Please use two-factor authentication (2FA)

I work in technology…and I talk with too many peers who don’t bother with two-factor authentication (2FA). In a world where cyber threats continue to evolve and infiltrate our online lives, 2FA is a relatively simple measure that can make a big difference. This concept isn't new, however its significance has only grown over time.

This is my appeal to you: please start using 2FA.

Why bother and how does it work?

I found this video from over a decade ago…it still holds up for the basic why and how. I picked it for other reasons as well.**

In addition to helping protect weak passwords, what’s even more relevant today is other threats like phishing and data breaches which can render even the most secure passwords moot.

I use several methods for 2FA, personally:

Authy (for general purposes)
Microsoft Authenticator (for both Microsoft Work or School and Microsoft personal accounts)
Phone call (limited use)
RSA SecurID (where required)
SMS text message (limited use)
YubiKey (when a physical key makes sense)

I’m not suggesting that you need to get started by learning about all of these. Using any of them (even potentially vulnerable ones like SMS text messages) is better than not having a second factor.

Do I need this for my personal accounts?

It is absolutely worthwhile to enable two factor authentication for just about anything that supports it. That said, there is the potential hassle-factor to consider when you don’t have your second factor handy (I’m looking at you, RSA key for my bank).

I use the following hierarchy of priority for using 2FA (starting with most important):

Email accounts. Specifically those email accounts that are used when signing up for other services, which would likely send a password reset request to that email.
Financial accounts. Any financial account that supports 2FA, enable it. Hard stop.
Purchase-enabled accounts. These are accounts that have a bank account or credit card tied to which someone could use to make purchases. In here I include things like Azure and OpenAI accounts that can run up consumption charges.
Social media accounts. Ensure that other people don’t trash your reputation. Also, protect your friends/followers from attacks that could be perpetrated while disguised as you.
Other accounts. Plenty of other accounts are adding 2FA support of some kind. Use some judgement and weigh the risk of compromise vs potential hassle of needing to supply a second factor.

Note, if you’re not currently using 2FA for any account, consider starting with a low-stakes account as a warm up. My first experience was with my Google account.

While it went smoothly, I felt nervous when I was setting it up because it felt extra important and I wasn’t familiar with the process. Feel free to start with baby steps…

What if I lose my second-factor (or it gets deleted/destroyed)?

This is a great question! Most accounts have additional features like adding a recovery email address, providing you recovery codes, or offering additional backup 2FA channels.

A screenshot of the Instagram Backup Codes screen. Dummy codes, not mine.

Regarding recovery codes, save these and make sure you know how to access then and that you don’t need that same second factor to get to them.

Get started today

Take the first step. Use the prioritization above (or reprioritize based on your own criteria) to determine which accounts to secure. Then log in and see if they support 2FA. If they do, validate the recovery options and ensure you understand how to mitigate that challenge. Then finally, enable it!

** Other reasons I picked this video: 2) it’s from before the heavy monetization of YouTube videos, so you can just watch it 😄 3) the age of the video is a good reminder that 2FA isn’t a new concept or passing fad, 4) “throwback tech guy”…not even trying to be ironic.