
How to Protect Your Accounts with Two-Factor Authentication

by Natasha Stokes on March 08, 2023

Fact checked and updated on 3/8/2023 by Suzanne Kantra with new recommendations

Topping the list of the most popular passwords of 2022 are "password," "123456," and "qwerty." These weak passwords are simple for hackers to crack, but even using strong passwords isn't enough. That's because hackers can still steal your password through clever phishing emails and texts, data breaches, and other vulnerabilities.

That's when two-factor authentication (2FA) can save the day. With 2FA enabled, your username and password are insufficient for hackers to access your account. Anyone trying to log in would need to provide an additional means of verifying your identity, like a one-time use PIN delivered via an app, text message, or email, a physical device that generates a passcode, or a biometric device.

Cybersecurity experts agree that enabling two-factor authentication is a crucial part of online hygiene that makes accounts more difficult to hack. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now cites the use of single-factor authentication on its list of bad practices.

However, not all two-factor methods are equally secure.

Basic two-factor authentication: code texts and emails

Once the bulwark of tech-savvy cybersecurity, text authentication has been increasingly exposed as vulnerable to scammers. One threat is hackers intercepting calls and text messages containing 2FA codes. The interception can happen at the network level or when your phone number is stolen in a SIM swap, resulting in all text messages routing to the hacker's device.

Phishing attacks are also more likely over text or email, where scammers trick users into handing over their logins through a link, email, or text designed to look like a legitimate service. While users log into the fake site, attackers capture their login and use it for the real site, triggering a genuine 2FA code to be sent to SMS or email – which the user inputs into the spoof site.

Good two-factor authentication: authenticator apps

Rather than receiving a message that can be intercepted, generating codes on a device that's with you largely keeps those codes out of hackers’ reach. That’s where authenticator apps come in.

These apps can be synced with various platforms in your accounts’ settings when you enable 2FA. We like Authy (Android/iOS/Mac/Windows) and Microsoft Authenticator (Android/iOS), both of which are easy to use and set up. And, you can back up your account in case you lose your phone.

Whichever you pick, the apps work the same way – by generating six-digit codes that refresh every 30 seconds or so, reducing the likelihood of these codes being scraped and reused. And, authenticator apps generate codes regardless of whether you’re online, which is handy if you’re out of reception.

The only downside comes if you forget your device. Once 2FA is enabled, many accounts require a 2FA code to log in every time, and forgetting your phone means being locked out of these accounts.

Best two-factor authentication: authenticator keys

While authenticator apps are better than codes sent via text message or email, they aren’t totally invulnerable. Phishing attacks, for example, could potentially steal 2FA codes if users are lured to spoof sites to enter a code, and the attacker is able to capture and use the code before it’s refreshed. While an unlikely scenario for the average citizen, activists, politicians, or others whose communications are targeted may need tougher security.

In this case, it’s time to ramp up to an authenticator key, a physical device that plugs into a computer’s USB port, phone's power port, or communicates via NFC with a phone to authenticate logins. Apple just started supporting authenticator keys in iOS 16.3 (find out how to update your old iPhone) and Android phones can be used as authenticator keys when adding your Google account to a device for the first time.

You should always have two authenticator keys. The primary key is for everyday use and the second key is a backup so you won't be locked out of your accounts if you lose your primary key.

One of the most popular is Yubico's YubiKey 5 Series (starting at $50 on Yubico, check YubiKey 5 Series price on Amazon). Once registered, these thumb-size keys instantly work as a second factor for dozens of services. They can also be tapped against NFC-enabled smartphones (which includes all Android phones and iPhone 7 and higher) for authenticating logins on smartphones. YubiKeys need to be tapped before each authentication to verify the user isn't a remote hacker.


An alternative is OnlyKey ($58.99 on OnlyKey.io, check OnlyKey price on Amazon), which comes with a password manager that stores up to 24 accounts in its offline storage. Plug it into a computer during a sign-in, and it automatically fills in the relevant login. This additionally protects passwords from keylogger malware that might be covertly installed on sites.

Whatever method you choose, turn on two-factor authentication

Experts agree that enabling 2FA on your online accounts is essential, whether through SMS, email, app, or a physical key. You may find some services only offer text second-factor authentication, but don’t let the potential for phishing put you off. 2FA doesn't remove any existing hurdles; it puts another one in place.

Whichever method you use, remember 2FA isn't a security silver bullet that can override a weak password or hold off an especially interested hacker. A hacker can still use social engineering to trick you into providing a 2FA code.

The good news, however, is that the crooks still need to entice you to a bogus website first. So don't rush logging in; be extra wary of emails, messages, or pop-ups that lead to external web pages. When entering your login and code online, always check the browser address bar to ensure it’s correct.

Finally, you have another great reason to use that other must-have security feature, a password manager: Not only will it generate and save your hard-to-crack logins, but in case of phishing, your password manager will alert you that the website you’re on isn’t the one you usually use, because it won’t contain a login for the scam site’s URL.


Natasha Stokes has been a technology writer for more than 7 years covering consumer tech issues, digital privacy and cybersecurity. As the features editor at TOP10VPN, she covered online censorship and surveillance that impact the lives of people around the world. Her work has also appeared on BBC Worldwide, CNN, Time and Travel+Leisure.



From Julie Casselman on February 06, 2021 :: 8:38 am


I STARTED NOTICING LITTLE THINGS ABOUT A MONTH AHEAD AND THEY FINALLY SNEAKED IN WIPED MY BANK ACCOUNT OF $1200.00 THEY LEFT ME $10.22
PAY CLOSE ATTENTION THE SMALL INSTANCES!!!!


From Truthfairydigs@gmail.com on June 30, 2024 :: 9:50 am


I’ve been hacked! Every day they get more and more
I’ve tried changing banks I’ve turned off my cards. Now these are all compromised. Some things I can still do on the phone. However most times it says it’ll send my message when I get internet back on. Why would they be able to send me a text about having no wifi? Because it says on the icon indicators the internet is active and there are no problems. Just can’t use things like messenger, email and whatnot. It controls what I say by signing me out of an app that I’m using to tell on them. They get right in there in a flash they have my page taken off and send me back to my home page. They have stolen everything. I live on 953 a month, and between the 100 bank non sufficient funds fees, and at some businesses they also charge non sufficient funds fees, I am desperate, frightened and I need help. For free cause I haven’t got any money to buy help


From Heather on February 13, 2023 :: 9:33 am


Hope u had a good day.


From nitish Sagar on July 23, 2023 :: 5:47 am


My facebook account hacked Disabled
How I can get my account
