If you’re relying on your password to keep you safe, then you’re leaving yourself exposed to major security issues.
Even if you take all the recommended precautions to ensure your passwords stay safe — and your password ISN’T “000000” like Kanye’s — passwords are still an imperfect form of protection. As hackers become increasingly innovative with phishing scams and password-breaking operations, more companies are giving users the option of two-factor — sometimes called multi-factor or two-step — authentication.

What is it?

Two-factor authentication, or 2FA, requires you to prove your identity using two of three possible identifying features. The widely accepted options for identification are as follows:

  • Something you know – such as a password or the last name of your childhood best friend.
  • Something you have – such as your phone or a hard or soft token. This factor will often involve a security code being sent to your mobile device or a login request that you approve on your phone.
  • Something you are – such as your fingerprint, retina, or voice. Also called biometric authentication.

Why should I use two-factor authentication?

You should use 2FA when possible because hackers are incredibly good at what they do, and no matter how complex and unique your password (it’s NOT “000000,” right?!), there is always a chance that it could be guessed or obtained through an especially clever phishing scam.

Also, if you have ever in your life used the same password twice, you could fall victim to credential stuffing, which is when hackers use credentials stolen in data breaches to try to log into other accounts. The financial sector recorded 30 BILLION credential stuffing login attempts this year, which means criminals are after your money rather than your Facebook DMs.

What about my privacy?

Privacy and security are often mistakenly conflated, and we often say we want privacy when we actually want security. In fact, these two concepts are often mutually exclusive. Privacy is, in part, the right to be left alone, and privacy violations occur when companies sell our data to advertisers or change our privacy settings without our knowledge so we’re sharing information with more people than we intended.
These are not security violations because we willingly gave our data to a company, trusting that the proper protections were in place. At their heart, privacy violations are a violation of trust. If I tell you a secret about myself, for instance that my password is “000000,” and you tell everyone at work so you can all laugh at me, you have violated my trust and my right to not have my information used out of context, even if I deserve it by having a really stupid password.
Security concerns come into play when criminals obtain personal data by fraudulent means. Unlike the examples above, data is not willingly given by an unscrupulous company, but rather it is stolen through some sort of scam or breach. The types of information that get compromised in a security incident often differ from those in a privacy incident, too. Cyber criminals are after your passwords, social security number, credit card information, and other personal details that they can use to either take money from you or steal your identity.
In a security incident, you have broken into my house and found the paper where I wrote down my password (that’s “000000,” in case you didn’t remember). You then use that information to steal all my money and also steal my identity. Again, I probably deserved my fate by writing down my incredibly stupid password, but you have also stolen my information to use for fraudulent purposes, which is a security breach.

What does this have to do with 2FA?!

All this is to say that 2FA entails a trade-off between privacy and security. By giving companies more information about ourselves, such as phone numbers or biometric identifiers, we move closer to a world in which technology companies know everything about us. But while the amount of information tech companies have about us is concerning, the prospect of hackers stealing your data or life savings is probably not appealing either.
(I’m not saying you should do the thing, but you should probably do the thing.)
More generally, as we begin to rely more and more on biometrics, artificial intelligence, and other technologies that use information and insights about us to make us safer, the trade-off we will have to make between privacy and security will become starker. After all, the more a system knows about us, the better it can detect intruders. If we are going to trust companies to keep our information both private and secure, more oversight into big technology companies will likely be needed.

Which services offer two-factor authentication?

Google is one of the most ardent proponents of 2FA, and major platforms like Facebook, Instagram, Twitter, LinkedIn, PayPal, and Amazon also provide two-factor authentication options. Two-factor authentication can normally be enabled through your account settings. For a comprehensive list of companies that enable 2FA by industry, visit Two Factor Auth.

Will two-factor authentication keep me safe forever?

Nothing will keep you safe forever, and this is no exception. Hackers are figuring out how to make 2FA work to their advantage by impersonating login prompts under the pretext that there was suspicious activity in a user’s account.
There is also a fun new practice called SIM hijacking, where a hacker manages to transfer your phone number to another device and enjoys unrestrained access to your Facebook timeline and financial accounts.
Since there are more steps involved in 2FA, there’s also more room for technical malfunctions, which Microsoft found out recently when its multi-factor authentication prompts stopped reaching users.
Despite the risks of tech issues and hacks specially tailored to users who enable 2FA, the benefits far outweigh any possible risks or inconveniences. In addition to making your accounts harder to break into, 2FA makes them a less attractive target to hackers, who may move on to easier targets.

I am very busy – will enabling two-factor authentication inconvenience me?

2FA will take a few minutes to set up, and it may add time to your login process, but these small inconveniences are nothing compared to the inconvenience of having your accounts drained or identity stolen. There is always a trade-off between convenience and security, but in this case you should err on the side of security.