(AKA “2-Step Verification”, AKA “2-Factor Authentication”.)
As you’ve probably noticed, your password isn’t always the only thing required to log in to your online accounts. Many websites and apps ask for a verification code as well. It’s a way of proving you are the account owner (rather than someone who’s figured out your password) by sending a code to a place which only you can access (in theory).
This is known as Multi-Factor Authentication (MFA), and it’s a good safety net that’s gained traction due to the prevalence of weak passwords and data leaks.
There are different methods of receiving a verification code. The most common ones are text (i.e., SMS), phone call, email, and an authenticator app. If multiple people need to access the same online account, each of them should enrol their own device for MFA. Not every device has to use the same method, either: most services let you register several methods on one account. Don’t be tempted to disable MFA and compromise cybersecurity for the sake of convenience.
Which MFA method is best?
If possible, avoid using text or phone calls, as “SIM-swap fraud” has been a widespread problem. Bad actors will use social engineering to obtain enough personal information to pass security questions, then trick your mobile provider into transferring your phone number to a SIM card which they own. The bad actors can then receive verification codes via text and phone call in order to reset your passwords and log in to your online accounts.
Receiving a code via email may be more secure, but what about logging in to your email account? You could use a different email address to receive the code, but it’s easier to keep all of your MFA needs in one place. That’s why I recommend using an authenticator app.
Respect mah authenticator
When you set up an online account in an authenticator app, the account’s server generates a random secret key and shows it to you once, normally as a QR code on its website (the QR code encodes an otpauth:// link containing the key, the account name, and a couple of settings). You scan or type it into your app, and from then on the app and the server both hold a copy of the same secret.
The codes themselves are “Time-based One-Time Passwords” (TOTP). The algorithm is public (RFC 6238): the app takes the current time, rounds it down to a 30-second step, and runs an HMAC over that step number using the shared secret; a few digits are carved out of the result to make the six-digit code you see. A fresh code appears every 30 seconds or so, and the server rejects codes that are more than a step or two old, so a code a bad actor has seen is useless shortly afterwards. Only the server and the app know the secret, so when you type in a TOTP the server computes its own code for the current time step and lets you in if they match.
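Here is the whole flow in about sixty lines of Python: parsing the enrolment QR code’s otpauth:// link, generating codes the way the app does, and checking them the way the server does. This is an added example written for this post, not code from any authenticator app or password manager. The enrolment link is constructed, and its secret is the published RFC 6238 test key (the ASCII string “12345678901234567890” in base32), so the codes it produces can be checked against the RFC’s test vectors. The names `parse_otpauth`, `hotp`, `totp` and `verify_totp` are my own.

```python
"""TOTP (RFC 6238) end to end: enrolment link -> app-side code -> server-side check.

Added example for this post. Only the Python standard library is used.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment link, like the one hidden inside the QR code a site shows you.
# The secret is the RFC 6238 test key "12345678901234567890" encoded in base32.
ENROLMENT_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the shared secret and settings out of an otpauth://totp/ link."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment link")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # QR codes usually drop the '=' padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then 'dynamically truncate'."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret, unix_time, period=30, digits=6, algorithm="SHA1"):
    """What the app displays: HOTP with the counter = current 30-second time step."""
    return hotp(secret, int(unix_time) // period, digits, algorithm)


def verify_totp(secret, submitted, unix_time, last_accepted_step=-1,
                period=30, digits=6, algorithm="SHA1", window=1):
    """What the server does. Accepts the code for the current step or +/- `window`
    neighbours (clock skew), refuses any step at or before `last_accepted_step`
    (replay), and compares in constant time. Returns the accepted step, or None."""
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        candidate = step + delta
        if candidate <= last_accepted_step:
            continue  # this code (or an older one) has already been used
        expected = hotp(secret, candidate, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


def current_code(uri=ENROLMENT_URI):
    """Convenience: the code an authenticator app would show for this link right now."""
    acct = parse_otpauth(uri)
    return totp(acct["secret"], time.time(), acct["period"], acct["digits"], acct["algorithm"])


if __name__ == "__main__":
    acct = parse_otpauth(ENROLMENT_URI)
    print(acct["label"], "->", current_code())
    # RFC 6238 test vector: at T=59 the 8-digit code is 94287082, so 6 digits is 287082.
    print(totp(acct["secret"], 59), totp(acct["secret"], 59, digits=8))
```

Two details matter more than the arithmetic. The server should remember the last time step it accepted for each account, otherwise a code someone shoulder-surfed can be replayed within the 30-second window; and the comparison should be constant-time, because a plain string comparison on a six-digit code leaks which leading digits were right. Note also that the secret is all there is: anyone who copies the QR code or the base32 string can generate every future code, which is exactly why the site only shows it once.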
There are authenticator apps from many different companies, including free ones from Google and Microsoft. However, the most convenient one is the one built into your password manager. It will autofill both your password and its corresponding TOTP, saving you a lot of time whilst keeping your credentials secure. The trade-off is that both factors now live in one vault, so if that vault is ever compromised, so is your MFA; protect it with a strong master password and turn on the password manager’s own MFA.