Everything you need to know about 2FA

From emails and messages to corporate files and bank details, a lot of personal and sensitive information lies behind the protective shield of passwords. With data breaches on the rise, passwords can become an easy entry point for cybercriminals. Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), has emerged as a reliable method to secure your online accounts. It’s a simple but powerful tool to compensate for the weaknesses of password-only logins, making it significantly harder for cybercriminals to gain unauthorised access to your personal or business accounts.

How 2FA works

As the name suggests, 2FA requires two different identification factors to log into an account. The factors come from three categories: something you know (your password), something you have (a phone or other device that can receive or generate a code) and something you are (biometric data like a fingerprint, face or retina scan). In most cases, 2FA is a combination of the first two: your password plus a one-time code tied to a device you control.

When you log into one of your online accounts, you are first asked to enter your username/email address and the password you have chosen for this account. With 2FA activated on your account, the system will then prompt you for the second authentication factor. If ‘something you have’ is your second factor, you will be asked for a one-time code that is sent to, or generated on, your selected device.

This could be:

  • A code sent via SMS to a phone number you have selected
  • A code sent to your email address
  • A code generated in an authenticator app on a mobile device

Once you have successfully entered the second factor of authentication, the system will verify your identity and grant you access to your account. Logging in with multi-factor authentication takes a little longer, which can be frustrating, but it makes an enormous difference in keeping your digital assets safe. And when you compare the small frustration with the alternative of having money stolen from your bank account or your personal identity compromised, a little extra time becomes insignificant!

Why 2FA works and why it’s important

With cyber incidents on the rise, it has become essential to add 2FA to your accounts as an extra layer of protection, as this example about a local tradie whose email account was compromised demonstrates. Even a long and complex password can be stolen: through phishing, through malware on your computer, or through a data breach at a website you use. In the last two cases it can happen through no fault of your own, and you may not find out until the password is already being used against you.

However, with 2FA enabled, a cybercriminal who discovers your username and password still cannot log in without the second factor, which is tied to a device you hold. This added layer of security protects your personal and business accounts and makes it significantly harder for cybercriminals to obtain your data, likely leading them to move on to a more vulnerable target. One caveat: not all second factors are equal. Codes sent by SMS can be intercepted if a criminal takes over your phone number, and codes sent by email are no help if it is your email account that has been compromised. Where a service offers it, a code generated in an authenticator app on your own phone is the stronger choice.

How to set up 2FA

The majority of online accounts will come with the option to set up some form of multi-factor authentication. When you log into an account, look through the account settings (often under your profile icon in the top right-hand corner of the app you are trying to secure) for a section called security, privacy or login. Find multi-factor or 2FA setup and follow the setup instructions. The process will always be essentially the same:

  1. Agree to turn on multifactor authentication.
  2. Select the format you would like to use for codes (authenticator app, email address, text to a mobile number). If an authenticator app is offered, prefer it.
  3. If you choose authenticator app, make sure the app is downloaded on your phone*, then open the app and select the option to add a new login (indicated by a + sign). Using the authenticator app, scan the QR code offered by the account you are securing, or type in the setup key shown next to it. Treat that QR code and setup key like a password: anyone who copies them can generate your codes.
  4. A code will immediately be sent to your email/phone, or will appear in the authenticator app. Enter it into the account setup page. This tests the setup and confirms that the 2FA connection is working and will be required for future logins to the account.

IMPORTANT NOTE: Take the time to do the full setup and complete the backup recovery contacts and recovery codes offered. This step is important. If for some reason you lose access to one of your verification methods (you lose or replace your phone, for example) you WILL need a backup method. Save the recovery codes somewhere that is not the phone itself, such as a password manager or a printed copy kept safely. Once 2-factor authentication is set up your account is now secure, remember? You, too, will be denied access if you cannot properly verify your identity.

* If you choose to use an authenticator app for receiving 2FA codes, Microsoft and Google both offer an app (Microsoft Authenticator and Google Authenticator) that works with any account that supports authenticator apps, not just their own services. Install one of them on your phone from the Google Play Store or Apple App Store and connect it to each of your accounts by using the app to scan the QR code provided during the 2FA setup process in whichever account you are securing.
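What actually happens when the app scans that QR code is worth seeing once, because it explains why the code changes every 30 seconds, why a stolen QR code is as bad as a stolen password, and why the account can still accept a code that is a few seconds "late". The example below is added here to illustrate the setup steps above; it is not code from IT Basecamp or from either authenticator app. It implements the standard time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator and Microsoft Authenticator use for third-party accounts: the QR code carries a shared secret in base32, the phone and the website both run the same calculation over the current time, and the website also keeps a small tolerance window and refuses to accept the same code twice. The secret used is the published RFC test vector, not a real account key, and the `TotpVerifier` class is an assumed, simplified version of the server-side check.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def _decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 'setup key' shown next to the QR code.

    Services print it in spaced groups and usually without '=' padding,
    so normalise before decoding.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    'dynamically truncated' to a short decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret_b32: str, now: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    This is the calculation the authenticator app does on your phone."""
    if now is None:
        now = time.time()
    return hotp(_decode_secret(secret_b32), int(now) // step, digits)


class TotpVerifier:
    """Assumed server-side check: accept a code for the current 30-second
    step or one step either side (clock drift), and never accept the same
    step twice (replay)."""

    def __init__(self, secret_b32: str, step: int = 30,
                 digits: int = 6, window: int = 1):
        self._key = _decode_secret(secret_b32)
        self._step = step
        self._digits = digits
        self._window = window
        self._last_counter = -1  # highest step already used successfully

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        code = code.replace(" ", "")
        if not (code.isdigit() and len(code) == self._digits):
            return False
        if now is None:
            now = time.time()
        counter = int(now) // self._step
        for c in range(counter - self._window, counter + self._window + 1):
            if c <= self._last_counter:
                continue  # already consumed: a replayed code is rejected
            if hmac.compare_digest(hotp(self._key, c, self._digits), code):
                self._last_counter = c
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded the
# way a setup key is displayed. Constructed for the example; not a real key.
DEMO_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def demo_sequence(secret_b32: str = DEMO_SECRET):
    """Walk one verifier through: fresh code accepted, same code replayed,
    next step's code accepted slightly late, stale code rejected."""
    v = TotpVerifier(secret_b32)
    return (
        v.verify("287082", now=59),   # step 1 code at t=59: accepted
        v.verify("287082", now=59),   # same code again: replay, rejected
        v.verify("359152", now=75),   # step 2 code at t=75: accepted
        v.verify("287082", now=95),   # step 1 code at t=95: too old, rejected
    )


if __name__ == "__main__":
    print("code the app shows at t=59:", totp(DEMO_SECRET, now=59))
    print("accept / replay / drift / stale:", demo_sequence())
    print("code right now:", totp(DEMO_SECRET))
```

Two things the code makes concrete. The secret never leaves the phone after setup: only the 6-digit result does, which is why the QR code and setup key must be protected but the codes themselves are safe to type. And the verifier has no way to tell who is typing the code, only that it was computed from the right secret at roughly the right time; that limitation is exactly what the phishing attack described in the "so what's the catch?" section exploits.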

What accounts should be secured?

Bank accounts should obviously be secured and banks often have proprietary systems for ensuring multi-factor authentication. But email and social media accounts are super important too. Hacking email accounts is a classic way cybercriminals gain personal information to scam or impersonate you. And social media accounts are a part of your personal identity. Particularly if your social media account is connected to your business Facebook page, having your access compromised can be dire. Imagine being locked out of your business Facebook account and having no control over how a cybercriminal changes your page’s content for all your customers to see - it happens! Anyone with admin access to a business page should have 2FA active on their personal profile.

2FA - so what’s the catch?

Nothing is ever perfect and multi-factor authentication is no exception. Cybercriminals have devised a method to get around it, and it is the human side of the 2FA process that is targeted. Criminals use phishing and impersonation techniques to fool users into clicking on fake links in email, text or messaging apps. The fake login page then relays the password AND the 2FA code straight to the criminal, who logs into the legitimate account within the short time the code is valid. This is sometimes called real-time or adversary-in-the-middle phishing. The only factors that resist it are ones that check which website they are talking to, such as hardware security keys and passkeys; a code you type in cannot.

The key is to remain knowledgeable and vigilant so you stay in control of your account logins and therefore stay secure. Find out how to spot and avoid these scams here.

Our cyber security services

For your business: Apart from enabling 2FA, there are several steps you can take to protect yourself and your business from cyber threats. To get expert advice on cyber security and implement security processes for your business, check out IT Basecamp’s cyber security concierge service Cyber Heroes.

For your family: For more information on cyber security measures and how to identify cyber threats, take our free Cyber Security Fundamentals course and read our blog on 2FA phishing attacks. Make sure to share this information with your colleagues and family members to protect yourself and others from cyber attacks.