
Two-Factor authentication: What is it and why you should use it

source link: https://www.androidpolice.com/why-you-should-use-2fa/

Why you should use 2FA

Published 1 hour ago

Good security is easier to have than you might think

[Image: Source: Apple]

You’ve probably heard of two-factor authentication (2FA for short) and that it’s super important to use whenever possible. If you watched this year’s WWDC presentation, you may have even seen Apple mention passwordless “PassKey” 2FA. If you were worried this was something only Apple was rolling out, it’s actually part of a joint effort between Apple, Google, Microsoft, and the FIDO Alliance laid out a month before WWDC. Don’t worry—good security won't be a platform exclusive any time soon. You just have to take advantage of it, and here's why.


What is 2FA?

Much like the name implies, two-factor authentication adds a second way to verify you’re actually you while logging in. This can look a little different depending on what version you go with, but it will always rely on something that only you should have access to. A two-factor login could involve something like a cryptographically generated key, a one-time password sent to your phone, or a physical piece of hardware you plug in, just to name a few examples.

Why is 2FA so important?

Several times per year, news of a security breach at a popular site or a retailer breaks, and the first suggestion in that "we're so sorry email" is always to change your password. More often than not, this news comes months after the breach, meaning that your login data has just been sitting there exposed for who knows how long.

This is bad news for that site, to be sure, but it also means that if you have any other accounts with the same email/password combination (hint: this is a bad idea), anyone who has access to your compromised data can log in on uncompromised sites.

One of the best ways to defend against this is to have 2FA turned on for as many sites and applications as possible. Even if someone has your password, they can't log in without your two-factor code. Many sites even have several 2FA options available, which raises the question: which kind of 2FA is the best, and more importantly, which ones should you avoid whenever possible?

What versions of 2FA are available?

Physical 2FA is pretty much the king of login security, but it’s also the least commonly supported variety. The most common physical 2FA devices are USB or NFC dongles that act almost like a keyboard and enter a specific code when prompted. While we’d love to say you should just buy a YubiKey and be done with it, not every site or app supports physical 2FA, so you still need to find a different method for those services. Most big players do support physical 2FA keys, for instance Google and Twitter.


App-based 2FA, such as Authy and Google Authenticator, is also a great option. These apps work similarly to a physical 2FA key, except that you’re entering the one-time code yourself. In most setups, your 2FA secrets are stored on a single device for maximum security, but Authy lets you sync those tokens across devices. Some services also have their own authenticator apps, like Steam Guard.


If the goal of 2FA is to prove that you’re actually you, biometric 2FA is a great option. Using things like fingerprint sensors, Windows Hello, or FaceID, it’s possible to breeze past logins by tying your account to your physical characteristics. Having your device log you in by verifying that you are who you say you are in this way is a bit similar to using physical 2FA; only your body is acting as the 2FA device with your login codes stored on the device you’re logging into.

[Image: Source: Apple]

Email 2FA lets you secure your login behind a one-time password (OTP) sent to your email. While this can be compromised if your email account itself is unsecured, if your email is locked behind a physical 2FA method, it’s safe to say that no one is gaining access to it unless they have physical access to your devices.

SMS 2FA is another OTP system like email, and definitely better than nothing, but for sure not an end-stage solution. A phone number in your possession might seem like a secure way to get 2FA codes, but it’s vulnerable to social engineering attacks and SIM swaps from unscrupulous carrier employees. This doesn’t mean that every account behind SMS 2FA is as good as compromised; it just means that a determined enough assailant could get access to your SMS 2FA. Imperfect as it is, if it’s the only option you have, it’s better than not using it.

While it’s a good security practice to use a password manager with unique passwords for every site and app, that won’t keep security vulnerabilities with those sites from compromising your account. The best way to minimize that risk is not just to enable 2FA whenever possible, but to use the most secure version of it that you can. Even an imperfect 2FA method is better than none, though.
