I was digging through my Credit Karma account the other day and came across an ominous warning, “We found your info in 13 data breaches including 1 exposed password”. The info referenced was my email address, some usernames, and the 1 password. I’ve always been fairly careful to create unique passwords for every login I use (consider that a must among account security basics, if you don’t already do it), but with the hacking techniques in use these days, a unique password alone is usually not enough to keep your accounts safe.
With the warning providing incentive, I decided to take action to protect myself by performing a security audit and enabling 2-factor authentication on all of the accounts where I had not previously done so, to add an additional layer of security, starting with my financial accounts near the top of the list (the thought of a hacker having free rein in my Vanguard account is enough to keep me awake at night!). I’d recommend that all readers do the same, ASAP. As hackers have upped their game, I’ve heard from a number of people that hackers have recently attempted to access their financial accounts. And with the possibility of an international cyber war escalating in recent weeks, now is the time to take action to protect yourself.
2-Step Verification vs. 2 Factor Authentication
Before we get started, let’s first cover what “2-Step Verification”, “2 Factor Authentication”, “Multi-Factor Authentication”, and “Two-Step Authentication” are:
- 2-Step Verification (or “2-Step Authentication”) is a type of authentication that uses 2 steps (usually of the same factor type) to verify you.
- 2-Factor Authentication (or “Multi-Factor Authentication”) is a type of authentication that uses 2 distinct factors of authentication.
There are 3 different factors of authentication:
- Knowledge Factor: what the user knows (e.g. a password or the answer to a security question)
- Inherence Factor: who the user is, i.e. biometrics (e.g. a fingerprint or facial recognition)
- Possession Factor: what the user has (e.g. a mobile phone that receives an SMS code, an authenticator app that generates codes, or a hardware security key)
Companies use the 2-Step/2-Factor terms interchangeably (and often incorrectly), so the terminology has lost meaning, but the basic premise is this: a hacker may be able to get access to your login and even your password, but in order to beat 2-Factor/2-Step, they’d also have to get into your phone or email account to intercept the one-time passcode (OTP). This dramatically shrinks the universe of people who could hack your account from every hacker on the planet to just those who also have access to your phone or email.
I can tell you that the large majority of online accounts still rely exclusively on the following 2-Factor Authentication method (without choice):
- A username/email and password, paired with
- A recognized device, and an SMS (text) OTP for an unrecognized device
For most of us, that will be good enough, and a massive improvement over relying on a password alone, but opt for an authenticator app if you would like the extra peace of mind and the option is available to you. There has been a movement to encourage people to receive passcodes through authenticator apps such as Google Authenticator (Android and iOS), Authy, and Microsoft Authenticator, as they are believed to be a safer method of receipt than SMS codes, which are far more vulnerable to hacking.
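To make concrete why an authenticator app does not depend on the phone network the way SMS does, here is an added example (not code from this post or from any of the apps named above) implementing the time-based one-time password scheme those apps use: RFC 6238 TOTP, built on RFC 4226 HOTP. The code is derived purely from a shared secret and the current time, so nothing has to be sent to you, and a site verifying the code only needs the same secret and a clock. The secret and timestamps are the published RFC test values; the function names, the one-step clock-skew window and the base32 handling are my own choices, not any app’s API.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is Unix time // step (30 s)."""
    return hotp(key, at // step, digits)


def decode_app_secret(secret: str) -> bytes:
    """Authenticator apps show the shared secret as base32, often with spaces
    and without padding; normalise it back to raw key bytes."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(key: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step plus `window`
    steps either side (phone clocks drift), comparing in constant time."""
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


# Constructed demo value: the RFC 6238 reference secret (ASCII
# "12345678901234567890"), in the base32 form an app would scan from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_app_secret(DEMO_SECRET_B32)
    print(totp(key, 59))  # RFC 6238 test vector at T=59 -> 287082
    print(totp(key, int(time.time())))  # what the app would show right now
```

Note that `verify_totp` accepts a code for three consecutive 30-second windows, which is why a code still works for a moment after it changes on your screen; a real service would additionally refuse to accept the same code twice.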
Where Should you Use 2-Step and 2-Factor Authentication?
If an account offers 2-Step/2-Factor Authentication, you should use it. However, given that most of us have dozens, if not hundreds of online accounts these days, you’ll probably want to prioritize. I’d recommend prioritizing the following types of accounts, roughly in this order:
- Password managers (self-explanatory why this is at the top of the list)
- Your primary email account (if hackers have access to your email, they already have a lot of personal information and can much more easily hack into other accounts via password resets)
- Your investment accounts (e.g. standard, IRA, 401K, HSA, 529, 457B, crypto wallets, etc.)
- Cash transfer apps (e.g. PayPal, Venmo, Cash App, etc.)
- Your bank/credit union accounts
- Your online tax software accounts
- Your secondary email accounts
- File sharing/cloud storage services
- Apple/Google/Amazon accounts
- Identity theft/credit service accounts (e.g. Credit Karma, credit agencies, LifeLock, etc.)
- Credit card accounts
- Social media accounts
- Health care/medical accounts
- Any other account you wouldn’t want someone else gaining access to
Make a list of all of your accounts and check them off one-by-one once you have enabled the security feature. I incorrectly assumed I had already done this on all of my accounts, but I found a handful where 2-Factor/2-Step was not previously enabled. After completing this audit, whenever you create a new account, add 2-Factor/2-Step automatically.
How to Set up 2-Factor Authentication in your Financial and Other Sensitive Accounts
Every account is a little bit different in how you can set up 2-Factor Authentication. Some do this automatically when you create the account. Others, you will have to manually enable the feature.
Typically you will need to find the “account settings” section of the account and choose “security” in order to get there. Just poke around a little and you’ll find the option, which as noted earlier, could be labeled as “2-Step Verification”, “2-Step Authentication”, “2-Factor Authentication”, or with other similar terminology.
I went through my entire list in about half an hour, give or take. The time investment will be a fraction of the time lost should someone actually break into one of your accounts and you’ll be able to sleep easier at night – so do yourself the favor.