Step 2: Set Up Strong Two-Factor Authentication

From Security for Everyone, edition e1.0.0. Updated October 9, 2023.

A long, long time ago it was perfectly OK to use just a password to access your account—since the availability of tools to guess your password was limited, and those accounts also didn’t have as much value as they do today. Nowadays, you need to take a few steps to prove who you are to make it harder for people to bypass or trick their way into your account. One essential way to achieve this is to use two-factor authentication.

Definition Two-factor authentication (2FA) is a security measure that requires two modes of identification before access to a system or application is allowed. You may also see such multi-step authentication processes called multi-factor authentication (MFA) (when more than two factors are used) or two-step verification (2SV) (which is almost the same, but the steps may be on the same device).* For simplicity, we’ll just refer to all of these options as 2FA in this book.

important 2FA is especially important for your email account.

As with “strong” encryption, it can be hard to assess if 2FA is “strong” without expertise in IT security. A few options for 2FA exist, and I’ll provide a high-level overview from most to least secure:

  • The best 2FA method is the use of a physical security key as this requires that you physically have the key to log in. These are also called hardware security keys. The most popular provider is Yubico with their YubiKey products. These keys use cryptography to generate and share secret keys each time they are plugged in or near your device, and tapped. All the secure transfer of secrets is done by the key. Because they rely on cryptography and a physical device, this is the hardest method for attackers to bypass. These keys even work wirelessly (Bluetooth and NFC), which means they are mobile friendly too.

  • The next best 2FA method you can use is push notifications. Physical keys might not be your jam. Maybe you don’t want to carry a physical dongle around, but you are more attached to your phone than anything. This requires you to have a specific mobile app or mobile operating system (such as YouTube on iOS) to set it up. That way when you log into your email, you would need to accept a prompt on your phone, asking if you are trying to log in.

  • The next best option after a push notification is a one-time password generated by an application. This is an auto-generated code that is refreshed every 30 seconds or so. The only way to get the code is via a mobile app, password manager, or cloud-based web application (like Authy). This is a step down from push notifications because these codes can still be phished: an attacker can trick you into reading the code out to them.

There are options beyond these three. These include one-time passwords sent via SMS, and knowledge-based questions (“security questions”). However, these are significantly less secure and I do not recommend them.

danger If possible, avoid SMS-based 2FA. Weaknesses in phone providers’ systems that may permit switching SIM cards to new phones without proper verification prevent SMS from being a strong authentication method.

danger Knowledge-based questions are the weakest form of additional account security: the answers to questions like “What is the name of your high school?” are easy to find on social media.

Bottom line, if these are the only two methods available, that email provider is not safe for you to use.

controversy There are varying opinions from experts on which method is best and how much protection weaker 2FA methods offer. I can confidently say any 2FA is better than none. This is especially the case for when we start talking through all the other accounts you need to protect, where the two-factor options might be limited but there are no other competitors to switch to. When it comes to email though, you need to set the bar higher with a safer method of 2FA and not compromise. SMS-based two-factor might be OK for one social media platform if there are no other options and that is where your target audience hangs out, but it is not OK for your email.

You may even wish to configure more than one 2FA option for very important accounts like your email. This is sometimes known as using “tiered” backups. You can set up both a physical security token and an authenticator app as multi-factor authentication options; then, if you don’t have access to one, you can still get in via your backup option.

confusion When considering which method to use for 2FA, also consider the fact that you don’t have to log into a fresh device very often. You likely use the same phone, laptop, and tablet for accessing your email. Unless you are using a shared device, you can stay logged into your devices and will only be prompted to log back in once every few weeks or months.

Step 3: Store Your Backup Codes in Your Password Manager

After going through the process of configuring 2FA settings, you might get to the end of the steps and see a new term used: backup codes.

Backup codes (or recovery codes) are “break glass” codes that can be used as a backup option in the event something happens with the device you use to generate the two-factor codes.

The list of apps for generating two-factor codes is long and includes Google Authenticator, Authy, Microsoft Authenticator, Duo Security, and others. When you use an app on your phone to generate those codes, it generates keys that are stored on your phone so only your phone can generate the right codes to get into your account. If you experience that horrific moment of losing or breaking your phone, those keys may be lost. All hope is not lost, however, and that is why you are given backup codes at the end of that set-up process.
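To show what makes backup codes a “break glass” option, here is an added example (not code from the book or from any of the apps named above) of how a service might issue and redeem them: the plaintext codes are handed to the user once, only salted hashes are kept, and each hash is deleted when its code is used, so a code works exactly once. The code format, alphabet and PBKDF2 iteration count are assumptions, not any provider's actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet without 0/O and 1/l/I look-alikes, so codes are easy to type back.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def new_backup_code(length: int = 10) -> str:
    """Random code such as 'k7mq-3vxw2c'; about 50 bits from a 31-symbol alphabet."""
    raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
    return raw[:4] + "-" + raw[4:]

def normalize(code: str) -> str:
    """Tolerate the dashes, spaces and capitals a user may add when typing a stored code."""
    return code.strip().replace("-", "").replace(" ", "").lower()

def hash_code(code: str, salt: bytes) -> bytes:
    # PBKDF2 slows offline guessing if the stored hashes ever leak (assumed iteration count).
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)

class BackupCodes:
    """Server-side record for one account's backup codes."""

    def __init__(self, count: int = 8):
        self.salt = secrets.token_bytes(16)
        self._plaintext = [new_backup_code() for _ in range(count)]  # shown once, then gone
        self.hashes = {hash_code(c, self.salt) for c in self._plaintext}

    def issue(self) -> list:
        """Return the plaintext codes exactly once (for the user's password manager)."""
        codes, self._plaintext = self._plaintext, []
        return codes

    def redeem(self, candidate: str) -> bool:
        """Accept a code once: its hash is removed, so replaying the same code fails."""
        h = hash_code(candidate, self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, h):
                self.hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)
```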
