When it comes to protecting your accounts and devices, having more than one way to prove you’re you makes for stronger protection than just protecting your account with one flimsy password. This is why security experts now recommend multifactor authentication, sometimes known as two-factor authentication, 2FA, or MFA. An ever-growing number of sites and services offer you the opportunity to use MFA. If you’ve had your bank send you a text message to confirm it’s actually you trying to log in, that’s MFA.
The reasoning behind MFA is that it’s pretty easy for an attacker to get your password alone. Huge lists of re-used passwords float around on the dark web (and even the not-so-dark web). Attackers try these over and over until they’re into an account. The advantage of having another form of proof, like access to your phone, is that it’s much less likely that J. Random Attacker online is going to have access to your phone at the same time they’re randomly spamming sites with a huge list of logins.
Do searches for “set up MFA” and “set up 2FA” followed by the name of the service you want to give this extra protection to, the follow the instructions. For example, here’s how to do it for Microsoft, Google, and your Apple ID. For a longer list, see twofactorauth.org.
I highly recommend setting up MFA for all financial accounts, as well as the main email account you use to recover your other accounts.
Texting you to confirm you’re trying to log in
Calling you to confirm you’re trying to log in
Using an authenticator app that generates a quickly-changing special number code known only to your phone and the site
Plugging in a USB key
Out of these, an authenticator app is probably the strongest form of protection. You’re likely to have your phone with you, and if you’re protecting your phone well (for example, keeping it password locked) it’s not that easy for someone to get access to the app. Here’s where to find:
Authy, which works across a number of devices
Or, if you don’t trust corporations like Google and want to use an app that promises transparent code, there’s FreeOTP for iOS and Android.
There have, unfortunately, been instances where high-profile (famous, at-risk, or wealthy) people have had their phone spoofed, and the attacker got access to the code being sent by phone or text. And unfortunately, some services still only use text or email for additional authentication. However, these attacks were pretty targeted at individual people the attacker really wanted to hit—they weren’t random smash-and-grab attacks, like a lot of internet attacks are.
Provided you’re not someone who has a high likelihood of being a target, and you’re using a strong, random, unique password and storing it in an encrypted locker, using a phone call or text message/SMS for MFA is probably still safer than not using any MFA.
Probably the biggest risk with a USB MFA key is you’ll lose it. These things are small! This might be a candidate for attaching to something you won’t lose, like your keychain; I think there have been some creative attempts to turn them into jewelry as well. (Just don’t mess with the metal part you’re supposed to touch to authenticate.)
Popular options for USB MFA keys are the Yubikey and the somewhat more complicated OnlyKey. Note: get these from well-known vendors. Don’t get a knock-off version.
For more steps you can take to protect your digital security and privacy, check out that section of this website and pick up a copy of Keep Calm and Log On!