconds to look at an SMS text message or tap an app is far better than losing control of your email or bank account. The importance of your bank account is self-explanatory, but think about how much personal information is stored in your email. Have you ever sent documents to a lender to buy a home? Have you ever received tax paperwork from your CPA? In both instances, the paperwork you sent or received definitely contained sensitive personal information, making it easy for someone to steal your identity. One of the other major concerns with losing control of your email is password resets. If someone has control of your email account, they can see what services you use based on the emails you have received. If your bank, retirement provider, etc. has ever sent you an email, a hacker would now know you use those accounts. Not only would they know who your bank is, but most of the time the login/usernames for these accounts are your email address…which the hacker would know if they hacked your email account. The hacker could go to your bank’s website, enter your email address and request a password reset. Chances are, if they have gained control of your email, they could possibly answer the security question(s) asked, and then the new password would be emailed to your email account…which the hacker could read and use to log in to your bank account or retirement account.