What is 2FA?
When talking about authenticating a user there are 3 factors that can authenticate or verify a user's identity:
something they know (like a password, or security question, even a username)
something they are (like a fingerprint or retinal scan or facial recognition, even location: you are here)
something they have (like a phone or smart card or door key)
2FA is when any two factors are used to authenticate the user.
The steps differ depending on the solution, but these days many 2FA setups are as simple as downloading an app and enrolling on the site.
For example, setting up Google Authenticator usually takes less than 10 minutes.
Google Authenticator uses a 6-digit code along with your normal login credentials to verify that you know your password and that you have your phone. This is done by generating the 6-digit code on your phone. The code, which changes every few seconds, is determined by a time element and a secret. The secret is provided to you by the server, usually in the form of a QR code.
To set this up you need only download and install the Google Authenticator app on your phone (Experts: use a dedicated phone for this, and never share its number elsewhere), then use the authenticator to scan the QR code on the screen. You can add multiple accounts to the app.
To use the code, start to log in as normal; when prompted, just open the app and enter the code for that account. (Tip: you can label the codes by editing them in the app after setup.)
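To show what the app and the server are each computing, here is an added example (not code from the original post or from Google Authenticator) of the time-based code described above: HMAC-SHA1 over the current 30-second time step, truncated to 6 digits, plus the server-side check with a small clock-drift window. The secret is the constructed RFC 6238 reference secret, base32-encoded the way it would appear in an enrolment QR code.

```python
import base64
import hashlib
import hmac
import struct

# Constructed secret: RFC 6238's reference ASCII secret, base32-encoded
# as a QR-code enrolment would present it (assumption: 30 s step, 6 digits).
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    clean = secret_b32.upper().replace(" ", "")
    clean += "=" * (-len(clean) % 8)          # QR secrets often omit padding
    key = base64.b32decode(clean)
    msg = struct.pack(">Q", counter)          # big-endian 64-bit counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or ±skew_steps of drift.

    Comparison is constant-time so a mismatch leaks nothing about the valid code.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    import time
    print("current code:", totp(RFC6238_SECRET_B32, int(time.time())))
```

Because both sides derive the code from the same secret and the same clock, a phone whose clock has drifted more than the server's skew window will produce codes the server rejects.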
The process is similar for most sites that use the Google Authenticator:
Sync with a QR code:
For google/gmail/youtube/google sites start here
Caveat: this is just one example, there are many 2FA solutions.
Many more sites are adopting 2FA; check out https://twofactorauth.org, which lists the numerous 2FA-enabled sites out there and can help with enrolling in them.
(Caveat: Use caution with SMS 2FA. While usually better than single-factor authentication, it can be compromised by someone knowing just your name and the receiving number. While this is outside the scope of this blog, the basic threat model is social engineering the phone carrier into issuing a duplicate SIM using your name and number.)
Caveat: The methods of recovering lost second factors are not covered here.