Product Reviews
Take Action
Back
SIGN THE PETITION

Fight for Fair Finance

Tell the administration and Congress to stand up for the consumer watchdog that protects you from financial fraud and abuse.
Take Action
Why Do We Have Campaigns?
We're fighting to ensure you and your family can get a fair deal in the marketplace, especially on the choices that matter most: health care, privacy, automobiles, food, finances and more. Join our campaigns and together, we'll hold corporations and lawmakers accountable.

What is two-factor authentication, and why should you use it?

Even the best password is no guarantee of security. Adding a second layer of defense can help you stay safe online.

Published: October 15, 2014 03:15 PM

After it was widely reported that the Dropbox cloud storage service had been hacked, the company reminded its customers to use two-step verification. (Dropbox denies that a breach took place). Many other Internet services provide this option as well, including Google, Facebook, Amazon, and Apple. If you're not taking advantage of this technology, you should.

The idea is this: Even if you create the strongest password in the world, that won't keep criminals out of your account if they get their virtual hands on that password. Consumers who use the same password for multiple accounts are especially vulnerable: If hackers discover one of your accounts' passwords, they will try using it elsewhere too.

Two-step verification goes by various names, including two-factor authentication, but the process is the same. In addition to something you know—a password or PIN—you have to supply an additional credential to log into a secure site. For instance, once you enter a password, your bank or e-mail service may send a text message to your phone with an additional code that you need to enter to access your account.

Two-factor authentication can also use something you are: biometrics, requiring a fingerprint, for example. And the second credential could also involve a physical object, something you have, such as a smart phone or key fob with a built-in authentication mechanism.

Sean Leonard, CEO of a secure Web-mail and encryption company, Penango, says that two-factor authentication really improves your safety "While it is easy to figure out or skim passwords for most user accounts, getting access to the token is much harder,'' he said. "An attacker would have to steal the user’s phone or physical key fob."

Two-factor authentication is familiar in the offline world to anyone who uses an ATM. First you swipe your bank card (something you have) then enter a PIN (something you know). Your bank account is safe from anyone who has either the card or your PIN, but not both.

Online, you usually have to opt in to 2FA. With Google, for instance, you would register your smart-phone number with the company; whenever you log into your Google account for the first time on a new device, you'll receive a text on your phone with a unique verification code. Enter that, and you're in.

Visit our guide to Internet security for more news and advice on staying safe online.

Using 2FA is undoubtedly safer than protecting your accounts with just a password. But there is no such thing as perfect security. If your phone is stolen, the criminal could use a text message to gain access to accounts.

Additionally, 2FA does generate some inconvenience. If the second authentification factor is a physical object, Leonard said: "Users have to carry around the second factor device. If they lose it, it has to be replaced—costing issuers additional time and money. "

Keep in mind these additional tips to stay safe.

  • Never use the same password at more than one account.
  • Create strong passwords: A password that isn't impossible to remember can contain an internal core nonsense word with added characters indicating the site and some symbols you can change if needed.
  • Use “OpenID,” a "technology to log in to one website using another website’s credentials, such as Google or Facebook," Leonard said. "Very large sites have much more sophisticated algorithms to detect and prevent fraud or data breaches."

—Carol Mangis

More resources:
Brown University

Lifehacker
Confident Technologies


E-mail Newsletters

FREE e-mail Newsletters! Choose from cars, safety, health, and more!
Already signed-up?
Manage your newsletters here too.

Online Security News

Cars

Cars Build & Buy Car Buying Service
Save thousands off MSRP with upfront dealer pricing information and a transparent car buying experience.

See your savings

Mobile

Mobile Get Ratings on the go and compare
while you shop

Learn more