
Why you should (and shouldn't) use 2-factor authentication

Oliver: Two-factor authentication, also known as 2FA, adds an extra level of security to your accounts. You can use 2FA to secure your email account, social media accounts, online banking account, and more. Two-factor authentication will help keep your accounts safe even if a hacker manages to get access to your user ID and password for a particular account. It's a very simple way of preventing data breaches, which have grown by an alarming 41% in the UK in 2017, for example.

2FA utilizes something that only you should know to complement the login data. It may be a master password, a PIN code, an SMS code, a hardware dongle, the answer to a secret question, and so on. In fact, this is exactly how credit cards work! A person who steals your card will not be able to withdraw money from it, because they don't have its PIN. So, in this case, your PIN code is the second authentication factor.

Let's imagine that you want to access your online banking account. You visit the login page, and then you input your username and password combination. Rather than logging you in, the site will send an SMS code to your mobile phone, and then ask you to input it in a dedicated website form.

If you input the wrong code, the website will deny access; otherwise, if the numerical code is okay, you will be allowed to access the website. This is the most used 2FA security mechanism, because it is cheap (SMSs can be sent and received for free) and easy to implement. Other companies such as Amazon, Microsoft and Google have created their own authenticator apps, which can generate random 2FA codes without relying on SMSs.

New codes are generated each and every time you access your accounts, so previously generated codes cannot be reused by hackers. These codes are often known as one-time passwords (OTP).

SMS-based two-factor authentication can be easily activated and used even by people who don't have a background in IT technologies, and will help keep your account secure even if the account is attacked using brute-force methods. If a wrong authentication code is input 2-3 times, the account will be locked down for several hours, thus making it impossible for cybercriminals to get access to it.

Often, 2FA will successfully prevent identity theft as well. It is estimated that millions of US citizens are victims of fraud each year. If a hacker gets access to one of your accounts, he may be able to use it to request password reset links for your other accounts, and then get access to them as well.

James: While I agree with Oliver's ideas, and I totally recommend that people make use of SMS-based 2FA whenever they don't have a stronger account security solution at their disposal, I wouldn't say that this is a risk-free method. Let's see why.

First of all, a hacker may be able to get access to the information that is stored on your phone by installing a piece of malware onto it. Often, cyber criminals will quickly find out your email address, and then send you an email which includes a link that will install the malware app on your smartphone.

Then, a hacker may use various social engineering techniques to get a copy of your SIM card. He may call your phone company, pretending that you are the one that is calling, and ask them to mail him a new copy of your SIM because your phone has been stolen, for example.

Don't forget that a hacker may also get access to your phone when you leave it unsupervised, and thus see the authentication code on its screen. So, be sure to protect the lock screen using your fingerprint, or at least use a long, complex password.

A skilled attacker may even intercept an SMS that is sent your way by spoofing one of the cell towers nearby.

As you can see, an SMS-based 2FA system isn't the best solution out there. Still, if you can't use a better security method, this one is much, much better than nothing.