In this day and age if you are not using 2FA, you are not taking security seriously. Most of us use our email address to log in to most of our social media, banking or use it to send our password resets to.
Should attackers get access to your email account then they potentially have access to the rest of your accounts unless there is some sort of Two-Factor Authentication set up.
If 2FA is enabled and someone steals or hacks the password for your account, they still cannot get into the account, because they would also need the second factor, which only you have.
There are three common factors used for authentication (there are more):
- Something you KNOW : a password, PIN or secret question
- Something you HAVE : smartphone, smartcard, security token
- Something you ARE : fingerprint or retina scan
What is 2FA you may ask?
2FA stands for Two-Factor Authentication. So in essence, it takes something you KNOW (username and password) and something you HAVE (smartphone with an authenticator application) as a combination to log in to your account.
When you log in to your email or Facebook, you enter your username and password and it logs you straight in. This is known as Single-Factor Authentication.
2FA adds a second layer of security whereby once you log in with your username and password, you will be required to enter another piece of information, something you HAVE.
2FA can come in many forms. The most common are an authenticator application installed on your smartphone or computer (Google Authenticator, Microsoft Authenticator, Authy, a web-browser plugin), a hardware device (such as a Yubico key), or an OTP (One Time Pin) sent via SMS. The SMS method is known to be insecure, as it can be circumvented in some cases, and should only be used where an authenticator application cannot be used at all.
You can use multiple methods to secure your accounts, which is then called MFA, Multi-Factor Authentication.
One thing to take note of: when you use an authenticator, it is vital to save the recovery codes to your computer or another safe place in case you lose your smartphone. If the authenticator has a backup option, be sure to use it. You don't want to end up in a situation where you have lost your phone and have no way to use your 2FA.
GitHub Example for Two-Factor Authentication
Let's have a look at how this works.
We log in to GitHub with our user firstname.lastname@example.org and our password test123.
We then get prompted to enter our Two-Factor Authentication code that is found in our authenticator application.
And now we will be logged into GitHub.
Setting up Facebook for 2FA
Do note that I am going to use Facebook and Google Authenticator but you could be setting it up for Instagram, GMAIL or Discord and also with another Authenticator Application.
You will have to look in the settings of that specific application and find the 2FA section.
This is to just give you an idea of what to look for and how to set it up for your account.
* Login to your Facebook account, click on the top right and then click "Settings & Privacy" (shown in red)
* Click "Settings"
* Click "Security and Login" on the left hand side.
* On the page you will see "Two-Factor Authentication". Click "Edit" on the right hand side.
* You should see the following in green saying "Recommended" in the Authentication App section.
* Click "Use Authentication App" in the blue box.
* You will be prompted with a QR code which you now have to scan with the Authenticator Application on your smartphone.
* I installed the Google Authenticator App from the Play Store, but yours could be different (Authy, Microsoft Authenticator, etc.).
* Open your Authenticator Application on your smartphone, in my case, Google Authenticator.
* Select "Scan a QR code" and then point it at the QR code as seen above.
* This will now add your Facebook account.
* On your smartphone's screen you will notice a 6 digit number, along with a timer that counts down and resets that number every 30 seconds.
* Back on your Facebook page you can now enter the 6 digits shown in your Authenticator Application.
* So if the number is showing 123-456, enter 123456 as below.
* You will then be prompted with the following. Click "Done".
* You will be prompted to enter your Facebook password to confirm.
* Now you will have 2FA enabled on your Facebook account.
* Log out of Facebook and log back in.
* Enter your 2FA code from your Authenticator Application.
* You will be prompted to Remember Browser.
* If you select Save Browser, every time you log in to Facebook with the same browser on that computer you will not be prompted for 2FA; if you select Don't Save, you will need to enter your 2FA code each time you log in.
* This only applies if you log out of Facebook. Closing the browser window does not log you out of Facebook.
I hope this guide was clear enough to follow and you are aware of the dangers of not having at least some form of 2FA enabled on your online accounts.
Should you require any assistance, please feel free to reach out. My twitter DMs are open.
Be safe, be vigilant.