Passwords are no longer enough. That’s what we keep hearing. Bad people are constantly battering at the door of my digital life looking for a way in, and I need more layers of defence, even if I avoid these classic password boo-boos.

Enter two-factor authentication (abbreviated 2FA, a.k.a. 2-step verification if you’re Google, and hashtagged as #2FA on that Twitter thingy). (“Universal 2nd Factor” or U2F is a related technology requiring special bits of hardware. We’ll not go there just yet.)

Like you, I have lots of online accounts, some of which don’t currently use 2FA (I’m not telling you which ones as you might hunt me down in order to cyber-attack me). My first introduction to 2FA was with the UK HMRC web site. They didn’t force me to set it up, as I recall, but I was happy to do so. Now, whenever I need to log in they text me a code which I have to enter in addition to my user name and password.

At this point you (like me) may have some questions, such as:

What problem does 2FA fix?

Sticking with the HMRC example, if someone steals or cracks my HMRC credentials, they still can’t log in as me because they don’t have my phone and can’t receive the 2FA code.

But what if they steal your phone as well?

Not very likely, is it? It could happen, I guess, so let’s assume I’ve been assaulted, they’ve tortured me for my HMRC login and then nicked me phone. I was about to say they’d need to crack my phone security as well, but then I remembered that text messages show a notification on the lock screen – so they might still be able to read the code. Dang it.

Not only that, I did hear of a scammer who managed to scam the mobile phone company as well as the target company so that they were able to receive 2FA codes. No torture or physical theft required. The phone company were negligent and it was a very complex scam, but it worked. (I’d like to include a link to the story but I can’t find it online and, hey, I’m not Wikipedia.)

So the answer is – 2FA could be defeated. Boo.

Aha! And what if you just lose your phone?

That would also be a pain in the proverbial. But HMRC, like all reputable 2FA systems, provides for backup authentication methods. It may be a landline number, another mobile number or even a set of one-time codes you can download and keep for just such a calamitous occasion. (No good keeping them on your phone, naturally.)

So, when configuring 2FA I do need to consider the Plan B option as well.

Do you have to enter a code every time you log in?

With HMRC, yes – that’s how I’ve set it. I don’t use it that often, and the data is highly confidential. But for other accounts, I do live in the slightly troubled territory of Remember me on this computer. We all do it – who wants to log in to everything, every time, on every device? Browsers (or the systems themselves) offer to remember us, or keep us signed in. It’s that balance of security and convenience.

With most systems it’s possible to only require a 2FA code when signing in to a new device. There’s a logic to that because if my account credentials are stolen, chances are that the criminal will try to use them on a computer other than mine. And 2FA will thwart them. (Always assuming they haven’t stolen my phone.) But, as before, there’s a slim chance that the hacking happens directly on my own computer (say with a keylogger loaded by a Trojan). In that case, if I’ve selected “keep me signed in on this computer”, and the digital baddie has control of my PC, I’m doomed. 2FA will not save me. The baddie will access all my secrets and ruin my life.
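To make the two ideas above concrete (one-time backup codes as Plan B, and asking for a code only on a device that hasn’t been seen before), here is a small added illustration in Python. It is not code from the post or from any real service; the account, the “texted” code and the device identifiers are all constructed in memory, and nothing is actually sent to a phone.

```python
import hashlib
import secrets

def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()

def new_user(password):
    # Constructed demo account; nothing here talks to a real phone network.
    return {"password": password, "backup_hashes": set(),
            "trusted_devices": set(), "sent_sms": None}

def issue_backup_codes(user, n=5):
    # Plan B from the post: one-time codes, shown once and stored hashed
    # server-side so a database leak does not hand out the recovery codes.
    codes = [secrets.token_hex(4) for _ in range(n)]
    user["backup_hashes"] = {_h(c) for c in codes}
    return codes

def send_sms_code(user):
    # Stand-in for texting a 6-digit code; in reality it goes out of band.
    user["sent_sms"] = f"{secrets.randbelow(10**6):06d}"
    return user["sent_sms"]

def login(user, password, device_id, second_factor=None, remember=False):
    if not secrets.compare_digest(password, user["password"]):
        return "denied"
    if device_id in user["trusted_devices"]:
        # "Keep me signed in on this computer": no code is asked for, which is
        # exactly why a compromised trusted device walks straight in.
        return "ok"
    if second_factor is None:
        send_sms_code(user)
        return "need_second_factor"
    sms = user["sent_sms"]
    ok = sms is not None and secrets.compare_digest(second_factor, sms)
    if not ok and _h(second_factor) in user["backup_hashes"]:
        user["backup_hashes"].discard(_h(second_factor))  # consumed: one use only
        ok = True
    if not ok:
        return "denied"
    user["sent_sms"] = None          # a used SMS code cannot be replayed
    if remember:
        user["trusted_devices"].add(device_id)
    return "ok"
```

Stolen credentials tried from an unfamiliar device stop at `need_second_factor`; the same credentials on a remembered device go straight through, which is the trade-off the paragraph above describes.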

Is 2FA worth the bother then?

Yes, yes, a thousand times yes. Cyber security is all about risk management, just like physical security. The fact that my front door lock isn’t impenetrable doesn’t stop me using it, because it significantly reduces the chances of a burglary. It makes life harder for would-be thieves. If I add a second factor (like an alarm, security lights or a savage guard dog), it mitigates the risk further. A determined criminal could still bypass it all – but the chances are they won’t bother.

Is 2FA using text messages perfect? Nope. Can it be beaten? Yep. (And not just by stealing my phone, by the way; text messages are unencrypted and can theoretically be intercepted during transmission.) Will it help if I’m already signed in, stay signed in and the criminal has access to my device? Nope.

Will 2FA with text messages usually stop a thief accessing my account on another device? Indeed. And theft of my credentials without loss of my phone, I would submit, your honour, is by far the most likely scenario. Why? Because most credential thefts or cracks don’t involve anyone accessing my computer (or my phone) directly. They’re stolen when a company web site is breached or when I’m dumb enough to be social-engineered or phished.

OK. So you recommend using 2FA?

Although… it’s worth being aware that companies mess up sometimes. Not naming any names, but Facebook have angered people with what they now say is a bug causing users to receive spam texts after setting up 2FA. That particular failing hasn’t caused a security problem – just extreme annoyance. Facebook’s 2FA is relatively new (at the time of writing) so it may be prudent to avoid being among the early adopters when a service first offers 2FA.

Which accounts did you say you don’t have 2FA configured for?

Nice try.