Secure your Accounts with 2FA, NOT Two-Step

There’s a lot of confusion between two-factor authentication and two-step verification, but only one of them can keep your accounts safe.

Imagine that someone provides you two different options for keeping your online accounts safe. One of them significantly adds to the security of your account. The other actually puts you at elevated risk of having your money stolen. If both of these methods have similar names, and people sometimes use those names interchangeably, how would you know the difference?

This is the story of two-step verification and two-factor authentication. To understand why we’re using these technologies at all, we need to talk about passwords.

Passwords Don’t Always Protect

A number of years ago, people in the computer industry began to realize that passwords are often a very weak method of authenticating someone’s identity. Passwords can be guessed by malicious programs created by thieves and scammers. Additionally, people often reuse passwords between sites. So, if one site is hacked and your password is exposed, the hacker will have access to your account on multiple sites. 

That’s why the IT community started encouraging people to use an additional method for validating their identity. We call this two-factor authentication (or “2FA”)1. 2FA requires both something you know (your password) and something you have (an authenticator code stored on a physical device) to login.

The authenticator can be a specialized hardware device, but most of the time it’s an app that’s installed on your phone. Either way, this authenticator contains a cryptographic code that is only known by the authenticator and the service that you’re trying to connect to (eg: Google, Facebook, LastPass, etc). If that service detects a login from an unfamiliar device, it asks for a code from your authenticator. The code is regenerated continually (typically every thirty seconds). This way, only a person who knows your password and has the authenticator can log into your account. Chances are, that’s just you.

A Bad Shortcut

However, many services short-cut their solution with an older process called “two-step verification”. Users often dislike having to install a separate authenticator app. So instead of an app, the service will send an SMS text message with a one-time code to verify a new login. This may seem like the same process, but there’s a serious shortcoming: SMS is terribly insecure. Both SMS and our telephone system at large are prone to all sorts of exploits. The underlying technologies were designed decades ago, and security was not always baked into those designs. 

It wasn’t long before thieves started finding clever ways to circumvent two-step by exploiting these shortcomings.” This has allowed scammers to use tricks and hacks in order to gain access to people’s PayPal accounts – these digital smash and grab techniques recently cost a Vancouver man $3,700.

How to Stay Safe

It’s important to understand that two-step and 2FA are not the same thing. As you’ve just seen, two-step can actually put your accounts at greater risk of being hacked. Unfortunately, many providers – including PayPal – are using the two terms interchangeably.

You can greatly increase the security of your account by turning on 2FA, if you’re okay with always entering a code from an authenticator app on your phone when you log in.

Here’s how to use an authenticator with PayPal:

1. Download an authenticator app for your phone – Google Authenticator is one of the most popular
    
2. Log into your PayPal account
    
3. Go to Settings (gear icon), then Security
    
4. Scroll down – next to where it says “Two-step verification” click Set up
   Note: We won’t be using two-step specifically, but this is what PayPal calls it
   
5. Select the Use an Authenticator App option and click Set It Up
   
6. Open Google Authenticator on your phone
    
7. Click the + icon, and select Scan Barcode
    
8. Point your phone’s camera at the barcode on screen – when the barcode has been successfully added, Google Authenticator will show a new six-digit code in the main list
    
9. Return to PayPal and enter the code from your authenticator app – this code will regenerate every thirty seconds, so make certain you’re using the current code
    
10. Click Confirm – you’re done!

You can add the authenticator codes to other devices you trust, such as a tablet or a close friend’s phone. This way, if your phone is stolen, you’ll still have a way of getting access.

Thieves and scammers are clever people using increasingly sophisticated techniques which rely on tricking people. As users, we need to keep up by bolstering our personal security procedures. It takes a little extra effort, but it might very well save you thousands of dollars.

Jesse Schooff is a veteran IT professional and technical communicator. As a volunteer blogger for OpenMedia he specializes in issues of privacy and information security. You can find more of his writing at geekman.ca