Let's Get 2nd Level

The last step in this three-part blog post is to enable two-factor authentication (2FA) for any account supporting it (full list here). 2FA can help you buy some time to lock down your accounts if your devices are stolen or your passwords are leaked in a data breach. The premise is that you can prove you are the owner of an account because you carry something personal a criminal would not have access to: single-use codes delivered to or generated on your mobile phone. To be clear, there is a difference between 2FA and two-step verification (2SV), and most services actually provide 2SV using your phone while claiming 2FA. Instead of focusing on this technical distinction, it is more important to realize that companies will try everything to get you back into your account for your continued patronage. If you don't have access to your phone or have other login problems, companies give you a backup method of logging in via your email or a security question. Clearly, 2FA is only as strong as the password for your recovery email account or your chosen security questions and answers. If you haven't already, fix these first, before proceeding.

Most services will ask whether you want to be prompted for a code on every login or to trust the computer/phone you are currently using and skip the code challenge in the future. To maintain your sanity in the face of entering one time codes for everything you do online, try taking a risk based approach such as this:

  • For government, health, financial, utilities, and other sensitive accounts, choose to always prompt for a code
  • For accounts that can make big purchases/transfers on your behalf (Amazon, eBay, Venmo, PayPal, etc.), choose to always prompt for a code
  • For most other accounts that don't directly hold your payment information or your SSN/DL (social websites, email accounts, etc.), selectively choose to remember the devices

Do I want to be prompted for a special code every time before:

  • accessing my life savings at my brokerage or bank account?
  • enrolling for my Social Security benefits?
  • reading my blood test results at my health provider?
  • transferring out money from my Venmo account?
  • buying a MacBook on Amazon?

HECK YES!

Do I want to be prompted for a special code every time before:

  • writing a review on Yelp?
  • posting a photo to Instagram?
  • joining a Meetup?
  • buying an Eventbrite ticket?

No thanks, unless you don't recognize the computer/phone I'm using.

To make managing one-time codes even easier, some companies integrate with Google Authenticator, allowing you to download an app that can generate these codes even when your phone doesn't have internet or cellular access. Hopefully this list will grow over time, especially now that Amazon has started offering support for it.