Sure, Google recommends it for your Gmail account, and maybe Snapchat or Facebook suggested turning it on at some point. But why? What does two-factor authentication actually do?

Two Factor: The Gold Standard

Two-factor authentication (or 2FA) has been treated as the gold standard for a while now, but it didn’t always mean a code from a text or an email. Before smartphones (and therefore a portable email inbox) were widely available, many sites used security questions as their “second” check. But a security question is just another thing you know, the same kind of factor as a password, so it adds little on its own. So what part of 2FA is supposed to make the account it protects more secure?

Two-factor authentication combines something you know with something you have (a third category, something you are, covers biometrics such as a fingerprint). In today’s world, you know the password to the account, and you have a phone that can be sent a code or generate one in an authenticator app. A thief who steals the password still can’t log in without the phone, and a thief who steals the phone still needs the password.

Before that was widely available, a bank or similar institution might have paired something you have (a valid ID or debit card) with something you know (your Social Security number, your account number, or a security question you had set up with them earlier). That makes it far less likely that the unscrupulous grocery store manager who handled your check can use it for nefarious purposes. He has the account number printed on the check, but he doesn’t have your ID or the answer to the security question, so he doesn’t get access to your account. Even better, he’d have a really, really hard time getting either of those things without drawing suspicion. Great!

Surely, 2FA has SOME Weakness?

2FA is an excellent second layer of security for systems whose passwords might otherwise be guessed or brute-forced. It also acts as a sort of warning system: if a site with 2FA enabled sends you a code you didn’t ask for, someone else has your password. Change it, knowing the account wasn’t actually breached, because they never got past the second factor. Not today!

Knowing all of this, you should also know that 2FA isn’t infallible. Welcome to the world of social engineering. Social engineering is an attack that manipulates people, rather than computers, to get information or access. Craigslist (a platform where people buy and sell used items online) had to put out a notice telling users never to give a code they receive by text to a stranger. Why?

The Tale of Craigslist Scammers

Some clever scammers figured out that Craigslist would let someone reset a password with nothing but a code sent by text. Normally that would be fine, since only you have your phone. Normally. The scammers would act interested in an item, only to ‘suddenly’ get cold feet while the price or meeting place was being hammered out. That’s where the social engineering comes in. The scammer tells the seller something like: “Well, I’m worried you’re a scammer. I’m going to send a code to the number on the ad, and if you get it, tell it to me so I know you’re legit.” Then the scammer clicks the button to reset the seller’s password, the seller receives the reset code and reads it back to the scammer, and boom, the account is taken over. The “proof of legitimacy” was the seller handing over the one thing that was supposed to prove that they, and nobody else, held the phone.
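The weak reset flow described above, simulated in Python as an added example (this is illustrative code, not Craigslist’s or any real site’s implementation). `ResetService` models a classifieds site with the text-message and email gateways replaced by in-memory outboxes so it runs offline; `reset_sms_only` is the flaw the story describes, and `reset_two_channel` is one hardening, assumed here, that also requires a token from a link emailed to the account owner, so a single code read out over the phone is no longer enough.

```python
import hmac
import secrets


class ResetService:
    """Hypothetical password-reset service for a classifieds site (example.com).
    The outboxes stand in for an SMS gateway and a mail server."""

    CODE_TTL = 600  # a reset code is good for ten minutes

    def __init__(self):
        # Constructed sample account; there is no real user behind it.
        self.accounts = {"seller": {"phone": "+1-555-0100", "email": "seller@example.com",
                                    "password": "original-password"}}
        self.pending = {}      # reset_id -> state of one reset request
        self.sms_outbox = {}   # phone number -> texts sent
        self.mail_outbox = {}  # email address -> mails sent

    def request_reset(self, username: str, now: float) -> str:
        """Anyone can start a reset for any account: this is the button the scammer presses."""
        acct = self.accounts[username]
        reset_id = secrets.token_urlsafe(16)
        sms_code = f"{secrets.randbelow(10 ** 6):06d}"
        mail_token = secrets.token_urlsafe(32)
        self.pending[reset_id] = {"user": username, "sms_code": sms_code, "mail_token": mail_token,
                                  "expires": now + self.CODE_TTL, "used": False}
        # The text states its purpose and warns against sharing, as Craigslist's notice did.
        self.sms_outbox.setdefault(acct["phone"], []).append(
            f"{sms_code} is your example.com PASSWORD RESET code. Never share it with anyone.")
        self.mail_outbox.setdefault(acct["email"], []).append(
            f"https://example.com/reset?id={reset_id}&token={mail_token}")
        return reset_id

    def _live(self, reset_id: str, now: float):
        """Return the pending request if it is unexpired and unused, else None."""
        state = self.pending.get(reset_id)
        if state is None or state["used"] or now > state["expires"]:
            return None
        return state

    def reset_sms_only(self, reset_id: str, sms_code: str, new_password: str, now: float) -> bool:
        """Weak flow from the story: the texted code alone is enough to set a new password."""
        state = self._live(reset_id, now)
        if state is None or not hmac.compare_digest(state["sms_code"], sms_code):
            return False
        state["used"] = True
        self.accounts[state["user"]]["password"] = new_password
        return True

    def reset_two_channel(self, reset_id: str, sms_code: str, mail_token: str,
                          new_password: str, now: float) -> bool:
        """Hardened flow: the texted code is necessary but not sufficient; the token
        from the emailed link must be presented as well, and the request is single-use."""
        state = self._live(reset_id, now)
        if state is None:
            return False
        if not (hmac.compare_digest(state["sms_code"], sms_code)
                and hmac.compare_digest(state["mail_token"], mail_token)):
            return False
        state["used"] = True
        self.accounts[state["user"]]["password"] = new_password
        return True


def run_scam(service: ResetService, hardened: bool, now: float = 1_700_000_000.0) -> bool:
    """Simulate the scam: the attacker starts a reset for the seller from their own
    browser, the seller reads the texted code back to 'prove' they are real, and the
    attacker submits it. Returns True if the attacker ends up owning the account."""
    reset_id = service.request_reset("seller", now)
    phone = service.accounts["seller"]["phone"]
    read_out_code = service.sms_outbox[phone][-1].split()[0]   # seller recites the code
    if not hardened:
        return service.reset_sms_only(reset_id, read_out_code, "attacker-chosen", now)
    # The attacker never saw the seller's inbox, so the email token is a guess.
    return service.reset_two_channel(reset_id, read_out_code, "guess", "attacker-chosen", now)


if __name__ == "__main__":
    print("code-only reset, scam succeeds:", run_scam(ResetService(), hardened=False))
    print("two-channel reset, scam fails: ", run_scam(ResetService(), hardened=True))
```

The second channel raises the cost of the scam rather than eliminating it: a seller who will read out a text can probably be talked into reading out an email too. That is why the wording of the message itself (“PASSWORD RESET code. Never share it”) and the rule never to give a code to anyone remain the real defence; the technical control just makes sure one slip isn’t enough.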

Remember, it’s far easier to type in a code every time you log in than it is to recover your YouTube channel from someone who got your password, and never tell anyone that code. Never tell anyone the answers to your security questions either; they aren’t a true second factor (they’re just another thing you know), but sites still use them to recover accounts, so guard them like a password.

Stay safe!