Passwords are just one part of your security; alone they are not enough to keep your online accounts safe. Using multi-factor authentication adds extra steps to your login process. Every extra step is another layer of security and another chance to confirm your identity, helping ensure that you are who you say you are and reducing the risk of someone else gaining access to your account.
Nick Gregory, our Head of Hardware and a data security expert, recommends the “online security trinity” for the best security currently possible.
This is a combination of something you…
- know (a token, password or passphrase)
- have (a key fob, bracelet or mobile phone)
- are (your fingerprint, iris, or voice)
Using all three is called multi-factor authentication. While ideal, it isn’t always easy to do. With passwords still dominant and mobile phones something we all have, the compromise we tend to make is on biometrics. Ditching “something you are” to have just two-factor authentication is a far more realistic way of securing your accounts.
Two-factor authentication (2FA) adds an extra layer of security, making sure that someone trying to gain access to an online account is who they say they are. It eliminates the problem that humans are predictable when choosing passwords and have bad memories, so tend to write things down. 2FA strengthens the proof of your identity without relying on your memory or the name of your first pet.
Usually combining your password or passphrase with a time-sensitive code generated by something you have (e.g. an app on your phone), two-factor authentication is recommended for all your accounts. “Not all online services offer it, but where possible it is something you should do,” says Nick.
Google Authenticator is the most common way of setting up 2FA, but Nick recommends these two alternatives:
Authy works on any platform that offers use of Google Authenticator. Simply follow the same process as you would for Google, scanning the QR code to get started. Authy’s a safer bet than Google because it works on multiple devices and offers encrypted cloud backups. This is vital if your phone is lost or stolen.
A tiny gadget that’s sturdy and small enough to live on your keyring, the YubiKey is a physical version of Authy. Costing just £17.50 on Amazon, it’s a simple way to add two-factor authentication to your accounts. To log in, enter the username and password for your account, then slot your YubiKey into the USB port on your computer and touch the button. For something mobile compatible you can get slightly pricier YubiKeys with built-in NFC or that fit into your phone’s charging port.
If given a choice during setup, Nick suggests you select to run your two-factor authentication using TOTP (that’s “Time-based One-time Passwords” to you and me) rather than SMS. It’s simply more secure.
Having a backup
If you use one of these services it’s important you keep your backup codes somewhere safe, just in case you get locked out.
A great place to do this is in your password manager, something we recommend as a simple way to manage all your passwords. For example, LastPass has a Secure Notes section just for this sort of thing.
Password managers and two-factor authentication services require you to put a high level of trust in them. But to enjoy the benefit of keeping your online data safe and secure, you have to trust someone!
Most password managers generate secure passwords for you but you’ll inevitably end up having to create a few yourself – to log in to the password manager, for example. If you’d like some advice on creating secure and memorable passwords, read our blog “How secure are your passwords?”.