Get started with two-factor authentication (2FA)
- 25 Apr 2023
- Edited 28 Mar 2023
Your username and password are like a goldmine to a cybercriminal. Having these lets a cybercriminal log into your account and easily rob and scam you. Adding an extra lock makes it harder for cybercriminals. Two-factor authentication (2FA) is an excellent example of this. Two experts advise you on where to start.
Two-factor authentication, multi-factor authentication, two-step verification, or even 2FA or MFA. All these names cover the same idea: in addition to your password, use an extra way to prove that you really are the owner of your account. To log in, you not only need your password but also, for example, your fingerprint, a code that you receive via text message, or a separate app.
Why is 2FA important? “Because the passwords we use are not always secure,” says cybersecurity expert Erwin Hasenpflug of the Digital Trust Center (DTC). “It is difficult to use a unique, strong password for every account. Unfortunately, we know that the name of our favourite football club is still high on the list of commonly used passwords, and that people reuse passwords on different accounts.” If cybercriminals get to your accounts through these vulnerabilities, they can steal data or money. With 2FA you put an extra lock on your account.
From text messages to a keyring
2FA comes in many shapes and sizes. In online banking, it is normal to need a security code after using your password. Accounts on major platforms such as Google and LinkedIn are also secured with an SMS code or via an app. You can also sometimes use your fingerprint. There are several free and easy-to-download authenticator apps for your phone. And there are physical devices or USB ‘keys’ that you hang on your keyring. Do you want to log in to an account? Then insert the key into the USB port of your laptop.
Which 2FA should you choose?
Which type of 2FA should you choose? “It does not matter which type you choose,” says Hasenpflug. “But if you can arrange two-factor authentication, do so. Yes, receiving a code via SMS is less secure than an authenticator app. An attacker can intercept a text message by taking over the phone number by SIM swapping. But 2FA via SMS is still more secure than with just your password. It takes extra time to log in, which is a disadvantage. But those few seconds are more than worth the extra security.”
Start with your email account
It is safest to set up 2FA for as many accounts as possible. But that takes time and effort. Where do you start with multi-factor authentication? “Start with your email”, advises Hasenpflug. “If criminals have access to your email, they can reset all your accounts. You use your email address as a username almost everywhere, from Facebook to your accounting package. So, make sure your email account is extra secure.”
2FA and VPN
If you are going to use 2FA, you may run into problems. What if your IT admin says your secure VPN connection does not work with 2FA? “Logging in via two-factor authentication and working via a VPN connection can go together”, says Hasenpflug. “But maybe your IT service provider needs to adapt systems if you want to use both. Talk to your IT service provider first about what exactly you want to secure, and then about what you need to do that.”
Phone not working
Sometimes you discover a disadvantage of 2FA when it is too late. For example, what if your phone falls in the water or breaks? Then you can no longer receive codes via the authenticator app or SMS, so you can no longer log in to your account.
Evelien Bras, the owner of security company The Cyber Partners and director of security foundation FERM, has a tip. “Most mobile phone operators offer duo sim. That is a second SIM card for the same phone number. Put that second card in your drawer. Or even better, in your safe. If your phone falls in the water, you will be up and running again in no time!”
Are you using 2FA via an authenticator app on your phone? Remember that the app is linked to that particular phone. If your phone falls in the water, you can no longer use the app to log in to your accounts. Installing the app on a new phone is useless because the app is linked to the device that is in the water.
Bras recommends checking in advance how to restore the app when choosing an authenticator app. “The authenticator apps I know each have their own recovery mechanism. Such a recovery mechanism is, for example, a backup in the cloud, or works via recovery codes that you can keep in a secure location.” You write down the recovery code and put it in a secure location, for example, a safe. If your phone breaks, you can use the recovery code to link your authenticator app to a new device.
Do not forget
Two-factor authentication is a fairly simple way to make your accounts more secure.
Read this summary of the most important tips from Hasenpflug and Bras:
- Can you use 2FA for an account? Do it.
- Any form of 2FA is safer than no 2FA.
- To get started, set up 2FA for your email account.
- Check the options for recovery codes or another recovery option.