With the endless cycle of news about breaches and hacked accounts, many people start to wonder how they can better protect their digital life. One of the best ways to safeguard important online accounts is through two-factor authentication (2FA). Also called 2-step verification or login approval, two-factor authentication requires not only a username and password to log in to an account, but also another “factor”, which is typically a code generated by an app, a code sent over SMS, or a hardware-based verification method. This helps secure accounts, because even if a username and password are exposed during a breach, an attacker can’t log in to the account without that extra step.
A number of organizations and universities have moved towards making the use of 2FA mandatory, including Bowling Green State University. The director of IT security at BGSU had an informative interview with Brian Krebs about 2FA at the popular Krebs on Security blog, outlining several recent incidents which caused the university to speed up the implementation time for requiring it on all university accounts.
Despite the benefits of 2FA for security, many people still have not enabled it for their accounts. Reasons for this range from simply not knowing it’s an option, to usability issues with various 2FA platforms. The team at Duo, a company which focuses on authentication methods at scale, ran some informal calculations and estimated that adoption of the two-step verification process on Google products was only around 6.5% of all users.
Interested in how to protect your accounts? There are several resources available to assist those who are new to 2FA and want to learn more about how to implement it. The first is TwoFactorAuth, a very handy website which has a database of popular websites and the forms of 2FA they use (or don’t use, in many cases). Simply type in the name of the website, or search by website type, to see whether you can enable 2FA on your account. For a great basic overview of 2FA, check out this article written by the team at the Electronic Frontier Foundation.