It's been literal years that 2FA (two-factor authentication) has been a thing, and yet people still aren't using it. "It's too much of a hassle" - Friend whose Epic Games account was hacked by a Russian player. I don't understand how it's more of a hassle than recovering a stolen account.
Authy is a 2FA application that helps lock down your accounts online. A lot of us use Twitch.tv and they support Authy. Heck, a lot of places do! Generally, anywhere that tells you to go download the Google Authenticator supports Authy as well. I don't use the Google Authenticator anymore as Authy does it all and better.
So how does 2FA actually work? There are different kinds of 2FA. Sometimes the service will send an email to you with some codes. You then have to provide the codes back to the service. For instance, on Epic Games I have the email 2FA set up (who cares about Epic anyway). Essentially, I log in using my email address and password. They then ask for the code which they sent to my email. I go to my email and copy/paste it into the Epic launcher and I am logged in. The other kind of 2FA, the one this article is going to talk about, is an authenticator app. You scan a QR code that the service gives you. From there Authy will add it to your account. Then you get your codes from the Authy app. They change every 30 seconds.
So you might be asking why this is helpful. Simply put, a lot of the "hacking" today is done via password dumps around the internet, for example when a company is breached and the passwords are placed on the internet for anyone else to use. What malicious users do now is repeat those credentials around the internet to gain access to your account. Credential stuffing is a well-known tactic that is used to accomplish this. Let's say you use the same password for your Facebook account as you did for some Mom and Pop shop website. Well, turns out the Mom and Pop shop's website was breached. They know your login credentials to the Mom and Pop shop, and now they will try those credentials on anything they can think of. They hop over to Facebook and the credentials work. Great, so now they try other accounts as well, say your banking account. That worked too, so that's fun!
If you had 2FA on the Facebook and bank accounts then the malicious users would not have gotten through. Facebook or the bank would have asked for the 2FA code, and that changes every 30 seconds, so there is no way that the hackers should have access to that. (It's not impossible, but you aren't as important as you think you are.) This stops them dead in their tracks and your account is safe.
Above is what the application looks like when fully set up. As you can see on the image of the phone, there is a token (2FA code) for Facebook. When you log in to Facebook it will ask for the token, and then you provide it. You can see that the token expires in 13 seconds. When that happens you will be provided a new token. Sometimes it's best to wait for it to refresh instead of trying to log in with 5 seconds left. Below that are the other 2FA accounts that are synced with Authy for this user. If you need some help getting it set up, make sure you check out the Authy Guides.
Once you have 2FA set up, it is extremely important that you do not reuse any of the credentials for the account. You have to treat this like a bank account. This is a layer of security to keep people out of all your stuff, even including your bank account. It's not something you want to just hand out. Keep it safe and let it keep you safe.