Fact checked and updated on 3/8/2023 by Suzanne Kantra with new recommendations
Topping the list of the most popular passwords of 2022 are "password," "123456," and "qwerty." These weak passwords are simple for hackers to crack, but even using strong passwords isn't enough. That's because hackers can still steal your password through clever phishing emails and texts, data breaches, and other vulnerabilities.
That's when two-factor authentication (2FA) can save the day. With 2FA enabled, your username and password are insufficient for hackers to access your account. Anyone trying to log in would need to provide an additional means of verifying your identity, like a one-time use PIN delivered via an app, text message, or email, a physical device that generates a passcode, or a biometric device.
Cybersecurity experts agree that enabling two-factor authentication is a crucial part of online hygiene that makes accounts more difficult to hack. In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) now cites the use of single-factor authentication on its list of bad practices.
However, not all two-factor methods are equally secure.
Basic two-factor authentication: code texts and emails
Once the bulwark of tech-savvy cybersecurity, text authentication has been increasingly exposed as vulnerable to scammers. One threat is hackers intercepting calls and text messages containing 2FA codes. The interception can happen at the network level or when your phone number is stolen in a SIM swap, resulting in all text messages routing to the hacker's device.
Phishing attacks are also more likely over text or email, where scammers trick users into handing over their logins through a link, email, or text designed to look like a legitimate service. While users log into the fake site, attackers capture their login and use it for the real site, triggering a genuine 2FA code to be sent to SMS or email – which the user inputs into the spoof site.
Good two-factor authentication: authenticator apps
Rather than receiving a message that can be intercepted, generating codes on a device that's with you largely keeps those codes out of hackers’ reach. That’s where authenticator apps come in.
These apps can be synced with various platforms in your accounts’ settings when you enable 2FA. We like Authy (Android/iOS/Mac/Windows) and Microsoft Authenticator (Android/iOS), both of which are easy to use and set up. And you can back up your account in case you lose your phone.
Whichever you pick, the apps work the same way – by generating six-digit codes that refresh every 30 seconds or so, reducing the likelihood of these codes being scraped and reused. And, authenticator apps generate codes regardless of whether you’re online, which is handy if you’re out of reception.
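How an app can produce these codes offline, and how a service can refuse a code that is stale or already used, shown as an added example that is not from the original article. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1, 30-second steps); the Verifier class, its drift setting, and the sample secret are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays current, as described above
DIGITS = 6   # code length shown by the app
# Constructed sample: the RFC 6238 test key, not a real account secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, truncated to DIGITS digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """App side: needs only the stored secret and the clock, no network."""
    return hotp(secret, int(unix_time) // STEP)


class Verifier:
    """Service side: accept a code once, within +/- drift time steps."""

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.last_counter = -1  # highest time step already accepted

    def check(self, code: str, unix_time: float) -> bool:
        now = int(unix_time) // STEP
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # this step was already used: refuse replays
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    service = Verifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    print(code, service.check(code, 65), service.check(code, 66))
```

The replay check stops a captured code from being reused, but a code entered on a spoof site and relayed within the accepted window still verifies, which is the limitation the next section addresses.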
The only downside comes if you forget your device. Once 2FA is enabled, many accounts require a 2FA code to log in every time, and forgetting your phone means being locked out of these accounts.
Best two-factor authentication: authenticator keys
While authenticator apps are better than codes sent via text message or email, they aren’t totally invulnerable. Phishing attacks, for example, could potentially steal 2FA codes if users are lured to spoof sites to enter a code, and the attacker is able to capture and use the code before it’s refreshed. While an unlikely scenario for the average citizen, activists, politicians, or others whose communications are targeted may need tougher security.
In this case, it’s time to ramp up to an authenticator key, a physical device that plugs into a computer’s USB port, phone's power port, or communicates via NFC with a phone to authenticate logins. Apple just started supporting authenticator keys in iOS 16.3 (find out how to update your old iPhone) and Android phones can be used as authenticator keys when adding your Google account to a device for the first time.
You should always have two authenticator keys. The primary key is for everyday use and the second key is a backup so you won't be locked out of your accounts if you lose your primary key.
One of the most popular is Yubico's YubiKey 5 Series (starting at $50 on Yubico, check YubiKey 5 Series price on Amazon). Once registered, these thumb-size keys instantly work as a second factor for dozens of services. They can also be tapped against NFC-enabled smartphones (which includes all Android phones and iPhone 7 and higher) for authenticating logins on smartphones. YubiKeys need to be tapped before each authentication to verify the user isn't a remote hacker.
An alternative is OnlyKey ($58.99 on OnlyKey.io, check OnlyKey price on Amazon), which comes with a password manager that stores up to 24 accounts in its offline storage. Plug it into a computer during a sign-in, and it automatically fills in the relevant login. This additionally protects passwords from keylogger malware that might be covertly installed on sites.
Whatever method you choose, turn on two-factor authentication
Experts agree that enabling 2FA on your online accounts is essential, whether through SMS, email, app, or a physical key. You may find some services only offer text second-factor authentication, but don’t let the potential for phishing put you off. 2FA doesn't remove any existing hurdles; it puts another one in place.
Whichever method you use, remember 2FA isn't a security silver bullet that can override a weak password or hold off an especially interested hacker. A hacker can still use social engineering to trick you into providing a 2FA code.
The good news, however, is that the crooks still need to entice you to a bogus website first. So don't rush logging in; be extra wary of emails, messages, or pop-ups that lead to external web pages. When entering your login and code online, always check the browser address bar to ensure it’s correct.
Finally, you have another great reason to use that other must-have security feature, a password manager: Not only will it generate and save your hard-to-crack logins, but in case of phishing, your password manager will alert you that the website you’re on isn’t the one you usually use, because it won’t contain a login for the scam site’s URL.
[Image credit: Yubico]
Natasha Stokes has been a technology writer for more than 7 years covering consumer tech issues, digital privacy and cybersecurity. As the features editor at TOP10VPN, she covered online censorship and surveillance that impact the lives of people around the world. Her work has also appeared on BBC Worldwide, CNN, Time and Travel+Leisure.
My mobile hacked
From Julie Casselman on February 06, 2021 :: 8:38 am
I STARTED NOTICING LITTLE THINGS ABOUT A MONTH AHEAD, AND THEY FINALLY SNEAKED IN AND WIPED MY BANK ACCOUNT OF $1200.00. THEY LEFT ME $10.22.
PAY CLOSE ATTENTION TO THE SMALL INSTANCES!!!!