It should be no surprise that as a privacy protection company, we take password security pretty seriously. In fact, we recently wrote a helpful guide chock-full of tips for creating the best passwords possible.
Unfortunately, data breaches continue to make waves, and per a recent Verizon study, mobile users are more susceptible to phishing attacks than ever. This means that even if you practice perfect password hygiene, your credentials could wind up in the wrong hands. Security pros recommend an extra layer of defense to help your accounts — and your identity — stay protected.
It’s called two-factor authentication, and it’s a critical element to your security.
What is two-factor authentication?
Two-factor authentication, or 2FA, is a security protocol that involves logging in with both a password and a second verification method to confirm your identity. The second factor usually involves something in your possession, like a smartphone or physical security key.
When 2FA is enabled, you’ll enter your password as usual. Then you’ll be prompted for something else. There are many types of two-factor. Some systems require you to enter a unique code sent to your smartphone. Other methods involve tapping a piece of hardware, such as the YubiKey, against your device; pressing a button on a verification app; or using biometrics — like your fingerprint or a retina scan — to prove you are who you say you are.
Since 2FA involves an extra step, it can slow down the log-in process. However, it’s often a worthwhile tradeoff for the peace of mind two-factor authentication offers.
Say you have 2FA enabled and a cybercriminal gets ahold of your password. Unless the thief also hijacks your smartphone or somehow nabs your security key, your account will probably stay protected.
You’ll often be pinged about any log-in attempts, which puts you one step ahead of a would-be hacker or cybercriminal.
How do I start using 2FA?
There are many ways to activate two-factor authentication. One approach is to individually enable 2FA on all your favorite apps and web-based services. Most of the big service providers — including Google, Facebook, Instagram, and most banks — offer this capability. The instructions for how to do this can usually be found under the ‘Settings’ tab on each individual site.
Since text messages can be intercepted, an authentication app, such as Google Authenticator, is generally considered to be a more secure bet. These apps work by generating one-time security codes for you, with or without an Internet connection. Users enter their password and then press a button in the app or enter an app-generated code to authenticate.
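Authenticator apps such as Google Authenticator implement the time-based one-time password algorithm (TOTP, RFC 6238): the app and the service share a secret once at enrollment, and each side derives the current code from that secret and the clock, which is why no Internet connection is needed. The sketch below is an added example, not code from this article or from any provider; the function names, the 30-second step, the one-step tolerance window and the sample secret (the RFC's published test key) are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code, the common default


def totp(secret_b32, at=None, digits=6):
    """Code the authenticator app shows for the time step containing `at`."""
    key = base64.b32decode(secret_b32.upper())
    now = time.time() if at is None else at
    counter = int(now) // STEP
    # HMAC-SHA1 over the 8-byte big-endian step counter (HOTP, RFC 4226).
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte picks a 4-byte slice.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, window=1, last_used=None):
    """Service-side check. Returns the matched step counter, or None.

    window    -- steps of clock drift tolerated on either side
    last_used -- highest counter already accepted for this account; codes
                 at or below it are refused so a captured code cannot be
                 replayed inside its validity window
    """
    now = int(time.time() if at is None else at)
    current = now // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        expected = totp(secret_b32, at=counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET_B32))
```

A service would store the returned counter as `last_used` for the account after each successful login.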
For two-factor that’s not linked to your phone or computer, consider security keys. To start, users must purchase a physical key, such as YubiKey or Google’s Titan Security Key. The keys look like flash drives, and they employ a variety of technologies.
There are various ways to authenticate with a security key. Users may insert the key into a USB port or simply tap the key against their device. Before you buy any hardware, it’s a good idea to look into the services that work with the key to make sure your most-visited sites and apps are covered.
How secure is two-factor authentication?
While 2FA offers another layer of protection, it’s not totally foolproof. Biometrics can be breached. Attackers can hijack your smartphone to swipe codes sent via SMS or phone call. And sophisticated phishing attacks can trick people into sharing 2FA credentials with thieves.
Perhaps security keys are the best bet: Google says it hasn’t had a single account breached since it started requiring its 85,000 employees to use security keys to log on.
Is two-factor authentication enough?
While 2FA offers an additional level of security, it still doesn’t solve every problem of our digital era. That’s why we designed our identity protection service to safeguard employees from many of the threats posed by hackers, identity thieves, and cybercriminals.
If you’re an Allstate Identity Protection member, you can rest assured that our Identity Specialists are available 24/7 should your identity become compromised. You can think of us as your third layer of protection — and the more layers, the better.