It’s one of the best ways to keep your accounts safe from cybercriminals. Now available across numerous services — including Apple’s operating systems, Google Drive, Windows 10, and popular social networks — 2FA is a simple and effective security solution.
What is two-factor authentication?
The process adds an extra security layer to your account, making it much harder for malicious actors to attack and steal your data. To access a profile protected with 2FA, you need two elements:
- Something you know (a password or pin code)
- Something you have (access to a specific device)
With 2FA, every time you want to log in to your account, you will first be asked to enter your password. Then, a one-time code will automatically be sent to your mobile phone; if you can prove that you’re also the device owner, you can log in.
Even if a cybercriminal acquires your password and tries to break into your account, they will need to have physical access to your phone as well.
How is 2FA different from 2SV?
If you already have two-step verification (2SV), is two-factor authentication necessary? The answer is yes.
Although 2SV also offers some additional layers of protection, it doesn’t necessarily require the “something you have” part. In order to access your account when 2SV is on, you can use either two USB security keys, two passwords, or a combination of a password and a security question.
The main difference between these two is pretty simple:
- If you use 2FA, the bad actor who wants to hack your account will have to pull off two types of theft: they will need to steal your physical device (“something you have”) and your password (“something you know”).
- If you rely on 2SV, the hacker will only need to commit one type of crime, multiple times. He just needs to steal your information — your password and the answer to your security question, for example. If he’s using spyware or extorting a data breach, he may already have both.
Although both of these security measures add an additional level of safety to your account and should be used wherever possible, 2FA offers more benefits. Needless to say – any form of protection is better than none.
How to enable 2FA
2FA on macOS and iOS
If you’re setting up 2FA on macOS, head to System Preferences in the Apple menu and select Apple ID. Go to Password & Security and click Turn On Two-Factor Authentication.
If you’re using macOS Mojave or an older operating system, you should go to System Preferences and click iCloud. Next, select Account Details, Security, and Turn On Two-Factor Authentication.
If you’re using an iPhone, iPad, or iPod, you should first go to Settings, and Password & Security. Alternatively, if you’re using an earlier version of the operating system — iOS 10.2 or older — head to Settings, iCloud, and Apple ID, and click Turn On Two-Factor Authentication.
Next, enter the number of the phone you want to use as your verifying device. Apple will then send you a code by text or call, depending on your preferences. Verify your number to complete the setup process for two-factor authentication.
2FA on Google
Confusingly, Google uses the term “2-Step Verification” when referring to their 2FA features, so in this case you’ll be setting up 2SV. Go to Sign-in and security. Enter your password and phone number to receive your verification code.
You can either stay with the default option and receive your security codes via text or voice messages, get the Google prompt to make your verifications quicker or use their Authenticator app.
With the Google prompt, you won’t need to type in verification codes each time you want to access your account. Instead, you will receive a notification asking if it’s really you trying to log in. Simply tap “Yes” and you’re in.
2FA on Windows 10
If you’re a Windows 10 user, the process for setting up 2FA is a simple one, and can be carried out online through your Microsoft account. As part of the authentication process, you can use an email, a phone number, or Microsoft’s dedicated Authenticator app.
Head to Microsoft’s Security Basics page and log into your Microsoft account. Then click More security options and Set up two-step verification, and follow the prompts to complete the set-up process.
Here’s why you shouldn’t use texts for 2FA
The major problem with two-factor authentication is that it typically relies on text messages, which apparently can be easily hijacked. Although such vulnerability of text messages has been known and discussed for a long time, security experts at Positive Technologies have recently shown what it actually looks like.
The video below (first published by Forbes) demonstrates how researchers managed to intercept text messages and use 2FA to get access to a user’s Gmail account. From there it took them a few moments to reset the password from Coinbase and take control of a bitcoin wallet. Apparently, your name, surname and phone number is all hackers need to break two-factor security if you use to claim your identity via SMS.
While you may blame Coinbase for not putting enough effort to secure their services, the actual weakness lies in the phone system itself. Using their own research tool, researchers were able to exploit known flaws in the Signaling System No. 7 (SS7) that is used by nearly every telecom in the world to manage calls and text messages. “This is a vulnerability in mobile networks, which ultimately means it is an issue for everyone, especially services relying on the mobile network to send security codes,” said Dmitry Kurbatov who is a researcher at Positive Technologies.
While telecom companies are restricted from accessing users’ communications traveling through this network, hijacking services are pretty popular on criminal marketplaces. However, there’s no need for hackers to spend money on hijacking services as they can breach the network directly: “It’s much easier and cheaper to get direct access to the SS7 interconnection network and then craft specific SS7 messages, instead of trying to find a ready-to-use SS7 hijack service.”
As you can see, it’s pretty easy for cyber-criminals to attack the phone network and intercept your communications. If a hacker manages to breach the network, they can use 2FA codes sent to you via text messages and log in to any account he needs. According to Dmitry Kurbatov, “this hack would work for any resource – real currency or virtual currency – that uses SMS for password recovery.”
If not SMS, then what?
Even hijackable, text-based 2FA is better than no digital protection. However, if you care about your data security, you may want to consider choosing an alternative authentication method, such as Google’s Authenticator app.
Experts also suggest getting a separate phone number for digital services through, for example, Google Voice. For secure 2FA, you can also use security keys or download the Google Prompt that doesn’t rely on the vulnerable SMS protocol.
Another important step privacy-concerned users should take is to demand that all account services provide non-SMS-based 2FA options to help their customers securely log in to their accounts without the fear of being hacked.
Take security to the next level
Now might be a good time to go through all your accounts (Amazon, Dropbox, Facebook, PayPal, etc) and add that extra layer of security.
The majority of popular services provide either two 2FA or 2SV to their customers and there are also a number of specialized apps, such as Authy or Duo Mobile, designed for the same purpose. If you’re not sure whether a specific website offers 2FA or 2SV, you can quickly check it here.
If you want to take your security to the next level, you can also use a virtual private network (VPN) to enhance online safety. NordVPN wraps your data in layers of next-generation encryption, making it harder for criminals to access your passwords and sensitive data. Take control of your data today with 2FA and NordVPN.
Want to read more like this?
Get the latest news and tips from NordVPN