Securing Your Online Accounts with 2FA

As the holidays came and went I was asked one question by family and friends more than any other.

How do I keep my accounts secure?


If you work in InfoSec you know this isn’t an easy question to answer, but there are a few things everyone can do to secure their online accounts. Nothing is perfect, but if I could get you to do one thing, it would be to set up two-factor authentication (2FA) for all of your accounts.
Depending on the situation, I won’t even do business with companies who don’t have a 2FA offering.

What is 2FA?

Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).


Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.

https://en.wikipedia.org/wiki/Multi-factor_authentication

What is Two-Factor Authentication? (2FA) by Duo Security – https://www.youtube.com/watch?v=0mvCeNsTa1g

With that said, here are a few ways to secure your online accounts:

  • Use strong passwords
    • A different password per site
    • 25+ random characters
    • Use a password manager (KeePass, LastPass, etc.)
  • Randomize security questions and answers
    • Randomly generate the question/answer and save them in your password manager in the notes field or another field.
    • A different question/answer per site
  • Enable two-factor authentication (2FA)
    • When using 2FA, the most common two factors are something you know (a password) and something you have (a phone, YubiKey, etc.)
    • Use Duo, Google, or other application authenticators instead of SMS, if possible.
    • Use a physical device if possible (YubiKey, Titan Security Key, etc.)
    • Some 2FA is better than no 2FA.

Password Managers

Authenticators

Enabling 2FA

Others

Sources

A list of websites and whether or not they support 2FA – https://twofactorauth.org
