Security keys offer the highest level of protection, while authentication apps are more widely supported. Avoid text-message codes if you can.
By guest author Nicole Nguyen from the Wall Street Journal.
Cybercrime is way up and a strong password isn’t enough to protect your money, your work and your family. To protect your accounts from increasingly active evildoers, you need a second factor.
More and more internet accounts offer two-factor authentication, which generally entails a code you input after typing in your password. Requiring that second factor is like having a door with multiple locks: If a burglar gets hold of one key, there’s still another deadbolt sealing the door.
There are different types of two-factor authentication, and each comes with its own security-convenience tradeoffs. Here’s a guide to different options, and what you need to know to protect your digital life.
Use Unique Passwords
Before activating two-factor authentication, take a look at your passwords. How often do you reuse them? Criminals commonly take usernames and passwords leaked from one breach and try the credentials on other sites.
Use a password manager to generate—and remember—long, unique passwords for each of your accounts. For the less tech-savvy, I recommend starting with the free manager built into your browser or operating system. If you use a lot of online services, changing all the credentials can be a tedious, time-consuming task. But it’s worth it, especially if your old passwords have already been exposed in a breach. (Check at haveibeenpwned.com, which won’t ask for your passwords, only your email or phone number.)
Once your passwords are strengthened, turn on two-factor. Not all services support it, and ones that do may bury it in settings, usually under sections labeled “account” or “security.” Once you find it, assess your options. Some services allow you to choose from various types of authentication, and even add multiple as backups.
Security keys are one form of two-factor authentication. They’re little dongles, often USB sticks, that hang from your keychain or plug into your computer. You can use them to authenticate many popular sites such as Google, Facebook and most password managers.
A typical laptop-based flow looks like this: Go to a website or app, type in your username and password, then, when prompted, insert your key into the computer’s port. Touching the key’s gold tip or disc triggers the authentication. For a smartphone or tablet, you can get keys with wireless alternatives, such as near-field communication (NFC), so you don’t even have to insert the key.
Security keys are the most secure factor you can use to protect your account, said Ryan Noon, chief executive at security firm Material Security. To log in, a hacker would need both the password and physical access to the security key, rather than remote access to a string of numbers, he explained.
If you’re at higher risk—perhaps you’re an executive, an administrator who manages sensitive data, a social-media influencer or high-net-worth individual—consider setting up a security key for accounts that support it.
I’ve used Yubico’s keys, which start at USD 25, for years. They’re small, sturdy and well-trusted. (Google and Twitter hand out Yubico keys to their employees.) The most user-friendly setup includes a USD 60 Nano plugged into your primary laptop while in a trusted environment, like a home office, and a USD 55 NFC-enabled key on a keychain to use on the go. Once you log in, check the “Do not ask again on this device” option if available, and you’ll hardly have to interact with the security key.
There are limitations. “Security keys can be a huge pain in the butt to manage for organizations and people,” Mr. Noon said. People lose keys, and that can mean losing access to their accounts. Some accounts allow you to print out a set of single-use access codes for dire circumstances, but it pays to buy and register a spare.
Authentication Apps: Free and Convenient
While many sites support two-factor authentication, not all accept security keys, including PayPal and Amazon. For the rest of your accounts, use an authentication app, which generates time-based login codes. They work even without an internet connection and, as I’ll explain, they’re safer than getting codes via text message.
You can set up a single authentication app for multiple accounts and services. I like Twilio’s Authy because of its user-friendly interface and ability to deliver codes on desktop and mobile. Add extra protection by requiring a fingerprint or face ID to access the app, and turning off “Allow Multi-Device” to prevent attackers from enrolling unauthorized devices using a hacked mobile number.
You can even mix and match your second factors for extra security: Yubico’s authenticator app for desktop and mobile requires security-key authentication.
Just make sure you only input the code when your service requests it, and that you don’t accidentally give it to a malicious website. If you get an email or text message asking to log into a service you use, don’t click the link inside that message. Instead, go to the website or app you normally visit and log in directly.
Some app-based authentication involves push alerts. In rare cases, hackers can employ an attack that triggers multiple notifications, hoping a user accidentally taps “allow” on one of them, so always read before you tap.
Text-Message Codes: Use With Caution
One of the most familiar approaches of two-factor authentication is the code sent via text message. For most people, any extra authentication beats a username and password. Still, you need to know this method’s vulnerability.
“SIM swapping” is where criminals steal a victim’s phone number by duping the carrier into porting the number to a new account. These kinds of attacks are on the rise, according to the Federal Bureau of Investigation, but they are generally targeted attacks, where hackers know who they are after and what they can steal. Prime targets include people with fat bank accounts or crypto wallets.
It’s best to avoid using SMS-based two-factor authentication if you can. For some services, however, it’s the only option. To protect your phone number, log into your carrier account and review the security options. Some will even allow you to add a passcode, which is required if anyone attempts to port the number.
Whatever you choose, make sure your accounts are protected by more than a bad, recycled password.