Computer Security: Multi-factor Authentication

This is the third post in a multi-part series on computer security essentials. I am not a computer security expert, but there are some basic computer security essentials that a surprising number of people don’t understand. The aim of this series is to raise awareness of these. I will be covering password vaults, two-factor authentication, devices and local encryption.

Multi-factor authentication is a method of accessing your accounts whereby you need multiple factors of authentication: typically a combination of something you know (such as a password), something you hold (such as a device or card) and/or something about you (such as your fingerprints or iris).

Two-factor authentication (commonly called 2FA) is the most common form of multi-factor authentication and is supported on a large number of online services.

Some time ago, two-factor authentication for online services typically used a physical fob/token to generate a one-time password, but there were many downsides including expense, delayed access and portability.

These days two-factor authentication usually consists of a free app running on a smartphone which generates a one-time password, which you enter in addition to your regular password to log onto a site or service.

I originally used Google Authenticator for these but I have since moved to Authy on iOS because, as of a few months ago at least, Google Authenticator provides no convenient mechanism to move codes across devices (besides disabling and reenabling 2FA for every site you use).

Some sites also allow you to use SMS for two-factor authentication, but this may be less convenient if, for example, you’re travelling in a different country using a different SIM card and don’t have easy access to SMS on the number you specified for your account.

Some password managers, like LastPass and 1Password, also allow you to generate one-time passwords. I prefer to keep my one-time passwords separate from my regular passwords.

Sites that use multi-factor authentication allow you to generate and print backup codes in case you can’t access your device. You can print and store these securely, but you should never store them in your password vault: these codes bypass your multi-factor authentication, so keeping them there defeats the purpose of having it.

You should enable multi-factor authentication for any site that you use that supports it. WordPress.com, Google, GitHub and Slack all support two-factor authentication. You can look up which online services support it on this handy website.

Author: Alister Scott

Alister is an Excellence Wrangler for Automattic.
