You know the old saying “less is more”? When it comes to securing your digital life, that phrase couldn’t be further from the truth.
Do you remember the passwords for all of your different accounts? If the answer is yes, that probably means many of them are identical, or a variation of the same combination of letters and numbers. If that describes your situation, stop reading this article and go set up a password manager right now.
Even if you’ve got different, secure passwords for every account, however, you’re not done yet. Data breaches are depressingly common, with a new one hitting the headlines every week or two. Unencrypted Wi-Fi connections, malware, and even someone snooping over your shoulder in a cafe can all expose your login details to people who shouldn’t have them.
You need something else, some kind of tool or technique that stops other people from logging in as you even if they have your account information. Fortunately, that tool exists.
Known as two-factor authentication (2FA), it’s a simple and effective way of adding extra protection to your online accounts. Despite becoming increasingly common in recent years, however, many people still don’t really understand what it is or how it can protect them, so they don’t bother setting it up.
If that sounds like you, read on!
What Is Two-Factor Authentication?
Two-factor authentication uses two different approaches to confirm your identity when logging into an app, website, or computer system. These two approaches are usually broadly defined as “something you know” and “something you have.”
The “something you know” is your password or PIN. It’s a combination of letters, numbers, symbols, etc., that in theory only you should know.
It’s the way we’ve typically protected our accounts for decades, but it has some obvious drawbacks. Creating and remembering strong passwords isn’t easy (at least if you’re not using a password manager), and data breaches happen all the time.
If anyone gets hold of your password, they can easily log in as you. Even worse, since people often reuse their usernames and passwords, a breach of one website can open the door to many others.
Increasingly, you’ll find mobile devices replacing “something you know” with “something you are.” In other words, they’ll use a fingerprint or facial scan for the first part of the authentication instead of entering a password. That approach is more convenient, but no more (in fact, arguably less) secure than a strong password.
That’s where the second part of the equation comes in: “something you have.” This second factor takes different forms, but the theory is the same: you need to enter a one-time code along with your password. Since only you should be able to generate that code, other people can’t log in as you even if they know your password or fake your fingerprint.
The end result? Stronger security and better protection of your data, albeit with some challenges for travelers.
Types of Two-Factor Authentication
An increasing number of apps and sites now let you enable two-factor authentication, and many of those holding sensitive information (like online banking) require it.
In the past, this required carrying a physical object around with you. Often it was a key fob or credit card-sized device that displayed a changing code. This approach can still be found today, especially from traditional banks. Have two bank accounts? You need two authenticators. Three accounts? You get the idea.
Easy to break and easier to lose, this approach is inconvenient at the best of times and a real problem for travelers. Get caught in the rain or misplace your bag, and you’re locked out of online banking until you get back home.
These days, two-factor authentication is more likely to make use of a device you probably already own: a phone, ideally of the smart variety. Codes are generated via an authentication app or sent via text message, and are typically only valid for a few minutes.
The big advantage for travelers here is that a single device can receive or generate codes for any number of different services. There’s no need to keep track of a handful of different key fobs.
One final alternative is a hardware device that plugs into your phone or laptop. The most common version is the YubiKey, although other vendors offer similar products.
Able to support multiple services, it’s an interesting and secure approach. For travelers, though, it’s again another small gadget to lose or break that’s difficult to replace while traveling. In general, it’s a better option for people who don’t travel regularly than those who do.
Drawbacks to Text-Based Two-Factor Authentication
Receiving authentication codes via SMS can be convenient, and works with pretty much any phone, but it’s not without its problems. Some of these issues apply to anyone using text-based 2FA, while others are specific to international travelers.
To start with, there have been several cases of hackers using technical flaws or social engineering to receive two-factor text messages intended for someone else. This is a targeted attack that’s unlikely to affect most casual travelers, but is a security problem nonetheless.
The bigger issue for travelers is receiving text messages while overseas. You’ll need a working phone and an affordable roaming plan, and even then, reliability is a problem. Text messages often show up late or not at all when you’re roaming on an overseas network, and there’s nothing you can really do about it.
This assumes, too, that you’ll keep using your home number when traveling, which many travelers don’t. Local prepaid SIM cards are typically much cheaper than roaming if you’re in a country for any length of time.
If you’re using a local SIM, though, you’ll need to keep swapping back to your home SIM every time you need to receive an authentication code unless you have a dual-SIM phone or carry a second phone.
One partial solution is to get a new Google Voice number, or port across your existing number if you’re US-based. As long as the services you use accept a US number, you’ll be able to receive calls and texts via the app or website anywhere you have an internet connection.
It works pretty reliably, although we’ve had the occasional issue with texts from certain companies never arriving. It’s a good option if you’re traveling long term and your bank, etc., doesn’t support app-based authentication.
Why App-Based Two-Factor Authentication Is Better
There is a better way of handling two-factor authentication than SMS and Google Voice, however: a dedicated app.
Two-factor authentication apps link with your accounts on services that support them. Any time the service requires a code, the app creates one for you to enter. The codes rotate constantly, are typically only valid for a minute or so, and are available even if your device doesn’t have internet access at the time.
There are several of these services on the market now, with Google Authenticator being the most widely used. However, newer players are slowly gaining ground, with some offering features that make them a better choice for travelers.
Authy, for example, goes where Google Authenticator doesn’t: your desktop. Unlike Google’s version, Authy supports multiple devices. If you happen to lose your phone or drop it in the bath, you’re not locked out of all your accounts. Having had that happen to us, we consider Authy’s approach a godsend.
Similar alternatives include Duo Mobile, SAASPASS, and LastPass Authenticator.
Which Services Support Two-Factor Authentication?
The number of apps and websites that support two-factor authentication continues to grow. If you’re looking for details on how to set it up, we’ve linked to the instructions for several popular services below.
- Google – information page
- Dropbox – information page
- Facebook – information page
- LastPass – information page
- Amazon Web Services – information page
- WordPress – information page for plugin
- Drupal – information page
- PayPal – information page
- WhatsApp – information page
- Instagram – information page
- Uber – information page
- Squarespace – information page
- TransferWise – information page
- Twitter – information page
- Microsoft – information page
- Dashlane – information page
- Apple – information page
- LinkedIn – information page
- Snapchat – information page
This is by no means an exhaustive list, since the number of sites that support (and sometimes even require) two-factor authentication gets longer by the second. Feel free to complete it with services of your own!