Two-Factor Auth (2FA): Crash course

What is 2FA? How do I use it? In this guest article, the basics of 2FA are broken down into a simple crash course!


Two-factor authentication: best practices, and what to know

This article is intended to be a simple “crash course” on two-factor authentication, also known as 2FA for short. I wrote it to address one issue in particular: the lack of accessible, digestible articles on what exactly 2FA is.

I noticed while scouring the internet for basic guides that all the ones I found were in fact highly technical and hard to understand for the average user, so hopefully this guide will be the easy-to-understand one. As a result I will not include highly technical details; there are guides for that elsewhere.

What is it, though?

So what is it? Two-factor authentication, aka 2FA, is a way to keep your online accounts safe against bad actors (hackers and so forth). It works by asking for a second proof that you are you, on top of your password, so that someone who has only stolen your password still cannot get in. It is generally recommended these days.

In order to understand what exactly 2FA is, let’s use a very basic analogy that you’ve probably heard about elsewhere. Imagine the following:

You have a computer. It has a password, and a webcam on top of the monitor that recognises the owner’s face. To log in, the computer requires both: the password typed in and the owner’s face in front of the webcam. If someone learned your password and typed it in, they would still be denied access, because the webcam would not recognise them. The password is something you know; your face is something you are. Needing both is a basic form of 2FA!

Nowadays most websites include 2FA as an option. Exactly what is offered varies per website, but usually it is one or more of the following: SMS, email, or an authentication app.

However, these options are usually not on by default, i.e. when you make an account 2FA isn’t enabled and you have to look in the settings to enable it. Some websites don’t offer 2FA at all (so use a strong password there that you don’t use anywhere else)!

SMS

You’ll recognise this one – it’s a form of 2FA delivered via text.

Chances are you’ve already encountered it a few times when signing up for an online account such as Discord, Telegram, etc. You may also encounter it when logging back in to websites. But why?

SMS is used to deliver a one-time code: when you sign up, typically to verify that you aren’t a spammer or robot, and when you log back in, to verify that you are who you say you are.

It’s the least secure method for several reasons. Attackers can ‘hijack’ your phone number, for example by convincing your phone carrier to move it to a SIM card they control (a ‘SIM swap’), so that your text messages go to them instead of you. They can then pretend to be you, reset passwords and get access to your online accounts, particularly the high-value targets (banking accounts, stocks, and so on). It can be hard to recover from this.

Avoid SMS unless it’s the only option: some security is better than none, after all.

Email

This is another form of 2FA, this time a code (or a confirmation link) delivered to your email address. Some examples look like the following image:

Assuming you are the only one with access to your email address / account, this is a fairly secure method of 2FA. The catch is that your email account then becomes the key to every account that uses it for 2FA, so it needs its own strong, unique password and, ideally, its own 2FA.

It is typically used at account login; sometimes it is triggered for security reasons only when you’re logging in from an unfamiliar location or an unrecognised browser.

I noted earlier that you are likely the only one with access to your email address or account. Do not give anyone else access, even if it is a family member, significant other or friend: they will likely not take the same security measures as you, and may be tricked into giving someone else access in any number of ways!

Choose email 2FA over SMS when and where possible, if the authentication app option is not available. I’ll get to that next.

Authentication app (auth app for short)

This is the most secure of the three methods. It comes as an app on your phone, so the second factor is something you have (the phone with the app on it), and the code never travels over a text message or email where it could be intercepted. There are various auth apps available on Android and iOS:

This list is not representative of all available auth apps, nor do I recommend any particular one – that’s up to you!

The average auth app’s appearance typically looks like this with a one time code rotating every so often:

Why does the one time code change, though?

To try and simplify a rather complex technical explanation: when you enroll with your auth app, the website provides a “secret key” via a QR code (or, on some occasions, as plain text) for the auth app to store. From then on, the website and your auth app both know the same secret, and nobody else should.

The auth app combines that secret with the current time to generate a one-time code, and because the time keeps moving, the code changes every so often (typically every 30 seconds). When you type the code in, the website does the same calculation with its copy of the secret and checks that the results match. The great thing about this is that if someone else somehow gets hold of one of these codes, it will become invalid within a set amount of time. The secret itself, however, is as sensitive as a password: anyone who has it can generate your codes, so don’t share the QR code or let anyone photograph it.
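For readers who want to see what “combines the secret with the current time” actually means, here is an added example (my own, not code from the original post or from any particular auth app) of the standard time-based one-time password calculation, TOTP (RFC 6238), that most auth apps and websites use. It assumes the common settings of 6-digit codes, 30-second steps and HMAC-SHA1, and uses the test secret published in the RFC so that the results can be checked against the RFC’s own table. The base32 string stands in for what a website’s QR code carries; the time values in the demo are constructed, not live.

```python
import base64
import hashlib
import hmac
import struct
import time

# What a website hands to the auth app during enrolment: a base32-encoded
# shared secret. This particular value is the RFC 4226 / RFC 6238 test key
# (the ASCII bytes "12345678901234567890"), used here so results are checkable.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds each code is valid for (the usual default)
DIGITS = 6       # length of the displayed code (the usual default)


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 text from the QR code into raw key bytes.
    Auth apps are lenient about case, spaces and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    then 'dynamic truncation' to a short decimal code."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)     # keep leading zeros


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based variant (RFC 6238): the counter is simply 'which 30-second
    slot of Unix time are we in', which is why the code rotates."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = TIME_STEP) -> int:
    """How long the code shown at time `at` stays valid (what the app's ring shows)."""
    return step - (at % step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check. Allows `window` steps of clock drift either side,
    so a code typed just as it rotates is still accepted. Comparison is
    constant-time; codes must never be compared with plain '=='."""
    counter = at // TIME_STEP
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate < 0:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    # Constructed timestamps from the RFC 6238 test table (Unix seconds).
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(f"t={t:>11}  code={totp(key, t)}  valid for {seconds_remaining(t)}s")
    now = int(time.time())
    print("code right now:", totp(key, now), "(this is the RFC test key, not a real account)")
    print("server accepts it:", verify_totp(key, totp(key, now), now))
```

Two things worth noticing: the website never needs to send the code anywhere, since it recomputes it from its own copy of the secret, and the code is the last six digits of a number derived from a hash, which is why a leaked code tells an attacker nothing about the secret and expires when the 30-second slot ends.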

So this is the most secure of the three methods, and I recommend turning it on for all your online accounts where the option is available! When you enable it, also save any backup or recovery codes the website gives you somewhere safe, so that losing your phone doesn’t mean losing the account.

The end

There are more methods beyond these three that you can use, of course. However, they are mostly aimed at highly technical users and power users, and I want to keep this all as simple as possible, for the least amount of effort required on your part. I hope that this article has been useful to you!


This is our first guest article on the PNLY Blog!

We'd like to thank Pope for their contribution. They're a seasoned Trust & Safety professional and we're very grateful to them for breaking down this complicated topic. If you're interested in using 2FA to help keep your Discord server secure from compromised accounts, check out our recent Discord app release.

If you'd like to write for the PNLY Blog, please feel free to reach out to [email protected]!