Welcome back to the third part of our series on securing your social media and online accounts! This week, we’re going to look at how you can improve your security by using more than just passwords on online accounts.
The great thing about passwords is that if you’ve been following our guides, you’ve got passwords that are easy for you (or your computer) to remember yet very hard for anybody else to guess. However, now that computers are so powerful they can test millions of passwords every second, the security of any password is very quickly coming under strain.
A new type of security has emerged, however, and it is called “two-factor authentication”. This relies on both something you know, such as a password, and something you have, such as your smartphone. You enter your username and password, and are then asked for a code from your phone, which the phone either generated itself or received by text message. Only once you enter that code will you be allowed access. The security is fantastic: assuming that there aren’t any weaknesses in the software running on the website, a computer could test every possible password yet still not get into an account. And if an unauthorised party takes your phone, they still need to have your password.
How does it work?
Every website that uses 2FA (short for two-factor authentication) will have slight variations on how their version works. However, most follow this basic pattern:
- Register your account with them
- Download an app onto your phone (one app works for most websites)
- Go to your account settings. There will be an option to set up 2FA. Go through the process. You will be asked to enter a code or scan a QR code on your phone. Your phone will then give back a code; enter that into the website to confirm it
- When you next log on to the website, you’ll be asked for a code from the app in addition to the username and password before you can log in
As you can see, it is simple. However, some websites will text you a code rather than use an app. Most websites use an app called Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en) but if you are on another platform you may have to find an alternative app. Some websites also use other apps – they will tell you how to get them.
What websites can I use this on?
Good question! As the list changes all the time, you should check this website (https://twofactorauth.org). This website will also tell you how to enable it for each service that supports it.
What websites should I use this on?
As many as you can be bothered to is the honest answer! However, start with the services which are most crucial and work backwards. That may mean online banking for you (contact your bank to see what they offer). Right after that, secure your email to prevent anyone from accessing all your other services, as discussed earlier. If you have a Google, Microsoft or Apple account, it may have lots of sensitive information saved (such as payment details) in addition to your email, and it may even allow a hacker to remotely lock and wipe your devices. These accounts should definitely be a priority if you use them a lot. In general though, think about which accounts would be the worst to get hacked and start with them.
What if I lose my phone?
When you sign up for 2FA, most sites offer you a recovery key which YOU SHOULD KEEP SAFE!!! If you lose that key and then lose your phone, you may NEVER be able to get access to your account again. This does depend on the service you use, so ask them or do some research to see what would happen. There are services that back up your authentication codes, such as Authy (https://www.authy.com), and can share them between devices. This does decrease security, but increases convenience and for many may be a good compromise. However, do your own research for this!
Are there any other problems?
If you lose your phone, you may never be able to log in to something again. If your phone is out of charge or not on you, you may also not be able to log in at that time. It will also make your day-to-day online life ever so slightly more inconvenient. It is up to you to decide if those drawbacks are worth the very big improvements in security. As we store more and more of our important data online and those wanting to break into online services get ever more sophisticated, this may be something you want to consider using more and more.