What is Two-Factor Authorization (2FA)
2FA is a real thing. Passwords are frangible walls keeping unauthorized hackers far away from your accounts. Preserving our digital wallets containing hard-earned dollars is our keen concern in the 21st century. In response to these protective measures, 2FA is the most famous yet influential defence available.
What is 2FA?
Two-factor authorization is often shortened as 2FA, and it is a secure login that is required as a second "separate" factor beyond the password (as the second piece of information). So this independent piece of information is a code (which expires in a few minutes), and it is delivered by a device under your control – your mobile phone. This doesn't mean it is an SMS-generated code. It could be biometric, such as fingerprints.
Please note that you might have heard about interchangeable terms such as multifactor authentication or two-step verification, but in this guide, we will focus only on 2FA.
Why should you use 2FA?
In the modern world of cyber attacks, where password breaches are more frequent on a more extensive base – and it continually takes place – your precious information is sold for minimal bucks and swapped in the dark web market (or hacker forums).
The motives of hackers could ideally be:
- These attackers break into the source for entertainment or harassment;
- Some for $'s or payday (especially during virtual working environment – it is typically not a personal but financial attack);
- In one of the rare circumstances, the targeted individual must be in the crosshairs.
Did you know?
Email accounts are most worthy. Why? This is because your emails are the second source for recovery of your (potential) accounts. Here's how the mechanics work when your account is likely to fall for a hijacking:
- Your passwords are predictable, so most of the time, intruders' guesses are successful;
- These large-scale password breaches make things easier for trespassers. These attackers will use the script (that is available on the dark web) to try to log in. These hacked credentials are helpful because they can be perused on multiple accounts.
- Attackers are impersonators and crafty – they create fake pages to trick phishing experiments. This indulges you, and they ask you to share your credentials at some point. Let me explain in detail – grab a cup of tea/coffee/water. Bookmark it in the meantime. So the hackers will send you an email that could be in your spam/junk folder. This will come from a trusted source (for instance, Twitter). This will direct you to a credible website, but unfortunately, "all that glitter is not gold" this website is under hackers' control. This means you have to look closely at the sender field or the login page URL. This is what we call phishing.
- One of its forms is targeted phishing or spear phishing. It is essential to understand that hackers always do their homework, mainly when they have targeted someone. Your secured information is gathered from public records or your holy grail on social media. This helps them create a brilliant pretext for the spear phishing email. Modern hackers are born impersonators (perhaps?), while they impersonate someone to direct you to a forged page (login).
These regular phish-y emails disrupt the email services, where enabling 2FA is deemed valid (especially for emails). Check if your favorite service works in liaison with Twofactorauth.org, where you can follow the handy instructions to Turn On 2FA.
A pretty handy option (both for users and hackers): SMS-based 2FA
This is one of the painless ways to access your device, but it is as trustable as your network. This option is useless when you travel around the globe or where there are network issues. When you log in to your account, you receive a "ping" on your device containing a treasure, i.e. a confirmation code that could expire if it remains unused. You need to enter the code when you're prompted while logging in.
Illustration – One of the hackers convinced Verizon to redirect phone messages to a newer sim card on a remote device. This person is Deray McKesson, a BLM (Black Lives Matter) activist. The interception was made easy by enabling SMS-based 2FA.
Did you notice that the password guesswork is as much of a pain as compared SMS-based 2FA? Instead of hackers looking for your physical device, they are looking for remote attacks of stealing your number. How? Tricking people is easy.
Also, Read How The SIM Swap Works
To turn on 2FA for Gmail, you must click on the top right corner (account icon), which will give you an option to open your account. Then, you can click on sign-in & security. While signing into your Google, you can click on two-step verification to start things.
Punch in your seven digits number once your device has been registered. You have the option not to use your number, as you can remove it subsequently. For confirmation, you will enter the code sent on your device. Now you can use SMS-based 2FA.
Why is SMS-based 2FA not too successful?
Unsurprisingly, the most popular method is the least secure. Wait a minute – what? Trust me, the juicy details won't end here. SMS-based 2FA has too many insecure vulnerabilities deprecating the SMS 2FA use.
If you lose your device and your precious SMS-based 2FA is within it, this means you lost it all, especially when you do not have 2FA recovery codes, correct?
Indeed, therein lays the rub.
People can obtain these valuable short-lived codes in numerous ways (as listed in the next segment). Sim cloning makes it easier for hackers to obtain not your smartphone but your valuable connections, money (subverting SMS 2FA on crypto accounts) and even worse – blackmailing. SS7 phony protocol intercepts make things easier for the hacker who can get rid of all in a few seconds and hack YOU.
What is the better option?
Privacy is precious. Many options, such as Authy, Google Authenticator, etc., work well with the temporary code generation. This is where multifactor authentication helps, where multiple authentications could be attached to web services. They work well without the network as well. These solutions cannot be easily intercepted either, unlike SMS-based solutions.
To activate the authenticator app, you need to download it (per your choice). You have an option to select from Authy to Google authenticator or Duo Mobile. You can scroll down to the authenticator app, where you can click set-up on the 2-step verification page. If you want to register a new service, you will need to scan a barcode that displays on your screen.
This doesn't mean that multifactor authentication is an absolute answer, but these could be entered into fake websites with the premise of stealing your login details. We need to think ahead.
These are efficient USB-based (physical options to attack your device) used for account authentication. The most successful and famous (yet cheaper) ones are Yubikey giving you a sense of security for 20 bucks only. To set Yubikey as an option, you first need to purchase it and scroll down to security keys, where you can see an option to add a security key. You can rename your newly registered device and physically insert it to Yubikey to tap it when prompted.
NOTE – it is a little expensive to afford Type-C Yubikeys, which are used for the Macbooks 2016 and beyond. For USB 2.0 and 3.0 port holders, you can use security keys with a Type-C USB adapter.
This is easy when you just have to attach your device or insert a security key to the trusted device instead of typing regular codes. Their resistance to phishing attacks makes them popular amongst all. Okay, so the problem is you want to use Yubikeys for everything, but they cannot be used everywhere. These are used to login into Dropbox, Facebook, Google, and other browsers.
Bonus option – Backup codes
If on a bad day, you lose your authenticator app or security key, you have the option to use backup codes. You must scroll down to backup (numeric) codes and click on set up. Keep these valuable codes.
You can also use a password manager for your accounts. As a second, you can secure your device as well.
Tip – EFANI
Since everything roams around sim swapping, 3 Americans like you become a victim of cyber-criminals from across the world every second. Criminals are trading your personal information, such as where you live, who you live or work with, your call and SMS records, and your family and relatives information. All of this is sold for as little as 20 cents. Criminals use your personal information to steal your number & get into your accounts to drain your finances, disrupt your business and destroy your reputation. We guarantee you protection against these criminals & back it with a $5M Insurance Policy. Our proprietary technology provides 11 layers of client-side integrity, privacy, and authentication.
Want Guaranteed Protection Against SIM Swap? Reach Out to Us.