More About Two-Factor Authentication…

Recently, there’s been much ado about whether or not SMS text messaging, the most commonly used method of two-factor authentication (2FA), is really secure. To wit:

All of those stories are educational, but let me save you a couple hours’ reading with some quick points:

Make Good Passwords; Change Them Sometimes

I tend to think of passwords much like this brilliant xkcd strip: they’re easier than most people think.

The trick is to find something that’s complicated enough to meet password security requirements, but not hard for you to remember. I can’t tell you what will work for you, but that xkcd strip pretty much nails my best suggestion: create a story with the password, and it will be easier to remember. Some ideas:

  • Have a daughter who loves tea parties? 2ForTeaEverySunday
  • Never miss your morning run? NikeSezJustDoIt@6:45
  • Drive a Mustang you restored yourself? BuiltMyOwn1966Stang!

Don’t forget to include:

  • upper-case letters
  • lower-case letters
  • numbers
  • symbols

Some sites, apps, and systems require password changes on a regular basis; whether or not yours do, I recommend changing your passwords occasionally. I doubt a password change will prevent hacking that could’ve happened before the change. It is a good way to stop a hack in progress, though, especially if it’s something under-the-radar that you don’t notice right away.

ANY 2FA is Better Than No 2FA

When 2FA is available, you should definitely use it. ANY 2FA, even if it’s via a less-secure method like email or SMS, is better than no 2FA. Most email and social media sites have some sort of 2FA option, and many banking sites and apps require it. It may seem cumbersome to answer additional questions to log in, or to wait for an email or text message with a verification code, but the extra step goes a long way toward keeping your information safe from someone who could use it for nefarious purposes.

Wonder where you should set up 2FA? Check out this amazing list of services and guidance (including a mechanism to push more services to embrace 2FA). Take security seriously? Enable 2FA on every service you can, and take the time to set it up properly.

2FA Apps Are Better Than SMS

Currently, the most secure options are 2FA apps; these are most often associated with your cell phone, but you can also use many with a tablet – and sometimes even a desktop computer.

Here’s a great breakdown of good 2FA apps from PC Magazine. It also makes the critical point about using 2FA: why it’s worth it to try out apps, use text messages, or otherwise put yourself out to set up additional layers of security:

Remember as you panic over how hard this all sounds: being secure isn’t easy. That’s exactly what the bad guys count on: that you’ll be lax in protecting yourself. Implementing 2FA on your accounts will mean it takes a little longer to log in each time, but it’s worth it in the long run to avoid some serious theft, be it of your identity, data, or money.

My personal favorite 2FA app is Clef, which I use for security on all of my WordPress-based websites. I love the crap out of it, and I wish it was integrated with more sites – you can see the list of sites where Clef works here, and decide for yourself if you want to give it a try.

I also use and recommend Authy, which I like because it syncs across devices and has a built-in cloud backup.

Still not sure how 2FA works for you?

Firelight can help you and your company set up 2FA across all of your devices to keep your critical data more secure. Give us a call to discuss your organization’s unique needs, and make a plan that will meet them all!


Tari Follett

Tari Follett is a spaceship enthusiast and blue-haired musician hailing from Muskegon, MI. In addition to feminist blogs and tiny house floorplans, she enjoys (almost) daily meditation and trying to make the internet a better place. She works as a Partner & Consultant for Firelight.

