Two-factor authentication is a name for any login or entry system which requires two different methods of identifying yourself. It’s one of the most recommended security features for online accounts, and for good reason.
What options do I have for two-factor authentication?
Many online services now offer two-factor authentication (2FA) as standard, and there are plenty of different methods to choose from. The most popular method is to use an authenticator app to generate codes.
Using this method, once you’ve set up your app of choice (the most popular being Google Authenticator or Authy), you’ll be asked to enter an authentication code after filling in your password. These codes are time-based: an algorithm calculates each one from the current time.
Both the website you’re logging into and the authenticator app know what the algorithm is, so the website can work out the same code and check that the one you’ve entered is correct. This also means the method works even if your mobile device is offline.
For older phones, most services also offer an option to text a verification code to a phone when a login attempt is made.
Another increasingly widespread option is the use of biometrics, such as fingerprint scanning. Modern smartphones often come equipped with a fingerprint scanner, so requiring a recognised print to be used when logging into a service can reduce unauthorised logins.
Physical keys such as YubiKey are another option for the security-conscious. They look like a USB stick, and are plugged into the device being used to log in as a form of authorisation.
When to use two-factor authentication
The short answer: as much as you possibly can! Think of it like this – if you walk into your house and lock the door behind you, why not use the chain, too? It doesn’t take much extra effort, and if somebody manages to pick your lock, they’d still not be able to enter your house.
This is the benefit of two-factor authentication. Setting it up is straightforward – just scan a QR code with your authenticator app, and the service will be added. Then, each time you log in, you just enter the code. You can also set it up so ‘trusted devices’ such as your private home computer won’t ask for a code every time.
Is two-factor authentication secure?
2FA relies on you having access to the device you’ve set it up on. It’s an extra layer of security on top of your primary login method – in most cases, a password. It’s the most sure-fire way of preventing access to your accounts in the case that someone gets hold of your password.
Another benefit of two-factor authentication is its convenience. While there could be a foolproof method to prevent unauthorised account access, it’s no use if it’s such a hassle that nobody decides to use it. As most people are likely to have a mobile device on hand when they need to log in to something, it’s no extra effort to enter the 2FA code.
With an authenticator app, the only way an unauthorised user can get into your account is if they have access to the device and the app itself. As the generated codes are time-based, it wouldn’t be enough for them to have a screenshot of the code – they’d need to see the app within the same minute as the password is entered.
Can two-factor authentication be compromised?
If there’s no malware on your device, it’s unlikely that a hacker will be able to get access to your two-factor authentication codes using traditional hacking methods.
However, the most common way attackers get access to a two-factor authentication method is through social engineering. When the two-factor authentication method involves sending a text to the user’s mobile phone, hackers have been known to call up the user’s phone company and have their mobile number transferred to their own account. This then allows them to receive the texts containing the authorisation code to their own phone.
It’s unlikely to happen, but you can prevent this by asking your mobile phone provider to require a spoken password from you to make changes to your contract.
Another common way that attackers can get hold of authentication codes is by contacting the user directly. A phone scam on the rise involves a caller posing as an organisation such as a bank, and feigning ‘security questions’ to gain the trust of the user.
As a final ‘verification technique’, the hacker will ask the user to read out the code that was just sent to their phone. At the same time, the hacker will start logging in to one of the user’s accounts, triggering the 2FA code to be sent – which the victim might then read out to the attacker.
It pays to be vigilant about incoming calls from unknown locations, and if you’re in doubt about who’s calling you, it’s usually best to hang up and call back the organisation they claim to be from.
Is two-factor authentication all I need?
Two-factor authentication works best as part of a whole. You shouldn’t disregard the security of your password just because you have two-factor authentication in place – while the chain can prevent your house being broken into, it’s less effective if the hacker finds the key under your doormat. Your password should still follow all the recommended guidelines.
The mobile device you use as your primary 2FA device should also be properly secured, with a passcode and/or the biometric methods available on many of the latest mobile phones. That way, if your mobile phone goes missing or is stolen, it’ll be more difficult for someone else to use your two-factor authentication methods.
We suggest setting up two-factor authentication wherever you can – including for your Fasthosts Control Panel. You can now use an authenticator app to add an extra layer of protection to your account, adding to our already strong security measures. Prevent unauthorised logins and keep your projects even safer.
See our help article for more information and to find out how to enable 2FA for your Fasthosts account.