Multi-factor authentication (in practice we most often use two-factor authentication, aka 2fa) is the use of multiple concurrent steps to access an account. The most common example is using your debit card and a PIN to access and withdraw money from a bank account. The card and the PIN are both required. Another, less common, example is a computer that requires a user to enter a physical security key (such as a card or USB device) as well as their password to gain access.
Many, but not all, sites/services support some form of multi-factor authentication. This generally requires a device, such as a cellphone, which can generate or receive an additional code to be used in addition to the password to gain full access. Some sites/services will text you (via SMS) a code, others will require some sort of authenticator app. Sites/services which do this often also allow you to generate a list of temporary codes or passwords that can be used a single time so that you do not have to have a device physically with you, though once used up another list of codes will have to be made (and you will have to store these in some way that they can be recalled).
The advantages and disadvantages of using multi-factor authentication are obvious: if a password is compromised then there is a fallback method also required to access an account, which gives us greater protection. On the other hand, this often requires us to keep track of our device every time we want to log into various sites/services and it requires us to keep said device charged and potentially connected to the internet (some token generation methods do not require a connection). Further issues are discussed below.
Generally, it is recommended that you do use multi-factor authentication to protect your accounts. The Electronic Frontier Foundation writes, in "The 12 days of 2fa,"
Enabling two-factor authentication—or 2FA for short—is among the easiest, most powerful steps you can take to protect your online accounts.
This page will introduce the most common methods and apps and will discuss some of the pitfalls and ask if it is right for you.
One of the most common, and generally easiest to set up, methods of two-factor authentication is to receive SMS (text) messages when you try to log into your accounts. You will be texted a code, often 6-8 numerical digits, that must be entered into the browser (etc.) to complete a login process. Many sites support this, including Gmail (note, UAH does not have this enabled for their Google Apps service), Amazon, Facebook, and others.
You can find sites that support this by going to TwoFactorAuth.org and searching for "tfa:sms". Said website also gives you links to help files about how to set it up. Though a lot of websites support this ability, there are several ways they refer to it.
The advantage to this method is that you can often integrate this into your routine with minimal fuss and your phone already supports this protocol at factory defaults. No additional app is required. A secondary benefit is the fact that you will receive a text if someone else is trying to access your account, which can be a near immediate alert that your password has been compromised.
It does require you to have a device that is connected and able to receive SMS texts, though. There are times when this is inconvenient. Usually backup codes are available but must be generated beforehand.
Note: dedicated hackers can engage in methods such as SIM-swapping to receive your texts. Other methods can be used to intercept or read your texts. Also, if you lose your phone and do not have good security on it, then whoever has it can access your account (since most of us store passwords on our phone) and immediately receive the text to verify. If you do use this method, you have to balance the convenience with other security measures.
A more secure, but somewhat more convoluted, alternative to SMS 2fa is using a two-factor authentication app. Popular apps for this include
To see a list of sites (and see helpful documentation about setting up 2fa on said sites), again look at TwoFactorAuth.org and search for "tfa:totp" (meaning time-based one-time-use password).
The general steps are to set up the app of your choice (most apps support most websites, though there are likely exceptions) and then go through the steps on a given website to add it to your list. You might scan a barcode or enter a token-string to verify the app and the website. Once you do this, you then enter the code in the website and at that point you should be good to go. Some sites/services will vary in this, though, so it is recommended that you follow the steps for a given website/app.
Then, when you access the website, you will pull up the app on your phone/device and click on the site you are trying to enter and be given a [often six-digit] code that you can type into the website. This code expires within a given time. Some apps/sites allow for a push notification which will show up and then you can click on it to verify your access without having to enter the code.
While this requires a greater time commitment to start (installing the app, syncing it with the site), it often takes about the same time to use as SMS after the first use.
These tend to be more secure than SMS methods because they are harder to intercept. You also can set master passwords for these apps that allow you to port them over to different devices if you lose your main device.
A slight disadvantage is that you are not given a built-in alert when someone tries to access your account (unless it is one that supports push notifications). Another disadvantage, perhaps minor, is that if someone gets your device they have a way to see all of your accounts set up in this way. This does not mean they can see your username or password, though, just that they are aware of what accounts you have (the same could be said of SMS, but you could delete those after using them).
It shares the same issues with SMS in that if your device is not secured and is lost/compromised, the person controlling the device could access the codes [at least until you disable that device].
Is two-factor authentication right for you? The short answer is Yes, Probably.
However, there are some factors (no pun intended) to consider:
In general, the only times that two-factor authentication might be wrong for you are if you do not bring your phone/device with you regularly for whatever reason or if you are the kind of person that bypasses such security on such a regular basis that it barely protects your accounts. For most of us, it is worth the extra hassle.
Despite all the benefits of two-factor authentication, there are some downsides. Perhaps the most obvious is that you have to add extra steps to logging into websites and services that you use. Generally, the sites/services you use the most (and therefore are the most important) are the ones that it will now take longer and use more effort to access. It is easy to get frustrated by such steps. The extra security is a good habit to cultivate, and now is a good time to try working on getting into the pattern of using it, but it still can lead to more headaches and longer waits.
Equally obvious is the stress this places on keeping track of your phone/device used to generate the codes and one-time-use passwords. Without it, and sometimes without it connected to the network, you might find your own accounts inaccessible. What if you do not have unlimited texting and have run out of available texts? While this is less of a problem than it was just a few years ago, it still is a problem. Furthermore, this creates a central breakpoint in security. Losing control of your device - or losing control of your SMS - can compromise you. Note, you still have passwords and other methods (hence this is multi-factor, not a replacement), but this can somewhat limit the usefulness if you are the target of a dedicated attack.
Another issue is that it can lead to a false sense of security (pun intended this time). You might find yourself using weaker passwords, or letting passwords go stale, if you think that 2fa will overcome your issues on its own.
There is no guarantee that sites/services using 2fa will continue to do so in the future, or they might radically change how they use it, which can lead to confusion and uneven security. Some implementations of some sites, such as certain Google Apps iterations, already use it differently (or not at all) compared to others.
Finally, while it does increase security and should be generally used, 2fa is a known factor to hackers and attacks on given protocols can lead to breaches that have little to do with your personal security habits.
A good rundown on issues facing 2fa from 2017 (with some things changed since then, mind) is Russell Brandom's "Two-Factor Authentication Is a Mess". It is a useful tool, a good additional step, but is part of a security ecosystem and is not a one-stop-guarantee.