How Multi Factor Authentication Works

Passwords Aren’t Enough! Secure Your Online Accounts Now.

How does Multi-factor verification help to protect your online accounts from hackers, scammers and prying eyes and how do you go about setting it up?

Why are passwords weak on their own?

The main weakness of passwords is that they’re a single layer of protection for your accounts.

Passwords on their own can be ridiculously easy to bypass for a determined hacker.

An all too common (and surprisingly sophisticated) method hackers use is a phishing scam: the hacker sends you an email that looks like a legitimate message from one of your accounts and asks you to click a link and sign in. They design a fake page to look like the account you're trying to sign into, so as you attempt to sign in, you unwittingly hand your password to the hacker.

Another method is simply someone looking over your shoulder as you type your password. This is not as uncommon as you might think: disgruntled co-workers, people working in coffee shops, etc.

Of course, if you have a rubbish password, then there's no excuse…

Most people’s passwords

Security experts recommend we make our passwords as long as possible (9 characters or more), adding in capital letters, numbers and special characters to make them stronger. Most people, however, use simple-to-remember words or phrases with some extra punctuation or flourishes to make them harder to guess, but unfortunately this still leaves you open to being hacked.

It’s a given that you need to make your passwords strong, but in the real world we all need to remember those passwords for our day to day accounts and unfortunately not everyone is using a Password Manager yet.

As we've mentioned, there are lots of creative and nefarious ways a hacker or scammer can get hold of your password, so without two-step verification, once someone has your password they can easily get into your accounts and cause all sorts of personal, reputational or financial damage.

Worse still, if you've used the same password for other online services (don't do this!), then it really doesn't take a determined hacker much work to log in to all of your other accounts and find out more about you: which websites you use, who your friends are, etc. Easy identity theft 101.


So what is two-step verification and how does it work?

Two step verification is essentially adding a second layer of security on top of your password to protect your accounts.

In order to sign in to your account the website not only asks you for something you know (your username and password), but also asks for something you have, such as your mobile phone to send a text code to.

After entering your username & password, and before letting you into your account, the website or service in question will ask you for a code.

The thought behind this is that IF your password has been compromised, then the hacker, wherever they are in the world, still can’t access your account because they would also need the extra code to enter your account.

For further security, verification codes are time limited: they expire after a short period and can only be used once. However, you can always ask for another code if you didn't enter the first one in time.

How you would log in to an online account with two-factor authentication enabled

  1. Enter your username & password
  2. The website detects the login attempt and asks you to verify yourself.
  3. You verify your identity with a separate code or a physical key, then you’re in.

Simple.

Two-step verification makes sure that anyone trying to log into your account requires verification from a device or code that only you, the user, should have access to.

Types of two-step verification

SMS Text message

The simplest way to enable two factor authentication is via your mobile phone.

Within your online account settings, you will need to provide your mobile phone number.

As you try to log in to your account, you will be sent a code via SMS to log into your account.

Every time you want to get into your account, you get a new code sent to your phone. Most verification codes expire in a matter of minutes, providing that extra level of security for you.


Caveat

Having multi-factor codes texted to your phone is a great first step into using multi-factor authentication, however it isn't infallible. Nothing is. There are ways for very determined hackers to clone mobile numbers, or spoof multi-factor authentication pages, so if your account is of particularly high value, then you should look below at authenticator apps or hardware keys instead. They are just as easy to use and offer better overall security.

The above being said, you should absolutely have SMS multi-factor enabled if you have no other multi-factor options available. Text multi-factor is infinitely better than not having it enabled, so if you just need a simple option to get you started with your account security, then absolutely enable it now!


Authenticator Apps

The next step up from using text messages to get your authentication codes is to use an app.

Without getting too technical, when you set up the app it and the service in question share a secret key, which allows them both to generate the same code independently of each other. This means that even if you don't have mobile signal to receive an SMS text message, you can still get your authentication code.

