This is the second in a series of posts about keeping yourself safe online, which, alas, is something we all need to do in 2024. Please read my previous post first. In it, I wrote about two-factor authentication (2FA), what it is, and on which types of accounts we advise you to set it up.
There are several different methods of receiving the “second factor,” the additional code you enter after your password to get into an app or website. Some sites might require one method, some might require another, some might give you a choice.
Some of the most common 2FA methods, from most secure to least:
- Code generated by an authentication app (e.g. Google Authenticator, Microsoft Authenticator)
- App where you click “Approve” (e.g. Gmail app, Google app, YouTube app, Duo Mobile app)
- Emergency backup codes
- SMS (text message), or sometimes voice call as an alternative
Some sites also allow you to use an actual specialized physical device, often called a hardware token or a security key, but we’re not gonna cover that here. If you lose that device, you can be screwed.
SMS (text message) is straightforward, and on many sites, especially financial institutions, it’s the only option. You get a text message with a code to enter, or a text message with a link that takes you to a website where you can click Approve. SMS, however, carries with it two risks.
One risk is that if you lose access to your phone, you can’t get a code.
The other risk is number transfer theft — someone impersonating you can persuade an employee at your mobile carrier to transfer your number to “your new phone” — and now they can get all of your SMS codes. This really can and does happen! And, once they have that, the pros can then lock you out of all your accounts in a matter of minutes.
Therefore, it’s vital that you enable number transfer lock at your mobile carrier, especially since you may not have an option for 2FA besides SMS. Call your carrier and tell them you want to “enable a number transfer lock,” or “put a lock code on my number so nobody can transfer it.” (Or call us.)
Also, you can get locked out of your Google account if SMS is your only 2FA method. So, for Google accounts in particular, it’s important to also (or instead) set up authentication app 2FA, which we’ll cover next time. (Google will always make you set up SMS for 2FA by default, however.)
So, if not SMS, then what? Authenticator app codes. That’s what’s up next.
Photo by David Švihovec on Unsplash