2FA - how it works and why to use it. What is YubiKey?
Most of us carefully guard our valuables. Our homes have steel doors with multiple locks and home security systems have grown in popularity in recent years. We double-check that our cars are locked and keep our jewellery and other pricy possessions in safes. When it comes to digital security, however, we are often way less cautious. We use passwords to secure our online accounts, but hacking them can be very simple. This is especially true if the passwords we choose are short and easy to remember. Longer passwords, which contain a mix of letters, numbers and symbols, are better security-wise, but can easily be forgotten. On top of that, data leaks happen all the time, rendering even the most secure passwords useless. And once your credentials are leaked, there is no way of getting them back - they will be out there forever.
Why should you use two-factor authentication?
Adding a second layer of protection can help keep your finances and personal information much safer in comparison to using just a password for access. Two-factor authentication (or 2FA) does that by having you provide a second piece of evidence, confirming that you are the rightful owner of the account. These pieces of evidence are the ‘factors’ in two-factor authentication.
Email 2FA and SMS 2FA
Two-factor authentication can be implemented in a number of ways. One option uses an authentication code (a one-time password) that you need to enter in order to log in, which is sent to you as an SMS or an email. Therefore, only a person with access to your inbox or physical access to your phone can get into your account. This method is quite popular, as it is easy to use, doesn’t require you to download any additional software and you don’t need to perform any setup. SMS 2FA is generally considered more secure than email 2FA, because an email account is not tied to a single device, and if it has been compromised, an attacker can take over your other accounts by having the 2FA codes sent to that email. This, however, doesn’t mean that SMS 2FA is without its vulnerabilities. If you leave your phone unlocked or if you have lock-screen notifications enabled, anyone around you can view your security code. It is also possible for an attacker to fraudulently obtain a SIM card with your number, an attack known as a SIM swap.
Another approach uses an app on your phone to verify that you are the person logging in to the account. These are called authenticator apps. There are many such applications for you to choose from, both paid and free, two of the most popular being Authy and Google Authenticator. To use an authenticator on your phone, first you will need to enable two-factor authentication in the settings of the account you wish to secure. Afterwards, you will receive a secret key, usually in the form of a QR code, which needs to be saved to the app. In the case of a QR code, the key is added automatically when you scan it with your phone. And that’s it for the setup - it is very easy and straightforward. The next time you log in to the account, in addition to your username and password, you will be asked to provide a verification code, which you can view in your authenticator app. Usually, the code will expire after a short period of time, say, 30 seconds. Most authenticators will allow you to secure the app itself with a PIN code, fingerprint or facial recognition for additional protection.
If you have a VPSBG account, you can now use 2FA to secure it with Authy or Google Authenticator - both apps are free and available for iOS and Android. Head to our documentation to learn how you can enable two-factor authentication and how to set it up. It only takes a couple of minutes to ensure that no one can log in to your account, even if your password is compromised.
Hardware 2FA devices
A third option for two-factor authentication, which is quite different from the previous two, employs a hardware device to ensure that only the person in possession of the device can access the account. It is called a hardware security key and visually it can be almost indistinguishable from an ordinary USB drive. There are different devices available on the market, with YubiKey by Yubico being the most popular.
To authenticate, you just connect the hardware key to your computer or device and push a button on it as opposed to entering a security code. How simple is that? And some hardware keys even have a built-in fingerprint scanner for better security and NFC support for more convenient use with mobile devices.
There are several reasons why you would choose a hardware key over the other popular 2FA methods. The most important, naturally, is the higher level of security. The security codes you get via SMS or an app are typically no longer than 6 digits to make them easy and quick to enter manually. Hardware devices can use much longer keys because you don’t need to type them in, and these keys are almost impossible to guess or forge. Another reason to use a hardware key is the convenience. If you use it on a computer, just plug in the device via a USB-A, USB-C or Lightning port (depending on the particular brand and model) and you’ll never have to look for your phone to complete a sign-in or key in a security code ever again! And if you need to change devices, migrating is as easy as plugging the security key into the new device.
The problems with conventional passwords have long been known. They are prone to brute force attacks, data breaches, leaks, phishing and keylogging. Even the most complex password cannot guarantee that your account is 100% protected, unless you use a second factor to secure it.
Imagine having two locks on your front door and losing the key for only one of them. You’ll probably want to change the lock, but in the meantime you can rest assured that the person who finds the key will not be able to get in and steal your valuables, thanks to the second lock. Using two-factor authentication is very similar to this - if someone happens to guess or hack your password, they won’t be able to get in because they don’t have the second factor. And if you use it, you won’t be panicking that your accounts and everything in them is in danger the next time you hear of a major data leak or breach.