Old Two-Factor Authentication

Two-Factor Authentication, also known as Two-Step Verification, 2FA or Multi-Factor Authentication (MFA), offers an additional layer of protection for your accounts on top of a knowledge factor like a password. It requires you to provide an additional method of authentication to access your account or perform a specific action.

Most people know SMS-based 2FA, where the page or app you log in to sends a code via text message that has to be entered after providing a correct username and password.

Different types of 2FA

SMS-based 2FA

This method is the most common way accounts are protected by 2FA. A code is sent via SMS to the phone number previously registered to the account. The code is only valid for one login and for a limited amount of time.

Advantages:

  • Relatively simple to use – high level of familiarity
  • Most people have a device that can receive SMS

Disadvantages:

  • Various security issues: the code can be phished, and SMS messages are at risk of being intercepted by attackers
  • Tied to a phone number – people changing phone numbers are at risk of getting locked out

Authenticator Apps (Code based)

Instead of delivering the code via SMS, authenticator applications like Google Authenticator, Authy, etc. contain an algorithm that generates time-based one-time passwords that can be used as a second factor.

Advantages:

  • Don’t require a device with a SIM card
  • Same app can be used for many accounts
  • Easy to use – free apps available
  • No code that can be intercepted when being delivered to the user

Disadvantages:

  • Can be phished by an attacker
  • People have to back up a recovery code to avoid losing access when switching to a new device

Push-Based Authenticator apps

Some applications like Microsoft Authenticator, Okta, etc. send a push notification to the user's phone. The user then has the option to either approve the login attempt or report that it was not them trying to log in.

Advantages:

  • Push notifications often provide additional information, like the location of the login attempt
  • The user doesn't have to type anything

Disadvantages:

  • Attackers often trigger large numbers of notifications, hoping that the victim will push the wrong button or think that they need to approve the login in order for the notifications to stop.
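The pattern just described (a burst of push prompts that ends in an approval) is visible in an identity provider's authentication log. Below is an added detection example, not code from the original page or from any vendor named above, that scans constructed sample log lines in a simple "timestamp user event" format (the format and the event names push_sent, push_approved, push_denied and push_timeout are assumptions for this example) and flags users who received at least five prompts within ten minutes, noting whether an approval followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal login (alice), a prompt burst ending in an approval (bob),
# and a user with a few prompts spread over the day (carol).
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice push_sent
2024-03-01T08:00:09Z alice push_approved
2024-03-01T22:14:00Z bob push_sent
2024-03-01T22:14:20Z bob push_denied
2024-03-01T22:14:45Z bob push_sent
2024-03-01T22:15:10Z bob push_denied
2024-03-01T22:15:30Z bob push_sent
2024-03-01T22:16:00Z bob push_timeout
2024-03-01T22:16:05Z bob push_sent
2024-03-01T22:16:40Z bob push_timeout
2024-03-01T22:17:00Z bob push_sent
2024-03-01T22:17:30Z bob push_sent
2024-03-01T22:18:00Z bob push_sent
2024-03-01T22:18:12Z bob push_approved
2024-03-01T09:00:00Z carol push_sent
2024-03-01T09:00:05Z carol push_approved
2024-03-01T12:30:00Z carol push_sent
2024-03-01T12:30:04Z carol push_approved
"""


def parse_log(text: str):
    """Turn 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        timestamp, user, event = line.split()
        events.append((datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_bombing(events, window_minutes: int = 10, threshold: int = 5):
    """Return {user: alert} for every user who got >= threshold prompts inside a sliding window.

    The alert records the size of the largest burst and whether the user approved a prompt
    during it (or within one window after it), which is the case that needs immediate follow-up.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for timestamp, user, event in sorted(events):
        by_user[user].append((timestamp, event))

    alerts = {}
    for user, user_events in by_user.items():
        prompts = [ts for ts, event in user_events if event == "push_sent"]
        start = 0
        for end in range(len(prompts)):
            while prompts[end] - prompts[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            first, last = prompts[start], prompts[end]
            approved = any(event == "push_approved" and first <= ts <= last + window
                           for ts, event in user_events)
            previous = alerts.get(user)
            if previous is None or count > previous["prompts"]:
                alerts[user] = {
                    "prompts": count,
                    "first_prompt": first.isoformat(),
                    "last_prompt": last.isoformat(),
                    "approved_during_burst": approved,
                }
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, alert)
```

On the sample data only bob is flagged (7 prompts, approval after the burst); the usual response is to treat that session as compromised, and the usual prevention is to require the user to type a number shown on the login screen into the app rather than just tapping "Approve".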

Hardware Security Keys (FIDO Security Keys)

Hardware keys from vendors like Yubico, Google, and Feitian are considered to be the gold standard of 2FA. They are hardware components that often look like USB sticks and contain cryptographic keys used to authenticate the user.

Advantages:

  • The only method that is truly resistant to phishing attacks
  • Easy to use

Disadvantages:

  • A security key can cost $20-30 or more, depending on the model
  • People are concerned about losing the keys
  • Not all services support them yet
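Why a security key resists phishing where a typed code does not comes down to what gets signed. In the FIDO2/WebAuthn login flow the browser writes the site's origin into the client data, and the key signs the authenticator data together with a hash of that client data, so the website can reject any assertion produced on a look-alike domain. The block below is an added, simplified illustration of the website's verification steps, not code from the original page or from any vendor named above; the relying-party identity, origin and credential secret are constructed for the example, and an HMAC with a shared secret stands in for the key's private-key signature (real deployments use ECDSA or RSA and a WebAuthn library, which the Python standard library does not provide).

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed relying-party identity for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# Stand-in for the credential's private key (a real key never leaves the security key).
CREDENTIAL_SECRET = b"constructed-credential-secret-not-a-real-key"


def new_challenge() -> str:
    """The website issues a fresh random challenge for every login attempt."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def authenticator_assert(challenge: str, origin: str, rp_id: str):
    """Browser plus security key, simplified. The browser records the origin it is actually on;
    the key signs authenticatorData || SHA-256(clientDataJSON), which covers that origin."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (bit 0 = user presence) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_SECRET, signed, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return client_data, auth_data, signature


def verify_assertion(issued_challenge: str, client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks in the order WebAuthn prescribes; any failure rejects the login."""
    try:
        parsed = json.loads(client_data)
    except ValueError:
        return False
    if parsed.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(parsed.get("challenge", "")), issued_challenge):
        return False  # stale or foreign challenge: a replayed assertion
    if parsed.get("origin") != EXPECTED_ORIGIN:
        return False  # produced on another site, e.g. a phishing page
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # not bound to this relying party
    if not auth_data[32] & 0x01:
        return False  # user presence (the touch on the key) not confirmed
    expected = hmac.new(CREDENTIAL_SECRET, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    challenge = new_challenge()
    genuine = authenticator_assert(challenge, "https://example.com", RP_ID)
    phished = authenticator_assert(challenge, "https://examp1e.com", RP_ID)
    print("genuine login accepted:", verify_assertion(challenge, *genuine))
    print("look-alike domain accepted:", verify_assertion(challenge, *phished))
```

Because the origin is inside the signed data, an attacker relaying the assertion cannot edit it to read the real site's origin without breaking the signature, and a fresh challenge per login stops replay of a captured assertion. A typed TOTP or SMS code carries no such binding, which is why it can be relayed in real time.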

Here are useful links that lead you to easy-to-follow, step-by-step instructions on how to enable 2FA for the most popular e-mail providers. If your e-mail provider is not listed, try searching on Google for: <email provider name> two factor authentication.

Google

Gmail account: How to enable Two-Factor Authentication (Google Helpcenter)

If you have a business account (Google Workspace), you can use these instructions on how to protect your organisation with 2FA.

Microsoft
