2FA is a real thing. Passwords are frangible walls keeping unauthorized hackers far away from your accounts. Preserving our digital wallet containing hard-earned dollars is our keen concern in the 21st century. In response to these protective measures, 2FA is the most famous yet effective defense available.
What is 2FA?
Two-factor authorization is often shortened as 2FA and it is basically a security login that is required as a second “separate” factor beyond the password (as a second piece of information). So this independent piece of information is a code (which expires in a few minutes) and it is delivered by a device which is under your control – say, your mobile phone. This doesn’t mean it is an SMS generated code, it could be biometric, such as fingerprints.
Please note that you might have heard about interchangeable terms such as multi-factor authentication or two-step verification, but in this guide we will focus only on 2FA.
Why should you use 2FA?
In the modern world of cyber attacks, where the password breaches are more frequent on a larger base – and it continually takes place – your precious information is sold for minimal bucks and swapped in the dark web market (or hacker forums).
The motives of hackers could ideally be:
- These attackers break into the source for entertainment or harassment;
- Some for $$’s or payday (especially during virtual working environment – it is typically not a personal but financial attack);
- In one of the rare circumstances, the targeted individual must be in the crosshairs.
Did you know?
Email accounts are most worthy, why? This is because your emails are the second source for your (potential) accounts recovery. Here’s how the mechanics work when your account is likely to fall for hijacking:
- Your passwords are predictable, so most of the time intruders guess are successful;
- These large-scale password breaches make things easier for trespassers. These attackers will use the script (that is available on dark web) to try to login. These hacked credentials are useful because they can be perused on multiple accounts.
- Attackers are impersonators and crafty – they create fakes pages to trick aka phishing experiments. This indulges you and at some point they ask you to share your credentials. Let me explain in detail – grab a cup of tea/coffee/water. Bookmark it in the meantime. So the hackers will send you an email that could be in your spam/junk folder. This will come from a trusted source (for instance, Twitter). This will direct you to a credible website, but unfortunately “all that glitter is not gold” this website is under hacker’s control. This means you have to look closely at the sender field, or the login page URL. This is what we call phishing.
- One of its forms is targeted phishing or spear phishing. It is important to understand that hackers always do their homework, especially when they have targeted someone. Your secured information is gathered from public records or your holy grail social media. This helps them create a brilliant pretext for the spear phishing email. Modern hackers are born impersonators (perhaps?), while they impersonate someone in order to direct you to a forged page (login).
These regular phish-y emails disrupt the email services, where enabling of 2FA is deemed to be useful (especially for emails). Make sure to check if your favorite service works in liaison with Twofactorauth.org, where you can follow the handy instructions to Turn On 2FA.
A pretty handy option (both for user and hackers): SMS based 2FA
This is one of the painless ways to access your device, but it is as trustable as your network. This option is useless when you travel around the globe or where there are network issues. When you login to your account, you receive a “ping” on your device, containing a treasure i.e. a confirmation code which could expire if it remains unused. You need to enter the code when you’re prompted while logging in.
Illustration – One of the hackers convinced Verizon to redirect phone messages to a newer sim card on a remote device, this person is none other than Deray McKesson, BLM activist. The interception was made easy by enabling SMS based 2FA.
Did you notice that the password guess work was much of a pain as compared to SMS-based 2FA? Instead of hackers, looking for your physical device, they are looking for remote attacks of stealing your number instead, how? Tricking people is easy. Just in case, if you are wondering how the sim swap works, here is a guide for you: https://www.efani.com/blog/everything-about-sim-swap/
In order to turn on 2FA for Gmail, you have to click on the top right corner (account icon) which will give you an option to open my account, then you can click on sign-in & security, while signing into your Google you can click on two-step verification to get things started.
Punch in your seven digits’ number once your device has been registered. You have the option not to use your number, as you can remove it subsequently. For confirmation you will enter the code sent on your device. Now you can use SMS based 2FA.
Why SMS based 2FA is not too successful?
Unsurprisingly, the most popular method is the least secure. Wait a minute – what? Trust me, the juicy details won’t end here. SMS based 2FA has too many insecure vulnerabilities deprecating the SMS 2FA use.
If you lose your device and your precious SMS-based 2FA is within it, this means you lost it all, especially when you do not have 2FA recovery codes, correct?
Indeed, therein lays the rub.
People can obtain these valuable short-lived codes in numerous ways (as listed in the next segment). Sim cloning makes it easier for hackers to obtain not your smart phone but your valuable connections, money (subverting SMS 2FA on crypto accounts) and even worse – blackmailing. SS7 phony protocol intercepts make things easier for the hacker who can get rid of all in a few seconds and hack YOU.
What is the better option?
Privacy is precious and costless. There are many options such as Authy, Duo Mobile, Google Authenticator, etc. that works well with the temporary code generation. This is where multifactor authentication helps, where multiple authentication could be attached to web services. They work well without the network as well. These solutions cannot be easily intercepted either, unlike SMS based solutions.
In order to activate the authenticator app, you need to download it (per your choice). You have an option to select from Authy to Google authenticator or Duo Mobile. You can scroll down to the authenticator app, where you can click set-up on the 2-step verification page. If you want to register a new service, you will need to scan a barcode that displays on your screen.
This doesn’t mean that multifactor authentication is an absolute answer but these could be entered into phony websites with the premise to steal your login details. We need to think ahead.
These are efficient USB based (physical options to attack with your device) used for account authentication. The most successful and popular (yet cheaper) one’s are Yubikey giving you a sense of security for 20 bucks only. In order to set Yubikey as an option, you first need to purchase it and scroll down to security keys where you can see an option to add a security key. You can rename your newly registered device and physically insert it to Yubikey to tap it when prompted.
NOTE – it is a little expensive to afford Type-C Yubikeys which are used for the Macbooks 2016 and beyond. For USB 2.0 and 3.o port holders, you have the option to use security keys with a Type-C USB adapter.
This is easy when you just have to attach your device or insert security key to the trusted device instead of typing regular codes. Their resistance to phishing attacks make them popular amongst all. Okay, so the problem is you will want to use Yubikeys for everything, but they cannot be used everywhere. These are used to login into Dropbox, Facebook, Google and major other browsers.
Bonus option – Backup codes
If, on a bad day, you lose your authenticator app or security key you have the option to use backup codes. You need to scroll down to backup (numeric) codes and click on set up. Keep these valuable codes.
You can also use a password generator for your accounts, as a second you can secure your deviceas well.
Tip – EFANI
Since everything roams around sim swapping, every second, 3 Americans like you become a victim of cyber-criminals from across the world. Criminals are trading your personal information such as where you live, who you live or work with, your call and SMS records, and your family and relatives’ information. All of this is sold for as little as 20 cents. Criminals use your personal information to steal your number & get into your accounts to drain your finances, disrupt your business and destroy your reputation. We guarantee you protection against these criminals & back it with a $5M Insurance Policy. Our proprietary technology provides 11 layers of client-side integrity, privacy and authentication.Source