With nothing being sent via text here, there’s no danger of your phone number being cloned or spoofed, so that extra hole is shut for hackers here.

The popular Lifehacker blog has listed the best authentication apps for both iPhone and Android devices. Personally I use the Google authenticator app, it allows me to generate codes for all of my online accounts, Facebook, AWS, Google, etc etc but in principle most authenticator apps work in the same way.

Google’s Authenticator App with multiple accounts. The blue marker is a timer, counting down the code’s expiry time. Codes are refreshed every 60 seconds.

How to set-up an authenticator app

In your online account, when you click the option to set up multi-factor you will be shown a QR code on your computer screen.

Within your authenticator app on your mobile phone, you click to add a new code, then scan the code on the screen.

You will be shown your new code with a timer next to it, showing when it expires – your online account will ask you to verify the code you see on your mobile phone to confirm everything is working and that’s it, you’re good to go!


Hardware Authentication Keys

The pro way of doing two-step verification.

A hardware authentication key is a physical key you can plug into your computer to confirm you are the account holder of whichever accounts you have registered with that key.

This isn’t as complicated as it sounds, they’re simply like having house keys, plus spares.

If you’re not convinced, please enjoy this cheesy 30 second video from the guys at Yubikey.

Whichever accounts you’re wanting to protect, you simply register your hardware key, or keys (like your house keys, it’s good to have a spare set) with your account so that going forward, to log into those accounts, you will need to have your key with you to log in.

It’s worth noting that some keys are compatible with NFC so you can use them with your mobile phone to simply touch the device and log in to your account.

Where can I get a Hardware Authentication key from?

There are lots of companies making hardware keys, so they're quite readily available. I have a Yubikey, but I also hear good things about Google's Titan and TrustKeys, all linked below.


What if I lose my phone or key?

As part of most two-step verification set-ups, you can use multiple methods of two-step verification, so you can set up backup telephone numbers, email addresses or keys and never find yourself locked out of your account. Google even lets you print out a set of single-use verification codes to keep in a safe place as a further backup.

Always have backups or spares

Like having spare keys for your house, it is worth noting that the more backups or spares you have, the more you will need to be aware of where those spares or backups are.

Nobody can tell you how many backups you will need, that is down to your personal preference and risk management, but you should probably have at least one backup method of logging in.

Google explain more here:

If you lose a key, or change your phone number, remember to log into your accounts and remove those methods of verification from your account and update to your new two-factor details.

Further information about two step verification

I’ve collected links to the help pages from some of the most popular online services here which describe how to set-up two-factor authentication on their services using one or multiple methods as described above.

Google, Gmail, YouTube etc

Google two-factor authentication page describes really well what it is and how it works.

Facebook

Instructions on how to enable two-factor authentication for your Facebook account

Microsoft Office – Hotmail, Live etc

Find out more on using two-step verification for Microsoft services here. Microsoft has its own code generator app for its services.

Paypal

If you want to enable two-factor authentication for your Paypal account, you can enable it quite easily, but only text messaging is supported at the time of writing this blog.

LinkedIn

How to set up two-factor authentication on your LinkedIn profile.

Twitter

How to set-up two-factor authentication for Twitter

Instagram

How to set-up two-factor authentication on Instagram


In summary:

Enable two-factor authentication on all of your online accounts now!

From a personal standpoint, I've been trying hard to advise friends and family to use two-step verification, but it's an uphill struggle; it all seems more complicated than it actually is. It's really not, and this is part of the reason why I wrote this blog, so I can say "Look, I actually took time out at work to write this! It's really important. You should know about this."

You’ll all be making this PMC blogger a very happy guy if you look at two-step verification!

You should have this enabled on all of your accounts!


Improving your passwords

If after all of this you still don’t want to use two-factor authentication, then you definitely should look at how you can improve your passwords, yet keep them easy to remember.
Computerphile have a superb video here that explains in detail just how to do that.
