2FA or not 2FA, that is the question

What is 2FA (pronounced too eff ay)? It's short for two-factor authentication.

When you log in to something, you start out with only 1-factor authentication - your username and password (yes, it seems like 2, but it only counts as 1). Long, long ago (in IT that's only about 6 months), 1FA was fairly OK, and it was easy. But at this point, there have been so many data breaches that it's almost certain that thieves have at least one of your logins to social media or a financial institution, and using 2FA in as many places as you can is considered a must-have.

So what can you do?

One thing is to change your password(s) whenever you hear of some breach. It's a tough habit, but something that's needed in this day and age.

But you may ask, "How can I feasibly change every password every. single. time?" Good question. The fact is that it's not feasible. You'd be changing every password almost every month. If you're going to stick with just passwords, then make sure that you at least don't use the same password elsewhere, and make it hard-to-guess (nothing like February2018! or WinterOlympics).

One of the marvels of 2FA is that it adds another layer, or factor, to your login, and that extra factor goes a long way in protecting your login until you can change it sometime down the road. The first factor (username/password) is something that you know. This second factor is something that you have. Depending on how you set it up, the code can come from: something like Google Authenticator (a smartphone app); a text to your phone (works whether you have a smartphone or not); or an email. You enter that code in a field after you've entered your password. It's not 1-setting-to-rule-them-all, though. It's per site or service, so it's one setup for your bank, one setup for each social media site, etc.

"But," you ask, "why do I have to enter both a password AND a code every time I log in to everything?" The good news is that you don't have to enter it every time. The site you're using (whether bank or social media) typically remembers the computer you're logging in from. So the first time you log in after turning on 2FA for that site, you'll have to enter a code once you've received it. And then, for quite some time as you log back in from that device, you don't have to re-enter the code. It might have to be re-entered every 30 days, or after you delete your browsing history, but it's not every time, and it's worth the trouble to keep you safer.

"But how does it keep me safer?"

Here's how it does that: Let's say that you set up 2FA for your bank, and you're logging in from home. You just set it up yesterday, and you're good to go for 30 days. The next day, while you're doing/watching/singing something, you get a text from your bank with a 2FA code (often a 5- or 6-digit number). You know you set it up just the day before, and you didn't delete your history. Why are you getting a text? It's because someone (for whatever reason) has your username and password.

The person who just tried to log in can't log in as you because they don't have your phone to receive the code. You've just been protected from getting hacked. Of course, now you need to log on to your bank account and change your password because someone else knows it, but that's a minimal hassle for knowing that you just kept all of the money you've been saving for that trip, or college, or groceries.
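For readers who want to see the scenario above from the site's side, here is an added sketch (not from the original post) of a login check with a texted code and a remembered device. The `Account` class, the `outbox` list standing in for text messages, and the 30-day window are assumptions for illustration, not any real site's code.

```python
import hashlib, hmac, secrets, time

REMEMBER_SECONDS = 30 * 24 * 3600  # "re-entered every 30 days" (site-specific)

class Account:
    """Hypothetical site-side account; the outbox list stands in for SMS."""

    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.trusted = {}    # remembered-device token -> expiry time
        self.pending = None  # code waiting to be entered, if any
        self.outbox = []     # codes "texted" to the owner's phone

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, device_token=None, code=None, now=None):
        """Return (status, device_token); status is ok, code_required or denied."""
        now = time.time() if now is None else now
        # Factor 1: something you know.
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return "denied", None
        # Remembered device inside its window: no code needed this time.
        if device_token is not None and self.trusted.get(device_token, 0) > now:
            return "ok", device_token
        # Factor 2: something you have. Unknown device, so text a fresh code.
        if code is None or self.pending is None:
            self.pending = f"{secrets.randbelow(10**6):06d}"
            self.outbox.append(self.pending)
            return "code_required", None
        expected, self.pending = self.pending, None  # each code is single use
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "denied", None
        token = secrets.token_urlsafe(32)
        self.trusted[token] = now + REMEMBER_SECONDS
        return "ok", token

def stolen_password_scenario():
    """Owner enrols a device; next day someone else tries the same password."""
    acct, pw, t0 = Account("a long easy passphrase"), "a long easy passphrase", 0
    acct.login(pw, now=t0)                                   # owner is texted a code
    _, token = acct.login(pw, code=acct.outbox[-1], now=t0)  # owner enters it
    owner = acct.login(pw, device_token=token, now=t0 + 86400)[0]
    intruder = acct.login(pw, now=t0 + 86400)[0]             # right password, no device
    return owner, intruder, len(acct.outbox)
```

The second entry in `outbox` is the unexpected text the owner receives: the sign that the password is known to someone else and should be changed.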

For the most part, setting up 2FA is free. I've heard of some services that require payment, and there are many companies that don't offer it. But by and large it's just part of doing business.

2FA is also a great fix for many of those password complexities that you don't like. With 2FA, you can simply make a long password that's easy to remember (correcthorsebatterystaple, for example - but don't use that one, it's all over the place) and you're very well protected.

Of course, whether or not you use 2FA (especially for those many places that don't offer 2FA), you'll want to have a long and strong password, and it will need to be different from other passwords. But I encourage you to take the time to check out your sites and set up 2FA if they offer it.

Stay safe!