“It’s better to get locked out of your accounts by your own doing than by the actions of a threat actor”
Davey is a journalist and consultant specialising in privacy and security issues
@happygeek
I’ve written a lot about ensuring every account that can have two-factor authentication (2FA) activated does so. Adding an extra layer of protection means that if your login credentials are compromised, say a reused password turns up in a breach database traded between cybercriminals, the password alone is no longer enough to get into the account.
Of course, there’s no such thing as 100% secure and 2FA is no exception to this rule. 2FA via SMS is at best a 50% score, for example, as there are many known ways that the process itself can be successfully attacked: SIM-swap fraud against the carrier, interception of the message in transit, and phishing pages that simply ask for the code and relay it to the real site in real time. That’s still 50% better than zero secure, though.
2FA TOTP code authentication apps – that’s a time-based one-time passcode, rather than anything to do with Top of the Pops, sadly – are much better still, because the shared secret stays on the device and nothing passes over the phone network, and hardware-based authentication keys even more so, since a FIDO2/U2F key also checks the site’s origin and so won’t hand anything useful to a phishing page.
But, as reader Andy pointed out in a poignant email: “2FA becomes a jailer when you lose access to your authentication code-spinning device, locking you out of your accounts as surely as if a hacker had got your password.” In Andy’s case, his phone was stolen and his 2FA code app was on that phone –
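Whether an account survives the loss of a phone comes down to what a TOTP app actually stores, so here is the algorithm from RFC 6238 spelled out. This is an added example, not code from the column or from any authenticator app: the seed is the published RFC 4226/6238 test key, and the verify() drift window, the function names and the sample times are my own choices.

```python
"""RFC 6238 TOTP, implemented from scratch to show what the phone actually holds.

Added example, not code from the original column. The only long-lived state is
the base32 seed: any device (or an offline backup of that seed) that knows it
and has a roughly correct clock produces the same codes, so a lost phone is a
lost seed, not a lost capability.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890" as ASCII),
# base32-encoded the way apps expect it. Published test key, used here for
# illustration only; never reuse it as a real seed.
TEST_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) truncated to `digits` decimal digits."""
    # Tolerate seeds pasted without base32 padding, as many apps print them.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation, RFC 4226 s5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret_b32, t // step, digits)


def verify(secret_b32: str, candidate: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of clock drift.

    compare_digest keeps the comparison constant-time so a wrong guess does not
    leak how many leading digits matched.
    """
    t = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, t + k), candidate)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Two "devices" (the stolen phone and an offline backup) loaded with the same seed agree.
    phone = totp(TEST_SEED_B32, unix_time=59)
    backup = totp(TEST_SEED_B32, unix_time=59)
    print(phone, backup, phone == backup)                    # 287082 287082 True
    # The same code is still accepted one step later (drift), but not four steps later.
    print(verify(TEST_SEED_B32, phone, unix_time=59 + 30))   # True
    print(verify(TEST_SEED_B32, phone, unix_time=59 + 120))  # False
```

Because every code is a pure function of the seed and the clock, the seed (or the provider's one-time recovery codes) is the thing that has to be backed up out of band; the handset itself is replaceable. The same property cuts the other way: a seed sitting unencrypted in a cloud backup or a screenshot of the enrolment QR code is exactly as sensitive as the password it is supposed to protect.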