Step 2: Multi-Factor Authentication Explained (2FA/MFA)

Multi-Factor Authentication explained for people who have never heard of or used 2FA/MFA/TOTP/YubiKey security. This is a mandatory level of security to keep your online life safe!

ADDITIONAL RESOURCES

2/9/2026, 6 min read


If you are new to online security, the term "multi-factor authentication" (you will also see it called "2FA" or "MFA", and "TOTP" for one particular kind of code-based MFA) can sound more complicated than it actually is. In simple terms, it just means using more than one method to prove that you are really you when logging into an account.

Most people already use one factor without thinking about it: a password. The problem is that a password alone is no longer very reliable. It can be reused across sites, guessed, leaked in a data breach, or stolen through phishing or malware.

Multi-factor authentication, often shortened to MFA, adds another requirement on top of your password. Even if someone gets your password, they still can't log in without the second factor.

What Counts as a Second Factor

There are a few common types of second factors (your password is the first factor: something you know).

Something you have: This could be a passkey stored on your phone (I don't trust these much, since most passkeys are synced through your Apple or Google account rather than pinned to one device, so whoever controls that account can use them), an app that generates a code like Bitwarden Authenticator (my runner-up favorite), or a physical security key like a YubiKey (my top favorite).

Something you are: This includes biometrics like a fingerprint or face scan. (I'm not a fan of these.)

The most common form people encounter is a six-digit one-time code (TOTP) that changes every 30 seconds; you are asked to enter it right after your password.

Side note, and an important one: if you can, set up a backup MFA method so you aren't locked out if something happens to your main one (you lose your key, replace your phone, etc.). If a site only allows one method, do what you can, but a lot of apps and websites (Bitwarden, for example) will let you enable as many MFA methods as you like. Take advantage of that! :) Most sites also hand you a set of one-time recovery codes when you turn MFA on; store those somewhere safe (printed and locked away, or in your vault), because they are your way back in when every other method fails.

Why I recommend BitWarden

Bitwarden is a free password manager. Instead of clicking "Remember Password?" in your browser or saving to your phone's keychain, both of which are protected only by your device unlock (anyone who can unlock the device, or malware running on it, can view or export every saved password), you keep your passwords in a vault encrypted with a separate master password. This way, if anyone ever did get into your phone, they still couldn't read your vault without that master password.

Instead of using the same password everywhere, Bitwarden helps you generate and store a strong, unique password for each site. You can either use a completely random mix of letters, numbers, and symbols, or a passphrase of random words separated by symbols and numbers. If the site you're creating a password for has a length limit or bans certain symbols, use the random-character option and set the length and character set to match. You'll never have to type this jumbled password by hand, you'll just autofill or copy and paste it, so don't worry about it! :)

Bitwarden also supports multi-factor authentication for protecting access to your vault itself ("vault" is what the password manager's encrypted store is called, and having MFA enabled on your vault login is absolutely mandatory because it houses ALL of your passwords!). Once you sign up for Bitwarden, set up 2FA/MFA on the Bitwarden login itself right away: register with a NEW email address (not one that may already be compromised), write your master password down and store it somewhere safe, then log in in a browser and enable MFA. (Click here for instructions on how to set up MFA for your Bitwarden vault.)

Bitwarden Authenticator (TOTP) & How It Works

The Bitwarden Authenticator generates time-based one-time six-digit passcodes that refresh every 30 seconds (and it's also free!). When a website uses app-based MFA, the login process usually looks like this:

  1. You enter your username and password

  2. The site asks for a one-time code

  3. You open your authenticator and copy/paste or type in the current code before it refreshes

Bitwarden can store these MFA entries alongside your passwords once you enable "Sync with Bitwarden" in the settings, or you can use the standalone Bitwarden Authenticator app by itself (I have both installed and let them sync). Either way, the codes are generated locally on your device from a secret the site gave you when you scanned its QR code; nothing is sent through text message or email, which can be really unsafe, especially if you've been targeted by abusers.
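Here is what the authenticator app is actually doing under the hood, as an added example that is not from the original post: a from-scratch TOTP implementation (RFC 6238, built on HOTP from RFC 4226) in Python. It uses the secret published in the RFC's own test vectors rather than a real account secret, and it also shows the server-side check with the small clock-drift window most sites allow, which is why a code typed a couple of seconds after the countdown hit zero usually still works.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# The secret below is the published RFC 6238 / RFC 4226 test-vector secret
# (the ASCII bytes "12345678901234567890"), NOT a real account secret. A site
# hands you this kind of secret base32-encoded inside the QR code you scan.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 text from the QR code / 'setup key' into raw key bytes."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    window = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply how many 30-second steps have passed since 1970."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(decode_secret(secret_b32), int(unix_time // step), digits)


def seconds_left(unix_time: Optional[float] = None, step: int = 30) -> int:
    """How long the current code stays valid (the countdown the app shows you)."""
    if unix_time is None:
        unix_time = time.time()
    return step - int(unix_time % step)


def verify_totp(secret_b32: str, submitted: str, unix_time: float,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step plus `window` steps either side, to tolerate
    clock drift and the time you spend typing, and compare in constant time."""
    key = decode_secret(secret_b32)
    current = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(key, c, digits), submitted)
        for c in range(current - window, current + window + 1)
    )


if __name__ == "__main__":
    print("secret as it appears in a setup QR code:", RFC_SECRET_B32)
    for t in (59, 1111111109, 1234567890):           # times from the RFC 6238 test table
        print(f"t={t:>11}  code={totp(RFC_SECRET_B32, t)}")
    print("right now:", totp(RFC_SECRET_B32), "valid for", seconds_left(), "s")
```

Two things worth noticing: the site and your phone share nothing but that secret and the clock, so a code never has to travel over SMS or email; and the server's acceptance window is deliberately small (one step either side here), which is why a wildly wrong phone clock breaks TOTP logins.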

Why SMS + Email Verification Codes Are Not Ideal

Many services still rely on sending 2FA/MFA codes via text message as their only form of verification. While this is better than having no MFA at all, SMS codes have known weaknesses and shouldn't be relied on if you have a choice. (I'd use email before SMS, and SMS only if absolutely necessary. An emailed code is only as strong as the email account it lands in, so that account needs app-based MFA of its own.)

If someone takes control of your phone number or intercepts your texts, they also receive your login codes. This can happen through a carrier account takeover or a number-porting (SIM swap) attack, and sometimes even through silent compromises at the carrier level. Authenticator apps avoid this problem because they don't depend on your phone number or the cellular network. One caveat: many sites keep your phone number as a fallback or account-recovery option even after you enable an app, so check the account's recovery settings and remove SMS there if the site allows it.

Hardware Keys as a Higher Level of Security (YubiKey)

A YubiKey is a small physical device that you either tap against your phone (NFC) or plug into your phone/computer to use as a second factor of authentication. The private key inside it never leaves the device and can't be cloned remotely, which makes it an incredibly secure authentication method. Keep it on a keychain, but do NOT bring it with you everywhere. Keep it safe, at home, for the rare occasions you have to log into something that requires it.

So instead of typing in a code, you insert or tap the key when logging in. The key signs a challenge from the site with a private key that stays inside it, and that signature is tied to the real website's address, so if a look-alike site tries to fake a login prompt the key simply won't produce a valid answer for it. (With this said, when buying a YubiKey make sure it fits your phone's data port (you might need to take your phone case off for it to plug in, not a huge deal) or that your phone can use the tap/wireless method (NFC), AND consider whether you'll need to use it on your computer. If you'll need to log into things on your PC, you might want a second USB key that can serve as a backup/second MFA method just for your PC.)
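To make "it won't produce a valid answer for a fake site" concrete, here is an added example (not from the original post, and not YubiKey's or any site's real code): a cut-down Python model of a FIDO2/WebAuthn login. It shows the two things that defeat a look-alike site: the browser, not the web page, derives the site identity (rpId) and writes the real origin into the data the key signs, and the key only holds credentials for the site it was enrolled on. Simplification to keep it standard-library only: a real key signs with a per-site private key (for example ES256) and the server stores only the matching public key; here HMAC-SHA256 with a per-credential secret stands in for that signature. The domain names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Simplification (see lead-in): a real key signs with a per-site private key and the
# server keeps only the public key; HMAC-SHA256 with a per-credential secret stands in
# here so the example runs on the standard library alone. Domain names are hypothetical.
RP_ID = "bank.example"                    # relying-party ID the real site registers under
RP_ORIGIN = "https://bank.example"        # the only origin its server accepts
PHISHING_ORIGIN = "https://bank-example.com"


class SecurityKey:
    """Credentials are created per relying-party ID at enrollment and never leave the key."""

    def __init__(self) -> None:
        self._creds = {}                  # cred_id -> (rp_id, secret)

    def make_credential(self, rp_id: str) -> tuple:
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret            # 'secret' plays the public key's role here

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> Optional[tuple]:
        """Sign only with a credential scoped to this rp_id; for any other site there is nothing to sign with."""
        for cred_id, (scoped_rp, secret) in self._creds.items():
            if scoped_rp == rp_id:
                auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)  # rpIdHash|flags|counter
                sig = hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()
                return cred_id, auth_data, sig
        return None


def browser_get_assertion(key: SecurityKey, page_origin: str, challenge: str) -> Optional[dict]:
    """The browser's side of navigator.credentials.get(): it derives rpId from the page it is
    really on and writes 'origin' into clientData itself, so a page cannot lie about it."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    assertion = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if assertion is None:
        return None
    cred_id, auth_data, sig = assertion
    return {"cred_id": cred_id, "client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """The real site's server: hands out one-time challenges and checks the responses."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self._creds, self._pending = {}, set()   # cred_id -> (user, secret); open challenges

    def register(self, user: str, key: SecurityKey) -> None:
        cred_id, secret = key.make_credential(self.rp_id)
        self._creds[cred_id] = (user, secret)

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, response: Optional[dict]) -> bool:
        if response is None:
            return False
        cd = json.loads(response["client_data"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._pending:
            return False                      # replayed or unsolicited
        self._pending.discard(cd["challenge"])
        if cd.get("origin") != self.origin:
            return False                      # signed while on a different site: phishing
        if response["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False                      # credential scoped to some other rpId
        entry = self._creds.get(response["cred_id"])
        if entry is None:
            return False
        expected = hmac.new(entry[1], response["auth_data"] + hashlib.sha256(response["client_data"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["sig"])


def legit_login(rp: RelyingParty, key: SecurityKey) -> bool:
    return rp.verify(browser_get_assertion(key, rp.origin, rp.new_challenge()))


def phishing_relay(rp: RelyingParty, key: SecurityKey) -> tuple:
    """Attacker proxies the real site's challenge to the victim on the look-alike page in
    real time. Returns (key_refused, server_accepted)."""
    response = browser_get_assertion(key, PHISHING_ORIGIN, rp.new_challenge())
    return response is None, rp.verify(response)


def forged_origin(rp: RelyingParty, key: SecurityKey) -> bool:
    """Even if the victim had enrolled the same key on the look-alike site, an assertion
    made there carries the phishing origin and rpIdHash, and the real server rejects it."""
    key.make_credential("bank-example.com")
    response = browser_get_assertion(key, PHISHING_ORIGIN, rp.new_challenge())
    return rp.verify(response)
```

The point of the two attack functions is that the real-time relay, which does defeat a TOTP code (the victim types the code into the fake page and the attacker forwards it), gets nothing usable from the key: there is no credential for "bank-example.com", and even a signature made for that domain names the wrong origin and the wrong rpId when the real server checks it.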

Some tips from my own personal love of YubiKey use:

1) Get a YubiKey cover off Etsy or from some small home 3D-print shop and keep it on there, it just keeps your key safe. Then put your key + cover on a lanyard (so you don't lose it, they're fairly small) and store it in a secret place that no one else can access (a safe would be ideal).
2) This YubiKey isn't something you keep with you 24/7; this is a highly secure special key that you should keep safe at home. If you're going on a business trip and might need it while you're gone, go ahead and take it, but leave it in a lock box or keep it packed away (not on you). This is not something to add to your everyday lanyard or keychain, because if someone gets a hold of it, even though it'd be really difficult to clone, the chance is always there.
3) Having a backup YubiKey that you set up on all of your important services is ALSO a great idea as a fail-safe. So have one that you use all the time, then follow the same steps and enroll a second one on your accounts. Keep that backup key stored away in a separate safe location in case some day you lose your main key.

Setting up 2FA/MFA Priority List

If you're setting up 2FA/MFA for the first time on your accounts, I made a list to help you prioritize which accounts to tackle first, especially if you've been targeted by abusers.

Critical: Your current and previous Apple ID/Samsung ID and any other cloud/phone login IDs first!
Highest Priority: ALL of your old emails next, then anything you know is compromised (settings being changed, etc.).
High Priority: Financial (PayPal, Venmo, Cash App, 401k, investments, anything work related, cryptocurrency; if you were compromised you will need to move your crypto portfolio to a new wallet), banks, utilities, government websites, healthcare, medical, social media, rent portals, USPS Informed Delivery, online security cameras (we'll talk more about these shortly), etc.
Medium Priority: Apps you love, whatever you use every day, gaming service logins, streaming services, online shops, Amazon (especially if it's linked to devices that listen in on or monitor your home: Alexa, anything voice activated, cameras, etc.), grocery stores, delivery services, etc.

Low Priority: Random one-time-use logins on websites you bought something from once, an app you tried for a week, rewards memberships, etc. If you still care about these, definitely reset them, but they're not emergency-reset level. Save them for later when you're scrolling down your saved logins list.

2FA/MFA: Minorly Annoying, Majorly Secure

Having a few extra steps to log into your accounts might seem annoying, but honestly you get used to it really fast, and every single time you do it you'll be reminded of how secure you've made your systems. Investing in your own peace of mind is absolutely worth it, you won't regret it!
