Passwords, Two-Factor Authentication, and Security Questions

This guide takes a more detailed look at passwords, password managers, and two-factor authentication.

Multi-factor Authentication

Multi-factor authentication (in practice most often two-factor authentication, aka 2fa) is the use of multiple concurrent steps to access an account. The most common example is using your debit card and a PIN to withdraw money from a bank account: both the card and the PIN are required. A less common example is a computer that requires a user to present a physical security key (such as a card or USB device) as well as their password to gain access.

Many, but not all, sites/services support some form of multi-factor authentication. This generally requires a device, such as a cellphone, which can generate or receive an additional code to be used in addition to the password to gain full access. Some sites/services will text you (via SMS) a code; others will require some sort of authenticator app. Sites/services which do this often also allow you to generate a list of temporary codes or passwords that can each be used a single time, so that you do not have to have a device physically with you, though once they are used up another list of codes will have to be made (and you will have to store them in some way that they can be recalled).

The advantages and disadvantages of multi-factor authentication are obvious: if a password is compromised, a second method is still required to access the account, which gives us greater protection. On the other hand, this often requires us to keep track of our device every time we want to log into various sites/services, and to keep that device charged and potentially connected to the internet (some token-generation methods do not require a connection). Further issues are discussed below.

Generally, it is recommended that you do use multi-factor authentication to protect your accounts. The Electronic Frontier Foundation writes, in "The 12 days of 2fa," 

Enabling two-factor authentication—or 2FA for short—is among the easiest, most powerful steps you can take to protect your online accounts.

This page will introduce the most common methods and apps and will discuss some of the pitfalls and ask if it is right for you.

SMS for Two-Factor Authentication

One of the most common, and generally easiest to set up, methods of two-factor authentication is to receive SMS (text) messages when you try to log into your accounts. You will be texted a code, often 6-8 numerical digits, that must be entered into the browser (etc) to complete a login process. Many sites support this, including GMail (note, UAH does not have this enabled for their Google Apps service), Amazon, Facebook, and others. 

You can find sites that support this by going to TwoFactorAuth.org and searching for "tfa:sms". That website also links to help files about how to set it up. Though many websites support this ability, they refer to it in several different ways.

The advantage of this method is that you can often integrate it into your routine with minimal fuss, and your phone already supports this protocol at factory defaults. No additional app is required. A secondary benefit is that you will receive a text if someone else is trying to access your account, which can be a near-immediate alert that your password has been compromised.

It does require you to have a device that is connected and able to receive SMS texts, though. There are times when this is inconvenient. Usually backup codes are available, but they must be generated beforehand.

Note: dedicated hackers can engage in methods such as SIM-swapping to receive your texts, and other methods can be used to intercept or read your texts. Also, if you lose your phone and do not have good security on it, then whoever has it can access your account (since most of us store passwords on our phone) and immediately receive the verification text. If you do use this method, you have to balance the convenience against other security measures.

Two-Factor Authentication Apps

A more secure, but somewhat more convoluted, alternative to SMS 2fa is a two-factor authentication app. Popular apps for this include

To see a list of sites (and see helpful documentation about setting up 2fa on said sites), again look at TwoFactorAuth.org and search for "tfa:totp" (meaning time-based one-time-use password). 

The general steps are to set up the app of your choice (most apps support most websites, though there are likely exceptions) and then go through the steps on a given website to add it to the app's list. You might scan a barcode or enter a token string to pair the app with the website. Once you do this, you enter the code the app shows into the website, and at that point you should be good to go. Some sites/services vary in this, though, so it is recommended that you follow the steps for the given website/app.

Then, when you access the website, you will pull up the app on your phone/device, select the site you are trying to enter, and be given a [often six-digit] code that you can type into the website. This code expires within a given time. Some apps/sites allow for a push notification which will show up and then you can tap on it to verify your access without having to enter the code.

While this requires a greater amount of time commitment to start (installing the app, syncing it with the site), it often takes about the same time to use as SMS after the first use.

These tend to be more secure than SMS methods because they are harder to intercept. You can also set master passwords for these apps that allow you to port them to different devices if you lose your main device.

