Back up your 2FA keys or you could be locked out of your account

The security of personal data is periodically highlighted by data breaches that expose sensitive information.

Certain data breaches compromise account login details, and may even reveal passwords in plain-text format.

While you should always use different passwords for each platform, there are further measures you can take to secure an online account.

One of the most effective ways of improving account security is to enable two-factor authentication (2FA).

Two-factor authentication requires you to confirm your login request using a different device or application, adding an extra level of security over your password and user name combination.

2FA can be implemented easily, but there are important factors to keep in mind when securing your account this way.

2FA methods

The most common methods for 2FA are SMS or app-based authentication.

In the first case, an SMS is sent to the user when they attempt to log in to a service. This SMS contains a verification code which must be inputted into the login interface to proceed.

This option improves security, but can be vulnerable to SIM-swap fraud. It also relies on your cellphone having a mobile network connection.

App-based authentication relies on applications installed on your smartphone, such as Google Authenticator or Authy.

After enabling 2FA, you will be given a one-time key and QR code from the platform which must be scanned into your authentication app.

Your app will then generate a current 2FA code whenever you open it, allowing you to log in quickly.

Both of these methods, however, depend on your smartphone being secure.

To ensure this, enable a form of biometric, password, or other access lock to restrict access to your device and authentication app.

Other, less popular methods for two-factor authentication include a physical USB key that complies with the U2F standard from the FIDO Alliance.

Push notifications can also be effective for two-factor authentication, along with phone callbacks and security tokens.

Back up your keys

If you are using an app-based authentication method, it is critical that you back up the security key.

When you activate app-based 2FA, you are typically presented with a QR code that can be scanned into your authentication app using your smartphone’s camera.

However, you are also shown a private key which can be typed into your authentication app to activate the security layer.

These both accomplish the same thing, but it is important that you write down or save the provided key and store it somewhere safe.

This way, if you lose your phone or it is destroyed, you can import your backed-up key into the authenticator app on a new device.
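The following is an added example, not part of the original article, showing why the QR code and the typed key are interchangeable and how a written-down key can be checked before the old phone is wiped. It assumes the platform uses standard TOTP (RFC 6238) with the `otpauth://` URI format that Google Authenticator reads; the sample URI is constructed from the RFC 6238 test key, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the kind of otpauth:// URI an enrolment QR code encodes.
# The secret is the RFC 6238 test key ("12345678901234567890") in Base32.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (label, base32_secret, digits, period) from an otpauth URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    secret = params["secret"][0].replace(" ", "").upper()
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return unquote(parts.path.lstrip("/")), secret, digits, period


def totp(base32_secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    padded = base32_secret + "=" * (-len(base32_secret) % 8)
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def backup_matches(uri, written_down_key, unix_time):
    """True if the typed backup yields the same code as the scanned QR."""
    _, secret, digits, period = parse_otpauth(uri)
    typed = written_down_key.replace(" ", "").replace("-", "").upper()
    return hmac.compare_digest(totp(secret, unix_time, digits, period),
                               totp(typed, unix_time, digits, period))


if __name__ == "__main__":
    import time
    label, secret, digits, period = parse_otpauth(SAMPLE_URI)
    print(label, totp(secret, time.time(), digits, period))
```

Because the code depends only on the key and the clock, any device holding the backed-up key produces the same codes as the original phone, which is also why the backup must be stored as carefully as a password.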

If you switch to a new smartphone and have not written down this key, you will have to request that two-factor authentication be disabled and then reset it using the associated platform.

Locked out

This can be frustrating, as I found out recently after misplacing my 2FA key for my Luno account.

I had switched smartphones since last accessing my Luno account and wanted to check my Ethereum account balance – only to find I had 2FA enabled.

I had deleted the key and application from my previous device after switching phones, and was unable to locate it within my offline backups.

Luno’s system is accommodating in this situation, requiring users to submit their ID number, mobile number, email address, and account password in their login portal to verify their identity.

I then received an SMS with an authentication code to further verify my identity and Luno sent me an email warning me that 2FA was being disabled on my account.

As an extra security measure, Luno stated that the authentication protection would only be disabled in 48 hours, allowing me time to react and lock my account if a hacker was attempting to access it.

This is a great security measure, and a necessary one in this scenario, but resulted in me essentially being locked out of my Luno account for two days.

The experience would have been made easier, and quicker, if I had backed up my original 2FA key.

Thanks to Saor for punting the importance of 2FA backups.
