We’ve said it before, we’ll say it again – 2FA is one of the biggest steps you can take to keep your account secure. 2FAs serve as heavy reinforcement for bad passwords, and protect you from brute-force, password stuffing attacks that might otherwise work. However, 2FA has a host of it’s own rules, so here are some dos and don’ts!
For Security Questions
Don’t: Make the Answer to 2FA Questions Something Too Obvious (Or Give Those Answers Out)
Social Engineering played a part in a major EA hack a few years or so ago. If you can imagine a coworker wanting to get into your stuff, and you don’t want them to, pick something that’s not common knowledge about you. “Favorite Musician” is a really easy question when you’ve got BTS memorabilia scattered around your desk!
Knowing this, you should also try and avoid mind-gaming yourself! A joke answer, or an answer that is technically correct but not the first one you would have picked if you’d never seen the question before, will make your answer more obscure, but it might also lock you out if you don’t remember what you wrote. Same goes for things that can change over time. On that note,
Don’t: Make the Answer Something Too Obscure for you to Remember
If you had to go back and look it up so you’d know what the answer was, chances are you’ll have to do that again when you’re asked to verify! Mother’s maiden name, your third grade teacher, what year model your first car was – if it’s too tough to remember after a few seconds, it’s probably not a good answer, even if nobody else would know it either.
Additionally, picking questions with multiple “trick” answers can also trip you up! For example – do you consider your first pet your family’s dog, or the pet you adopted as a teen, the first pet that was really ‘your’ pet? When considering what address you grew up at, is it the one you and your family moved away from when you were six, or the address you actually remember at seven? If you can think of multiple answers, it might not be a good question.
Do: Check Your Formatting
Some sites don’t care about case, others treat 2FA as a second password where everything must be precisely as you typed it the first time. Either way, it’s good to know some things about your habits: do you always capitalize the name of your pet, or if it’s something like ‘spot’, did you not do that this time? Do you include the dot when typing out your 3rd grade teacher’s name? Do you care about apostrophes? All of these are things that can trip you up when asked to verify with a typed answer to a question.
For Texts and Emails
Don’t: Click ‘Remember Me’ Unless it’s Your Device
Don’t click ‘Remember Me’ on your school or library’s computer – ‘Remember Me’ usually means either the computer will keep you logged in, or it will forgo the 2FA because you trust that device, via cookies. Most public computers soft-reset every time they’re logged out to prevent things like keyloggers and other nasty spyware from being left behind, but they can only do that if you remember to log out. If you don’t log out, and the computer isn’t set to restart after a period of inactivity (or someone gets to it before it does) it can mean your accounts are under threat, even if you closed out the browser window and logged off of your account. Similarly, this assumes the public computer is configured correctly to do that in the first place.
Do: Set it to Something You Can Access on Your Phone or On The Go
It might be a good idea to download Outlook if your backup email is Outlook. Most folks have their phone on them all the time, and if you end up at the bank or in front of a doctor without access to your account because 2FA sends to your computer, you’re going to be tempted to remove 2FA for next time. Don’t! Instead, make sure you can access whatever number or email it’s going to send that message to.
You should also try to update 2FA as you migrate across accounts – if you have something set to send to your old, abandoned email address or phone number, you may lose access to that account.
Do: Enable it Where You Can
2FA prevents the vast majority of password-stuffing attacks. If you need help, password managers like LastPass are an excellent choice – although you’ll have to add your security answers in the notes section, if you’re signed up with security questions instead of texts or emails.