2FA made easy
Two factor authentication (2FA) is a method of confirming your claimed identity by using a combination of two different factors: something that you know and something that your have.
However, when not implemented properly, 2FA can have unwanted consequences.
Here are a few simple tips to make 2FA easier for the normal everyday people:
1. Use a password manager
The password is the first authentication factor.
Using a second factor is not an excuse to weaken the first one (after all, you want 2FA, not 1.5FA). So good passwords must be long, random, unique and not present in known breaches. Realistically speaking, your best chance to meet these conditions is to use a password manager. LastPass, 1Password and Dashlane are the most popular options.
"Password managers offer greater security and convenience for the use of passwords to access online services. " NIST
Just pick one and start using it today!
2. Password and SMS
Now, with the password problem out of the way, we can start talking about 2FA.
The SMS authentication codes are probably one of the most familiar second factor. And from an accessibility perspective, they work fine: virtually all the mobile phones can receive SMS messages. But from a security point of view, SMS codes have a number of disadvantages, so you should only use them if there is no other factor available.
A password and an SMS is always going to be better than a password alone
3. Password and hardware keys
There are two types of hardware keys: hard tokens (temporary codes generated by a physical device) and U2F security keys (like the YubiKeys). They both offer strong security, but the first type is more common in the enterprise world, while the second type has some platform limitations and come with a price: the cheapest USB-only keys start at around $20.
⚠ Make sure you don't lose them
⚠ Save the rescue codes if the service provider offers them
If you can afford them and if the service accepts them, then go ahead and use hardware keys
4. Password and soft tokens
The soft tokens are generated by apps such as Authy or Microsoft Authenticator. More secure than the SMS and more affordable than the hardware keys, the soft tokens are becoming more and more popular.
Here again, two recommendations:
⚠ Use an app that backs up your codes
This is important in case you lose access to your smartphone
⚠ Save the initial QR codes
Some services will also provide the QR seed or rescue codes. Save these as well.
Soft tokens strike the best balance of security, usability and cost. But be prepared if you lose them!
5. Sometimes, less is more
If a service provider offers more options for the second factor, avoid the temptation to set up all of them. Settle for one, avoid SMS if possible, make sure you have an usable backup and enjoy the day.
For example, PayPal offers at the moment two options for the second factor: SMS and soft tokens. If you set up both, you will be actually less secure than if you set up soft tokens only:
The 2FA is as strong as the weakest second factor
If you're interested, you can read more about the making of this website.
Below you can find detailed 2FA set up guides for the following popular websites: