Keeping your online accounts safe is hard when you’re not a security expert. Even if you use hard-to-guess passwords, never write them down, and use a unique password for every service, attackers can sometimes still intercept or crack a password. And the scary thing is that you usually won’t know until it is too late.
While the big tech companies keep looking for ways to make accounts more secure, the most effective protection that anyone can switch on today is two-factor authentication.
So what is two-factor authentication?
Two-factor authentication (2FA, sometimes written TFA, or called two-step verification) is the most common form of multi-factor authentication (MFA). It adds an extra layer of security on top of simple ‘single-factor’ authentication.
Single-factor relies on either something you know (like your password) or something you have (like the key to your house). If someone pickpockets the key to your house, they can simply walk in. If someone cracks your password, they walk into your online accounts through the ‘front door’ just as easily.
Two-factor requires both: something you know, and something you have. It’s like adding a numeric keypad to your front door, next to the regular lock. Stealing the front door key is no longer enough. Knowing the passcode is no longer enough. A burglar needs both to get through your front door.
How does 2FA work in a digital world?
We cannot add a physical key to unlock your Facebook, but we can still require something you have: your phone. When requesting both your password and a code that can only be generated by your phone, a service can make sure that the person trying to log in is really you. The multi-factor approach ensures that a hacker who has your password cannot log in, because they don’t have your phone; while a pickpocket who steals your phone cannot log in, because they don’t know your password. Clever!
Those generated codes are short and simple, usually 6 digits, so they are quick to type. At the same time they are unique, unpredictable, and each one is accepted only once, so they are secure as well. They change every 30 seconds, so anyone who intercepts one is holding a code that stops working moments later. One caveat: a code is valid until its window expires, so an attacker who relays it immediately (as real-time phishing sites do) can still use it. That is why a code should only ever be typed into the genuine site.
And the best thing is that you won’t have to memorize them. You don’t need to know them, you only need to have an app that generates them for you.
Other ways to do 2FA
There are many services that don’t use a 2FA app as the second factor. Common alternatives are sending a text message by SMS, like Twitter does, or an email. The principle remains the same: a text message sent to your phone validates that you have your phone (or really: access to your SIM card), and an emailed code validates that you have access to your email inbox.
There are pros and cons to those methods. For example, you don’t need to install an app to receive text messages. On the other hand, you do need cell coverage, and on top of that SMS is the weakest form of two-step verification: text messages are not encrypted in transit, they can be intercepted through weaknesses in the carrier signalling network (SS7), and an attacker who talks your carrier into moving your number to their SIM (‘SIM swapping’) receives your codes directly.
How do 2FA apps work?
2FA apps like Pix Authenticator for Android work in a straightforward manner: you set it up once with a secret that is shared only between the service and your app, usually by scanning a QR code. The app combines that secret with the current time to generate a code that changes every 30 seconds. When you log in, the service computes the same code from its own copy of the secret and compares it with what you typed. Only someone holding the secret can produce the right code, so a match proves that you are indeed you. Because the code depends on the time, both the service and your app need to agree on what time it is. If their clocks are more than 30 seconds apart, they will be generating different codes and logging in will fail! Luckily this is hardly ever a problem, because your phone continuously synchronises its clock from the network, so it is almost always on time.
Also: most services quietly allow one extra 30-second window on either side. So if your connection is slow, or you hit ‘login’ right after the app generated a fresh code, the previous code will still be accepted. You don’t have to rush typing the digits.
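To make the mechanism above concrete, here is an added example (not Pixplicity’s code) of the open algorithm these apps implement: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The shared secret is the well-known RFC test secret, shown base32-encoded as it would appear in a setup QR code, and the timestamps are the RFC’s own test times; the ±1 window tolerance and the replay check in `verify_totp` are the server-side behaviour described in the two paragraphs above, written as I would implement it, not as any particular service does.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in plain Python.

Added example, not Pixplicity's code. Uses only the standard library.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed input: the RFC 4226/6238 test secret "12345678901234567890",
# base32-encoded the way an otpauth:// setup URI or QR code carries it.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_SECRET = base64.b32decode(TEST_SECRET_B32)

STEP = 30     # seconds per code window
DIGITS = 6    # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP) -> str:
    """TOTP is HOTP with the counter = number of 30-second steps since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                skew: int = 1, last_counter: int = -1,
                step: int = STEP) -> Tuple[bool, int]:
    """Server-side check with tolerance and single-use enforcement.

    Accepts the code for the current window and `skew` windows either side
    (skew=1 is the 'one extra 30-second window on each end' leeway).
    Any counter <= last_counter is refused, so a code the server has already
    accepted cannot be replayed. Returns (accepted, counter_to_remember).
    """
    now = time.time() if at is None else at
    current = int(now // step)
    for delta in range(-skew, skew + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # RFC 6238 test times; the 6-digit codes are the last six digits of the RFC's 8-digit values.
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(TEST_SECRET, t))
    # What a clock that is 60 seconds off produces: a different code, so login fails.
    print("live:", totp(TEST_SECRET, 59), "clock +60s:", totp(TEST_SECRET, 119))
```

Running it prints the RFC vectors (287082, 081804, 050471, 005924). The last line illustrates the troubleshooting point later in this post: a phone whose clock is off by more than a window yields a code the server will never compute. The `last_counter` bookkeeping is what makes “a code can only be used once” true on the server; a verifier that only checks the HMAC would happily accept the same code twice within its window.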
How do I log in with 2FA?
When logging in to a website, you enter your email or username and password combination. When 2FA is enabled, it will ask for the 6-digit code, usually in a follow-up step.
This is when you whip out your phone, open your Authenticator app, and look for the account that you’re logging in to. There will be a large 6-digit number displayed, and a little 30-second countdown timer. Read the code and type it into the website before the timer runs out (like we said earlier: don’t stress, there’s some leeway), and you’re done.
Read our post on using 2FA for more details, and for a step-by-step guide on how to do this with our app Pixplicity Authenticator.
How do I set up 2FA?
Websites that support it will usually guide you through the setup process. You just have to find the right page to start. This is usually in the account settings. We have more detailed instructions here.
What if my login code doesn’t work?
If the website doesn’t accept the code your app is generating, don’t panic! Nine times out of ten your device’s clock is off. Setting your phone to the correct time (ideally by switching on automatic network time) makes sure your app creates the code for the right 30-second window.
Please read our post on troubleshooting or how to stop using 2FA for more information.
Which services support 2FA?
It’s a long list and more are added every day. Since the codes are generated with an open standard (TOTP, RFC 6238), you are not dependent on Pix’s technology: any compliant authenticator app works with any compliant service. The following are just a few well known platforms that we know are compatible:
- Google, Microsoft, Yahoo
- Facebook, Snapchat
- GitHub, Bitbucket
- Discord, Uplay
- LastPass and a lot of other password managers
- Most, if not all, cryptocurrency trading platforms
Download the app
The Pix Authenticator is available for iOS and Android.