When it comes to information security, many people think it is a difficult field that only concerns engineers and they don't want to get involved at all.
But in fact, information security exists in our daily life and is closely related to everyone.
Insecure passwords or login settings can lead to your account being stolen or to financial loss at any time. Your account may even be used by others to spread fraudulent information or engage in illegal activities. Not only does this put you at risk, but you may also unknowingly break the law, and the losses can be large or small.
Set up two-factor authentication (2FA): Make it harder for hackers to attack
In addition to your password, there’s one more thing you can do to significantly increase the security of your account: set up two-factor authentication (2FA).
This is an extra way of "verifying that you really are you", and it can keep an attacker out even if your password is accidentally leaked.
What is Two-Factor Authentication (2FA)?
Two-Factor Authentication is a form of identity verification. Simply put, when logging into an account, in addition to entering the password (which you know), you also need to verify it in another way, such as:
- A one-time verification code sent to your mobile phone (something you have)
- A physical security key that you insert (something you have)
- Fingerprint or facial recognition (something you are)
Requiring two different types of factor (for example, a password plus a one-time verification code or a fingerprint) effectively defeats most attacks on accounts.
There are three types of "factors" used for verification:
- Something you know
  For example: password, PIN
- Something you have
  For example: physical security key, one-time verification code (OTP, TOTP)
- Something you are
  For example: biometrics
Whether a service requires factors of "different types" (rather than two factors of the same type) affects the level of security it actually provides.
Think of your account as the front door of your house. Your password is the key, and once a hacker guesses it, they can walk into your house with impunity.
But if your front door also requires an access card or a fingerprint to open, then even if someone steals the key, they can't easily break in. This is the concept of "two-factor authentication": two different locks, protecting you together.
We recommend that you choose "password + physical device" or "password + biometrics", which are more secure and less vulnerable to attacks.
If you want to keep it simple, that's OK
In fact, enabling two-factor authentication is not difficult. Go to the security settings of your account, enable the relevant function and follow the instructions step by step. Many websites now provide tutorials as well, so it can be set up in a few minutes, making it immediately harder for an attacker to get in.
If you’ve ever heard the term “MFA (multi-factor authentication)”, it’s actually an extended version of 2FA.
In fact, 2FA is a type of MFA: an extended explanation
The "two-factor authentication (2FA)" we mentioned earlier is actually the most common form of "multi-factor authentication (MFA)".
The concept of MFA is very simple: as long as two or more different types of verification method are used together, for example "password (something you know)" + "mobile phone text message verification code (something you have)" + "fingerprint (something you are)", it is MFA.
Although the names are different, the actual operation is not more complicated. One more factor means one more line of defense, making it more difficult for hackers to succeed. For those who need to protect important accounts, internal corporate data or key services, MFA is a higher level of security.
Additional Notes
If you want to know more: what is the difference between "two-step verification", "two-factor authentication", "2FA" and "MFA"? The core difference lies in whether different types of verification method are used and in the number of verification steps. For most people it is enough to remember: if you want to improve security, combining two different types of verification is the right thing to do.
Common factor authentication methods
1. SMS or email verification code (OTP)
- The code may not arrive, and the security is relatively low
- Depends on the stability of the sending service (SMS or email delivery)
- Your account may be locked if the code never arrives and you exceed the limit on OTP resend attempts
- The verification message may be blocked before it reaches you
2. Verification code app (TOTP)
- Install and use a verification code app (e.g. Google Authenticator, Authy)
- How it works
  - Install a verification code app on your device (phone, tablet or computer) and use it to link the account you created on the website to that device
  - When you later log in to the website, enter your account and password as usual; at the next step the website asks you for a verification code
  - Open the verification code app and enter the code it displays
  - You are logged in
  * The verification code changes over time *
- This method is safer and more stable than SMS or email OTP
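To show why the app's code "changes over time" without any network connection, here is an added example (not code from the original article) implementing the standard TOTP algorithm (RFC 6238: HMAC-SHA1 over a counter that advances every 30 seconds) together with the server-side check. The function names, the drift window and the replay check via `last_counter` are this example's own choices; the constant `RFC_TEST_SECRET` is the published RFC test seed, used only for verification.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 6238 reference seed ("12345678901234567890" in ASCII), base32-encoded.
# Used here only as a test vector; real secrets come from new_secret() below.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def new_secret(nbytes: int = 20) -> str:
    """Fresh shared secret, base32-encoded as authenticator apps expect it in the enrolment QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def _decode_secret(secret_b32: str) -> bytes:
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)  # b32decode insists on '=' padding
    return base64.b32decode(padded)

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the Unix epoch.
    This is all the app computes, so it needs no network: only the secret and the clock."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now) // step, digits)

def verify_totp(secret_b32: str, code: str, at_time: Optional[float] = None,
                step: int = 30, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the matching counter (persist it as last_counter for this
    user) or None. `window` tolerates +/- that many steps of clock drift; a counter at or
    below last_counter is rejected so a code that was already used cannot be replayed."""
    now = time.time() if at_time is None else at_time
    base = int(now) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        # compare_digest keeps the comparison constant-time
        if counter > last_counter and hmac.compare_digest(hotp(secret_b32, counter), code):
            return counter
    return None

if __name__ == "__main__":
    secret = new_secret()
    print("enrol this secret in the app:", secret)
    print("code valid right now:", totp(secret))
```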
3. Physical Security Key
- Hardware devices (e.g. YubiKey, OnlyKey)
▹ Connect via USB or NFC
▹ Must be carried with you
▹ Better USB compatibility and stability
▹ NFC wireless connection is more convenient, but it may be affected by the phone case and device support, resulting in connection problems
▹ Currently considered the most secure login authentication method
▹ Organizations that must prevent disclosure of confidential information, such as government agencies and hospitals, require employees to use them
▹ Highly versatile and can be used in a variety of different login scenarios (for example: password-free login, two-step verification, SSH remote login to a computer or server)
4. Device-built security key (Platform Authenticator)
- Usually bound to mobile phones, tablets, and computers
- Login is usually done with biometrics or PIN verification
- The keys are usually managed by the operating system and stored in the device's secure element.
- If cloud synchronization is enabled, the risk depends on the provider's policies and the regulations it is subject to
▹ If you do not enable cloud synchronization you avoid those concerns, but if you lose your device you lose the key: it cannot be used across devices, restored or backed up
▹ American companies such as Apple and Google must comply with the legitimate investigative requests of the US government (e.g., subpoenas or court orders issued in accordance with legal procedures). Therefore, under certain circumstances, the US government has the opportunity to obtain cloud-synchronized data.
Other verification methods
- Push notifications
  1. Approve the login request on a trusted device (e.g. a mobile app)
  2. Convenient, but risky if that device itself is compromised
- Magic link
  1. The user receives an email containing a one-time login link
  2. No password needs to be entered, but it relies on the security of the email account and has a short validity period
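The two properties that make a magic link acceptable, "one-time" and "short validity period", are easy to get wrong on the server side. This added example (not code from the original article) shows a minimal issuer and redeemer; the class name, the 15-minute lifetime, the `example.invalid` login URL and the in-memory store are all this example's own assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60                    # assumed validity: 15 minutes
LOGIN_URL = "https://example.invalid/login"   # hypothetical login endpoint

class MagicLinkStore:
    """Pending links are keyed by sha256(token): a leaked copy of this store cannot be
    turned into a usable link, and pop() in redeem() makes every token single-use."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}   # digest -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a link for `email`; the caller sends it to that address by mail."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)     # 256 bits of randomness, not guessable
        self._pending[self._digest(token)] = (email, now + LINK_TTL_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, link: str, now: Optional[float] = None) -> Optional[str]:
        """Return the email to log in, or None if the link is unknown, already used or expired."""
        now = time.time() if now is None else now
        token = parse_qs(urlparse(link).query).get("token", [""])[0]
        # Consume the entry whether or not it is still valid: a second click never works.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if now <= expires_at else None
```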
Finally
When you enable 2FA or MFA, it is not just an extra procedure, but an extra layer of defense to protect your account. This layer of defense can effectively reduce the risk of account theft, making it difficult for hackers to log in successfully even if they know your password.
With the widespread use of the Internet, information security has become a topic that everyone should pay attention to. We will continue to share more information security-related content to help everyone establish correct concepts, reduce potential risks, avoid unnecessary troubles, and create a safer and more secure digital life!
Summary of best practices
- Enable 2FA/MFA on all services where possible for an added layer of security
- Prefer TOTP or physical security keys over SMS or email
- Regularly review and update 2FA/MFA settings (e.g. remove old devices)
- Safely store backup authentication methods (e.g. recovery codes)