On Boxing Day here in the UK (26th December for anyone who doesn’t celebrate it) the NCSC (that’s the National Cyber Security Centre) blogged about staying smart with your Christmas gadgets. This included 5 tips which are always true for gadgets and our tech-filled lives, so I thought I’d go through them.
Turn on two-factor authentication (2FA)
Two-factor authentication (2FA), sometimes called multi-factor authentication (MFA), scares people a bit. And it’s a bit of a hassle, I get that: I use it everywhere and I’m always pulling out my phone to get another one-time password (OTP). It’s a burden, I get it. The point is that it’s supposed to be a burden. You’re burdening the hacker far more than you’re burdening yourself, though, as they can’t pull out your phone (hopefully!).
The key thing is that it needs to be a different “factor”. The factors are…
- Something you know (e.g. a password or PIN)
- Something you have (e.g. a mobile phone or credit card)
- Something you are (e.g. a fingerprint or face recognition)
So if a website has both a password and security questions, then this is multi-step authentication, but it is not multi-factor authentication, because a password and security questions are both things that you know.
If a website offers it, go with an authenticator app that produces one-time passwords (OTPs). There are a number of different authenticator apps available these days (links are to Android, sorry iPeople)…
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator – my personal preference
- Authy 2-Factor Authentication
These are just a few; there are loads out there on the respective app stores. You only need one. Pick a name you trust, or play with a few to see which feels right, but they’re largely the same.
What I would say, though, and this is important: make sure whichever one you choose automatically backs up somewhere. That way, if you need to change your phone, you can easily restore all the accounts without having to unlock and set up each one again.
Now, on all your accounts that offer it (and there’s a pretty comprehensive list here), enable 2FA. This will present you with a QR code that you scan in the app, and the app will start generating a new OTP every 30 seconds. Usually you need to enter one back into the website to confirm that it’s worked correctly.
At this point they’ll often give you one or more unlock codes as well. These are a fallback in case you can’t generate an OTP for any reason (e.g. you’ve lost or broken your phone), so keep them safe. But also make sure you keep them secure, because they will grant anyone who has them access to your account, as long as they’ve also got your password (or can guess it).
Now whenever you log in, after entering your username and password you’ll be asked to enter the OTP. This means that even if someone does manage to get your password, via credential stuffing, shoulder surfing, or any other method, they’ll also need access to your phone to generate the OTP. This keeps your accounts significantly safer than a password alone, and it’s totally worth the hassle.
If the website does not offer the authenticator app option but does offer SMS, use it! There have been a lot of reports, especially in America, of SIM-jacking and other methods for taking over a mobile phone in order to get the SMS messages, but this is really a very targeted attack. Forcing the hacker to jump through these extra hoops is still better than not, even if a determined one can make it through them. Don’t make it easy for them; in fact, make it as hard as you possibly can.