In an ideal world, no one would need two-factor authentication. A good, strong password would be enough to keep hackers at bay.
But this life is imperfect, and humans are fallible creatures. We reuse passwords, or rely on ones that are easily guessed or cracked. We share passwords. We accidentally fall for phishing scams during moments of stress and fatigue.
Even when you have a password manager full of entries with long, strong, and unique passwords, other people’s mistakes can trip you up. As the LastPass debacle keeps proving, you can do everything right and still be made painfully vulnerable to security threats.
You need a second line of defense, and that’s two-factor authentication (2FA). It erects another barrier for malicious actors to have to overcome before they can gain unrestricted access to an account.
If you’re not already familiar with 2FA, it’s a form of multi-factor authentication. You use two different ways to verify identity. Passwords serve as “something you know,” and then you pick a second method that qualifies as “something you have” or “something inherent to you”:
- Hardware tokens: You plug a dongle like a Yubikey into your PC and press a button on the device when prompted. (NFC-enabled dongles let you authenticate via a tap against your phone or NFC reader.) These are an extremely strong form of 2FA, since they require you to physically possess the token.
- Software tokens: You input a numeric code generated by an app (e.g., Authy, Aegis, or Microsoft Authenticator) as your second authentication factor.
- Push notifications: A prompt is sent to your phone or other authorized device, asking you to confirm that the login attempt is valid.
- Text (SMS) messages: Similar to software tokens, a numeric code is texted to you for input into the login form.
- Biometric data: You use facial recognition, a fingerprint, or other physical feature as a method of verification.
Jared Newman / Foundry
You’ve likely already used some of these methods on your phone before, and may be familiar with them. For everything else, you can read our primer on setting up 2FA on your accounts. The important part here is applying this second layer of protection to all your accounts.
Yes, I know that no 2FA method is bulletproof (though hardware keys are the closest we’ll get). You can accidentally lock yourself out of an account with software tokens; click “Yes” when you mean “No” for push notifications; see your cell phone account hijacked because someone wants your 2FA codes that badly; or discover someone unlocked your phone with your finger while you were sleeping. You should still use something, though, because having two locks on your door (so to speak) slows down someone from getting into your stuff.
Our Top Password Manager PIck
As we all learned recently, a password manager isn’t impenetrable. Should it be? Yes. Can you pick one that has a reputation of keeping things locked up tight? Absolutely (and our recommendations for the best password managers has an eye to that). But inevitably, someone always has a bad day, whether that’s you or someone else, and a second line of defense can save you a lot of headache whenever that happens next.