I've been stressing two-factor authentication (2FA), or two-step verification, in my early columns here at Private I, because I believe most people avoid using this extra protection for their accounts due to the fuss and management, and may think it will lock them out of access or require an extra step when it's unnecessary.
But 2FA isn't an obstacle course with bottomless pits. It's more like a flu vaccination. If you're not feeling ill and aren't worried about getting sick, you might skip the inoculation. That does you a fat lot of good when you're laid up for two weeks with aches and fevers from one of the strains covered by the current shot--and you've infected all your coworkers.
Likewise, as with backups, the precaution doesn't feel good at all--it's only when you could have had your account cracked, and didn't, that you feel the sweet relief. When you begin to receive a series of password-reset messages, secure in the knowledge that without that second factor someone can't get into your account? When you hear about a rash of password cracks and you're not affected? It's a balm.
Modern 2FA systems aimed at consumers and small businesses, and many for enterprises, avoid the use of keyfobs and other hardware keys--having to carry around those doodads is certainly a reason people avoided 2FA in the past. Among other things, you typically needed one per website or company! I still have eBay/PayPal and stock-trading doohickeys, and while I haven't lost them, it's a thing I have to keep track of and keep secure. Instead, most services either require or offer as an option the use of an authentication app that creates a limited-use code.
Apps trump SMS
Google offered one of the first widely used such apps, Google Authenticator, to allow average people to make use of 2FA without relying on SMS transmission. SMS is not considered highly secure: there are a number of ways for people or institutions to intercept SMS, whether over the air or through centralized systems. (I wrote last week about how SMS forwarding in Yosemite with Continuity will send second-factor SMS codes to any Mac or iOS device logged into the same iCloud account and with that feature enabled. In limited cases, it elevates risks, and you can easily mitigate them.)
Those risks are minimal or nonexistent for most (not all) of us, but SMS has a lot of limits and quirks. I've sometimes seen messages show up 30 minutes after a service apparently sent them, or never. If you travel outside of your home cellular service country or region, you might pay a small fortune for each text, or be unable to receive SMS at all. You might be somewhere rural with Internet service and no cell coverage, which has happened to me a surprising number of times on vacations. Authentication apps are a good alternative for all these reasons.