How two-factor authentication can bolster online security
Q: I have two-factor authentication on all my finance-related websites. They require that I type in a code sent to my cellphone if I am not using my regular computer. I read an article that said that two-factor authentication is not safe and I should use a password manager instead. What is your opinion?
A: Two-factor authentication and password managers are not mutually exclusive.
Password managers are very useful for ensuring you have a unique password for each account you own. If one of your passwords is compromised, hackers will try that password against any service they can, to see whether it also lets them into those accounts.
To give you an idea of how this works, I had a password that I used for an account with Adobe that I also used for a few other sites.
A number of years ago, Adobe was hacked and their users’ passwords were stolen.
I received a notification that this had happened and I updated my Adobe password. But I never got around to updating other sites that used that same password.
Fast-forward eight years and I started getting notifications from various services indicating that there was suspicious activity on some old accounts I hadn’t even thought about for years.
Turns out that hackers were using that stolen Adobe database all these years later and methodically attempting to sign into anything they could think of using those credentials.
Fortunately, the sites were relatively unimportant and there was no real compromise of anything that mattered. But it goes to show that the hackers will go to great lengths to run their scams.
This may cause you to believe that just having a unique password for every site is the answer. But keep in mind that password databases get compromised all the time. Maybe the password they steal is only for one account, but if that account contains confidential data about you, then that data is at risk.
With two-factor authentication, even if they have the password, they still cannot sign in to your account without the second factor.
As to 2FA being unsafe, there are cases of something called SIM jacking (also known as SIM swapping), where someone takes over your phone number so that they receive the 2FA text and can access the account. But these are exceedingly rare and would require the hackers to know your account, know your password and know your phone number.
If you would like to see whether any of your accounts have been exposed in a security breach, go to haveibeenpwned.com and enter your email address. The site will list the breached services whose stolen data included your account information.
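To make the haveibeenpwned lookup concrete, here is an added example (not from the column) showing how the same site's Pwned Passwords service lets you check whether a password appeared in a known breach without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine, and the match is found locally. The `offline_fetch` stub and the response contents below are constructed stand-ins; a real lookup fetches https://api.pwnedpasswords.com/range/<prefix> and the breach counts are whatever the service returns.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample of what the Pwned Passwords "range" endpoint returns for the
# 5-hex-character prefix of a password's SHA-1 digest. Each line is
# "<remaining 35 hex chars>:<number of breaches it was seen in>".
# The counts here are made up for the example.
SAMPLE_RANGE_BODIES: Dict[str, str] = {
    # SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:1",
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus (0 = not found).
    Only the 5-char prefix is given to fetch_range (k-anonymity); the
    35-char suffix never leaves this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call, answering from the constructed bodies above."""
    return SAMPLE_RANGE_BODIES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen in %d breaches' % n if n else 'not in sample corpus'}")
```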