A slight disadvantage is that you are not given a built-in alert when someone tries to access your account (unless it is one that supports push notifications). Another disadvantage, perhaps minor, is that if someone gets your device they have a way to see all of your accounts set up in this way. This does not mean they can see your username or password, though, just they are aware of what accounts you have (the same could be said with SMS, but you could delete those after using them). 

It shares the same issues with SMS in that if your device is not secured and is lost/compromised, the person controlling the device could access the codes [at least until you disable that device]. 

Is Two-Factor Authentication Right for You?

Is two-factor authentication right for you? The short answer is Yes, Probably. 

However, there are some factors (no pun intended) to consider:

  • Do you normally have your phone/device on you and readily accessible? If you are someone who tends to leave your device behind, or fails to keep it charged/connected, then it might be better not to be locked out of your accounts when you have no way to generate/receive 2fa codes. 
  • Do you regularly change your passwords, keep your passwords strong, and use only secure methods [including memory] to recall them? If you are on top of your password game then the added benefit of 2fa might be minimal compared to the added time sink of accessing it. 
  • Do you keep your phone/device secure and its software up to date? If you do, then 2fa can be a benefit. However, if you keep it unlocked and regularly lying around (or you allow other people to use it) then you run some additional security risks. Note, it would actually require someone to access your device to get the codes [though see above about SIM-swapping, etc], so for most [remote] hacking, 2fa might still be a benefit rather than a drawback.
  • Do you find yourself hitting "remember this computer" to bypass 2fa every time you log in, to avoid having to do the process? If you "remember" every computer every time you log in - meaning you tell every computer, including public ones, not to require 2fa - then you may not be getting much benefit from the process. You again get protection from remote attacks, but people sitting at any of the computers/devices you have used would have ready access.
  • Do you do major tasks such as banking or handle important [and large] amounts of sensitive data/material? If so, then extra security is good. If you do a lot of your more important transactions offline, more face to face, then it might be mostly "security theater". However, lean more towards caution than against.
  • Do you have issues with accounts being compromised semi-regularly? Some people seem to have poor luck with keeping accounts secure, even if they are using good password skills and updating things regularly. If so, this step might save you some headaches.

In general, the only times that two-factor authentication might be wrong for you are if you do not bring your phone/device with you regularly for whatever reason, or if you are the kind of person who bypasses such security on such a regular basis that it barely protects your accounts. For most of us, it is worth the extra hassle.

The Downsides of 2fa

Despite all the benefits of two-factor authentication, there are some downsides. Perhaps the most obvious is that you have to add extra steps to logging into the websites and services that you use. Generally, the sites/services you use the most (and therefore the most important ones) are the ones that will now take longer and more effort to access. It is easy to get frustrated by such steps. The extra security is a good habit to cultivate, and now is a good time to work on getting into the pattern of using it, but it still can lead to more headaches and longer waits.

Equally obvious is the stress this places on keeping track of the phone/device used to generate the codes and one-time-use passwords. Without it, and sometimes without it being connected to the network, you might find your own accounts inaccessible. What if you do not have unlimited texting and have run out of available texts? While this is less of a problem than it was just a few years ago, it still is a problem. Furthermore, this creates a central breakpoint in security. Losing control of your device - or losing control of your SMS - can compromise you. Note, you still have passwords and other methods (hence this is multi-factor, not a replacement), but this can somewhat limit the usefulness if you are the target of a dedicated attack.

Another issue is that it can lead to a false sense of security (pun intended this time). You might find yourself using weaker passwords, or letting passwords go stale, if you think that 2fa will overcome your issues on its own. 

There is no guarantee that sites/services using 2fa will continue to do so in the future, or they might radically change how they use it, which can lead to confusion and uneven security. Some implementations on some sites, such as certain Google Apps iterations, already use it differently (or not at all) compared to others.

Finally, while it does increase security and should be generally used, 2fa is a known factor to hackers and attacks on given protocols can lead to breaches that have little to do with your personal security habits. 

A good rundown on issues facing 2fa from 2017 (with some things changed since then, mind) is Russell Brandom's "Two-Factor Authentication Is a Mess". It is a useful tool, a good additional step, but is part of a security ecosystem and is not a one-stop-guarantee.