2FA: What You Need to Know & Why You Need to Use It
- Mutual Assurance Society
- Aug 14

If you still rely on passwords to keep your online data safe, you are putting it at risk. Over 82% of all hacking-related breaches in 2024 were due to stolen or weak passwords. That's a bit like leaving your car unlocked in a public parking lot and then being surprised when someone makes off with your laptop that was in the back seat.
According to a study by Consumershield.com, the average cost of a business data breach in the U.S. in 2024 was a whopping $9.36 million. Almost 90% of web application breaches were caused by stolen or hacked passwords alone. Nearly 91% of people understand that reusing passwords is a security risk, yet 84% reuse passwords, making them vulnerable to attacks.
In 2024, individuals, not businesses, lost more than $12.5 billion to online fraud at an average of nearly $20,000 per event. Most of these losses were due to investment scams and phishing.
Why It Matters
In 2024 alone, over 1.7 billion individuals had their personal data compromised due to data breaches, which is a 312% increase over 2023. Many of these happened when customers were tricked into revealing sensitive information such as passwords, credit card details, and login credentials.
Now, however, there are new weapons you can use to protect your information: two-factor authentication methods, or 2FA for short.
But not all 2FA methods are equal. Some work far better than others. So what is the best way to protect your data? Here are your 2FA options.
2FA Simplified
2FA is another security layer that protects data by combining Something You Know (like a username and password) with Something You Have (like a fingerprint, email, text, or even your face).
Think of it as being able to get into an office building because you have both an ID and a key card. One without the other won't work. So with 2FA, no one else can get to your information, only you.
2FA is not offered on all websites and apps, but is offered by most major online accounts such as Facebook, Instagram, Outlook, and most financial institutions. You'll need to set up your device to enable 2FA.
Please note that the steps are different for each type of device. For example, here is the method for a Samsung phone:
Go to settings
Click on your Samsung Account
Click on My Profile
Click on Security and Privacy
Click on Two-step verification and/or passkey (depending on what you want to use - you can use both)
Follow the instructions.
And here are the instructions for Facebook:
On Mobile: Open the Facebook app, tap the three horizontal lines in the upper right corner, then go to Settings & Privacy > Settings > Password and Security > Use two-factor authentication.
On Computer: Click your profile picture in the top-right corner, then go to Settings & Privacy > Security and Login > Use two-factor authentication.
Select a Security Method: Choose your preferred method for receiving codes, such as an authentication app or SMS.
Follow the Prompts: Complete the setup by following the on-screen instructions to finalize enabling 2FA.
For instructions on other apps and devices, Google how to set up 2FA, and you'll see what to do.
Types of 2FA
There are several types of 2FA. Some are better than others. Learn more about these options below and pick the one you think will be easiest for you to use.
Hardware Keys

One of the safest 2FA methods is a device called a hardware key. It's a small "key" that you plug into your device, and when prompted, you simply tap it to get logged in. These cost anywhere between $25 and $50 and make you immune to phishing attacks. They are so good that even if you click on a fake account, your key won't unlock it.
Other advantages are that you don't have to wait for text messages or emails with codes that may never come, and it works offline or if you don't have cell service or Wi-Fi (think logging into your phone or laptop).
Google has been using hardware keys with its employees and has reported zero successful phishing attempts ever since. That's unheard of in a corporation of 85,000 employees.
The one disadvantage to a hardware key is that you have to carry it with you, and if lost, replacement is not easy. Still, you get the best security available today.
Biometric 2FA
You may already use your fingerprint or face to log into your phone, and now you can set it up for logging into online accounts and even social media. Biometrics are convenient, fast and built into most modern devices. However, they are not foolproof, as some hackers have been able to use high-resolution photos to bypass facial recognition. Plus, if you ever want to get a facelift, you may be unable to access your devices afterward.
Authenticator Apps
Authenticator apps are the workhorses of 2FA. You don't need to carry around an extra gadget, and you can get that facelift you've been contemplating without issue. Plus, you don't have to fumble when taking off your gloves on cold days to use a fingerprint.
Authenticator apps include Google Authenticator, Microsoft Authenticator, Apple Authenticator... you get the drift. They generate a 6-digit code that refreshes every 30 seconds, which you enter when prompted. There's no more waiting for a text or email code to get into a site.
One thing you have to prepare for, however, is that if you lose your phone, you won't have access to the app and the codes unless you enable backup and recovery options. So if you already use an authenticator app, make sure you do this now.
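How that 6-digit, 30-second code is produced, as an added example (not code from this article or from any authenticator app). It follows the public TOTP standard, RFC 6238, with HMAC-SHA1; the function names, the one-step allowance for clock drift, and the sample secret (the RFC's own test secret) are choices made for this illustration.

```javascript
// TOTP (RFC 6238): the app and the website share a secret and a clock,
// so both can compute the same code without sending anything to each other.
const crypto = require("node:crypto");

const STEP_SECONDS = 30; // how often the code changes
const DIGITS = 6;        // length of the code

// Compute the code shown by the app at a given Unix time (in seconds).
function totp(secret, unixTime) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixTime / STEP_SECONDS)));
  const mac = crypto.createHmac("sha1", secret).update(counter).digest();
  // Dynamic truncation (RFC 4226): the low nibble of the last byte picks 4 bytes.
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** DIGITS).padStart(DIGITS, "0");
}

// Website-side check: accept the current 30-second step plus `drift` steps on
// either side (an assumed tolerance for clock skew), compared in constant time.
function verifyTotp(secret, submitted, unixTime, drift = 1) {
  const given = Buffer.from(String(submitted));
  let ok = false;
  for (let i = -drift; i <= drift; i++) {
    const expected = Buffer.from(totp(secret, unixTime + i * STEP_SECONDS));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) ok = true;
  }
  return ok;
}

// Constructed sample input: the test secret published in RFC 6238.
const SAMPLE_SECRET = Buffer.from("12345678901234567890", "ascii");
console.log(totp(SAMPLE_SECRET, 59), verifyTotp(SAMPLE_SECRET, "287082", 59));
```

Because the code depends only on the shared secret and the time, the app works with no signal, and losing the phone means losing the secret unless it was backed up.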
Email Codes and SMS
This 2FA system is going the way of the Dodo. It sounds secure, but it is one of the most vulnerable. Once you log into a site, it will send you a code by either method, which you need to enter in order to gain access. The problem is that hackers can hijack your phone by using a method called SIM-swapping, or intercept texts with fake cell towers. They can also hack your email, access your inbox, and intercept the code that way. This all happens while you aren't even aware it's going on.
Passkeys Will Soon Be The Norm
To many security experts, passwords are out and passkeys are in. They are the future of account security and even more secure than any of the 2FAs mentioned above.
Passkeys are account-specific cryptographic keys (something your system uses) that unlock your accounts without usernames or passwords. They are much more secure than login credentials and mean you won't even have to try to remember your username or password after the passkey is set up. They are so secure that companies like Microsoft are deleting passwords from their authenticator apps and using only passkeys.
Passkeys have a huge advantage over other 2FA methods because they cannot be guessed or shared. They are nearly immune to phishing attempts and can't be stolen in a data breach.
How Passkeys Work
There are two types of keys used in every "passkey." One is a private key that is stored on your device (usually your cell phone - something you'll carry with you most often), and the other is a public key that apps or websites store in their systems. For brevity, we'll use "phone" to explain how this works, though a tablet can do the same.
When you log into a website, your phone has already confirmed your identity and that you hold it, through your fingerprint, your face, or the simple fact that you've unlocked it. After a prompt, the website automatically checks that the private key on your phone matches the public key it stores and grants access to your account.
If you are using a computer or another device, you can use the passkey to log in as long as you have your phone with you. The website will ask you to scan a QR code with your phone, and the same public and private passkey combination will be used to let you in.
Because of the cryptography used, the website or app server never learns your private key, so it can never be revealed in a data breach. If you lose the device containing your passkey, you can easily create a new one on your new device.
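The key exchange described above, as an added example (not code from this article and not the real WebAuthn message format that passkeys use). It is a simplified model: the class names, the user "alice" and both website addresses are hypothetical, and it shows why the site only ever holds a public key and why a look-alike address gets nothing from the phone.

```javascript
// Simplified passkey login: an added model, not the real WebAuthn message format.
const crypto = require("node:crypto");
// Bytes the phone signs: the site's origin plus the site's one-time challenge.
function signedData(origin, challenge) {
  return Buffer.concat([Buffer.from(origin + "\n"), challenge]);
}
// The phone: one private key per website origin; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // all the site ever gets
  }
  // `origin` is the address the browser is really on, not what the page claims.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey for this origin, so nothing is sent
    return crypto.sign("sha256", signedData(origin, challenge), privateKey);
  }
}

// The website: stores public keys and verifies a signature over a fresh challenge.
class Website {
  constructor(origin) { this.origin = origin; this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single-use
    const key = this.publicKeys.get(user);
    if (!challenge || !key || !signature) return false;
    return crypto.verify("sha256", signedData(this.origin, challenge), key, signature);
  }
}

function demo() { // constructed walk-through; both origins are hypothetical
  const phone = new Authenticator();
  const site = new Website("https://bank.example");
  site.enroll("alice", phone.register(site.origin));
  const sig = phone.sign(site.origin, site.newChallenge("alice"));
  const genuine = site.login("alice", sig);
  const replayed = site.login("alice", sig); // challenge already used up
  const lookalike = phone.sign("https://bank-login.example", site.newChallenge("alice"));
  return { genuine, replayed, lookalikeSigned: lookalike !== null };
}
```

A breach of the website's stored data in this model exposes only public keys, which cannot be used to sign a login.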
One thing you need to do with passkeys is make sure you have your phone set to log you out when you are not using it - rather quickly. You don't want to put your phone down for a few minutes as you get coffee and have it still logged in. Then anyone who can grab it could log into any account and wreak havoc!
Apple, Microsoft, and Google have enabled passkeys and will gradually compel users and websites to use them instead of passwords. The good news? This is one of the first security methods that requires you to do less to be more secure.
Whether you are comfortable with passkeys or want to receive a texted code, setting up 2FA is far better than relying on passwords alone, and could save you lots of headaches and money.
Need More Convincing to Use 2FA or Passkeys?
Some Scary Password Facts
The most common password is "123456"
Nearly 20% use their pet's name in their passwords
Only 12% use unique passwords
96% of the most common passwords can be cracked by hacking tools in less than one second
64% of passwords only contain eight to 11 characters
Only 10% of consumers report using a password to log in to their social media accounts in the last 60 days
21% include their birth year in their password
Almost 75% of those who've tried to guess someone-they-know's password have been correct
69% of Gen Z use a variation of a single password
Nearly 40% admit sharing their personal passwords with others
89% realize using the same password is a security risk, but only 12% switch passwords between accounts
Adding a single character to a common 10-character password can increase the time it takes for hackers to crack your password by 1.5 hours
13% use the exact same password for all of their accounts
Nearly 40% haven't changed their Wi-Fi password since the day they set it up
More than one-third admit they'd be embarrassed if they had to read their password aloud
12% include their partner's name in their passwords
61% of those hacked had passwords that were shorter than 8 characters
10% have used the same passwords since school years.
Sources: Norton.com, BeyondIdentity.com, DemandSage.com, PC Mag, CISO, Ask The Techspert, The Keyword


