A reader wants to know how 2-factor authentication, or 2FA, works. ARTHUR GOLDSTUCK spells it out.
Q: Last week you advised people to use 2FA to protect their Facebook accounts. I don’t use Facebook. Do I still need it?
Two-factor authentication (2FA) is a security measure that works for almost any online account and gives you an extra layer of protection. Its name explains it: you have to provide two different pieces of information when you log in, namely the password that is registered and stored in your name for your account, and a second factor, which is not stored, like a one-time PIN or a fingerprint scan.
I asked Google Bard to give me a simple analogy to explain 2FA, and it told me:
“Imagine that you are trying to enter a bank vault. To do so, you need two keys: one key to open the outer door and another key to open the inner door. If you only have one key, you cannot enter the vault.
“2FA is like having two keys to your online accounts. Your password is the first key, and the second factor is the second key. If an attacker steals your password, they will not be able to log into your account without the second factor.”
2FA is not one tool, nor a one-size-fits-all solution. Some 2FA is more secure, or at least more foolproof, than others. These are the main forms of 2FA:
* SMS-based 2FA: When you log in, a code is sent to your phone via SMS. You must then enter the code in addition to your password to log in.
* Authenticator app-based 2FA: Install an authenticator app, which generates a unique code every few minutes. That means someone who does not have access to your phone’s content cannot get that code. Typically, when you log in, you enter your password as well as the authenticator code. Google Authenticator is the most common on Android phones.
* Hardware token-based 2FA: A small hardware device you carry with you generates a unique code every time you press a button. It then works the same way as an authenticator, but it’s a pain to carry around.
If you enable 2FA on all your important accounts, there is a very low likelihood of any of these being hacked. But that does also depend on your overall security habits, like not sharing passwords, not clicking on suspicious links, and having strong passwords.