What is it and why should you care?

Two-factor authentication is just one of a few phrases that mean essentially the same thing, commonly abbreviated to 2FA or similar. MFA, multi-factor authentication, is closely related but allows for more than two factors, such as time and location (for example, if someone who normally lives in the UK attempts to log in from Sweden at 3:00 am, that might be considered unusual and a possible indication that it’s not you but an interloper). Google calls it 2SV, two-step verification, but it is essentially the same thing.

MFA is defined as authentication using two or more different factors. Factors include something you know (e.g. a PIN or password), something you have (e.g. a cryptographic identification device or token), or something you are (e.g. a biometric).

You may be directed to use Google’s Authenticator app, but I suggest you use authy.com. With Authy you are not limited to authorisation via your mobile phone or your PC. Web sites that use 2FA may also offer printable single-use backup codes so you can still log in if you don’t have access to the authenticator program.
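To show what an authenticator app such as Google Authenticator or Authy is actually doing when it displays a six-digit code, here is an added example (not code from the original article or from either app): a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226) generator, plus the verification a web site performs with a small tolerance for clock drift. The shared secret is the published RFC 6238 test-vector secret, not a real account key.

```python
# Added example: TOTP as used by authenticator apps, and server-side verification.
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret: the ASCII bytes "12345678901234567890" in base32.
# An enrolment QR code carries a per-account secret like this (constructed, not real).
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, submitted, at=None, step=30, digits=6, window=1):
    """Accept a code for the current step or one step either side (clock drift).

    Each candidate is compared in constant time so the comparison does not leak
    how many leading digits matched. A real service would also record the step
    it accepted so the same code cannot be replayed within the window."""
    at = time.time() if at is None else at
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the SHA-1 code is 94287082, so the 6-digit code is 287082.
    print(totp(DEMO_SECRET_B32, at=59))
    print(verify_totp(DEMO_SECRET_B32, "287082", at=59))       # accepted
    print(verify_totp(DEMO_SECRET_B32, "287082", at=59 + 120)) # too old, rejected
```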

Online and computer security is a major concern. Over the past quarter century we’ve all been progressively encouraged to use stronger and more complex passwords, but accounts still get hacked. You may use a good strong password like 2^LTZnAe&qaK4@, but if a malicious third party manages to find it your security is gone; and because strong passwords are difficult to remember, people write them down or use the same password for multiple purposes. 2FA is far more difficult to defeat than a password alone (almost impossible). There’s another article here that explains more: Why should I care about Email security.

You will be increasingly aware of one-time passcodes sent as text messages and of fingerprint recognition on a mobile phone. Those are examples of MFA: you know a password, you have a cryptographic identification device (your mobile phone), and the something-you-are factor is the fingerprint recognition on your phone.

Google has long battled to make Gmail a leader in email security. For example, they bought the expensive, market-leading spam filter Postini in 2007 and incorporated that technology into Gmail (free). They use SSL email encryption where possible (it only works if both the sender’s and the recipient’s email services use SSL). They were early adopters of 2FA in Gmail, and that’s what led me to write this. For several years Google has attempted to encourage users to sign up to 2FA, but take-up has been poor. The security conscious, especially those working with computers, were early adopters and tried to encourage others to use it too, but with too little effect.

Nobody likes change, but 2FA is a very effective way to improve your security and is not difficult to use. In normal use you’ll barely be aware of it, but if you (or a hacker) try to access your email from a different computer or mobile phone there’ll be an additional step to gain access. That makes it near impossible for the hacker.