Several online services, including Digid, Google and Twitter offer 2FA or two-step verification as an extra layer of security on top of your password. If you enable this feature, a second authentication method will be requested in addition to your password.
One-time code
This second method (factor) is usually a one-time code generated by an authentication app such as Authy, or by a hardware “two factor authentication” key that looks like a small USB flash drive.
Why do I need to use 2FA?
A password has always been a common form of authentication. But passwords can fall into the wrong hands. Here are some facts about passwords:
-90% of passwords can be cracked in less than six hours.
-35% of the Dutch use the same password for multiple accounts .
Password vulnerability is the main reason for using 2FA.
By enabling 2FA, you make it a lot harder for someone to steal your data. After all, with 2FA enabled, this person has no use for just your password. Just like no one has any use for just your bank card.
You can know everything about me
When you go to PIN, you need two things to identify yourself.
1. A debit card
2. A PIN
This is a form of 2FA. It is a way to identify yourself with something you know such as a password or PIN and something you own such as a pass or hardware token.
There are three generally recognized components for verification:
- Something you know (your password, security PIN etc)
- Something you own (smartphone, SIM card, USB security key)
- Something physically unique to you (fingerprint, iris)
Two-Factor Authentication requires a combination of two of the above components, and only then do you speak of two-factor authentication.
SMS is not included here. (More on this later).
Are there any drawbacks to 2FA?
There is a risk of being blocked from your account if you lose your phone, for example, because then you won’t be able to access your authentication app yourself.
For this reason, many 2FA services offer a short list of one-time “backup” or “recovery” codes. Each code can only be used once to log into your account and is not usable after that. If you find yourself worried about losing access to your phone or other authentication device, print out these codes and keep them in a safe place.
Note that should someone get hold of your password as well as the list of codes, he or she can still access your account. So keep these things well separated. By the way, you always have the option of generating a new list of backup codes, and with that the other backup codes will expire.
Sim-swapping
SMS is not really considered 2FA because both your password and the code fall into the same category something you know. SMS authentication is considered less secure as an authentication method.
In sim-swapping, a hacker calls the victim’s telecom provider
up and convinces the employee to transfer the 06 number to
A SIM card in his possession.
Telecom providers ask a number of security questions to verify
Whether the person calling is actually the customer. It is then about your
name, home address, date of birth and sometimes the last four digits of your
account number.
Hackers collect that kind of information online,
for example, by nosing into data breaches where this kind of information can be
find. These days, data breaches are on the rise.
If you worry yourself about that then you can turn off SMS authentication and use an authentication app such as Authy or Authenticator (iOS). Unfortunately, this option is not available with every 2FA service. DigiD, for example, does offer this option.
In addition, with SMS authentication you also give away your phone number
to companies such as Twitter, Google and Facebook. That makes SMS in terms of
privacy a less appropriate method.
Source: RTL News
ALWAYS use strong passwords (or passphrases)
You might think that with 2FA enabled, you no longer need a strong password, but that is not the case. When it comes to security and privacy, every weak link is one too many. Make it easy on yourself and use a password manager such as Bitwarden.
Setting up 2FA
More and more services are offering 2FA (double authentication). On Linkedin, for example, you can find it at Settings and Privacy -> Account. You have to install a 2FA app for this. Setting up is pretty easy. Often all you have to do in the app is to photograph a QR code. Just remember to print out your recovery codes and put them in your safe.
Authenticators and privacy
For a comprehensive list of sites that support 2FA, visit https://twofactorauth.org/.