- 2FA requires a second proof beyond your password. Usually a code from an app or a hardware key.
- App-based codes (TOTP) are far safer than text-message codes. SMS can be intercepted.
- Hardware keys like YubiKey are the strongest option for high value accounts.
- Microsoft research suggests MFA blocks more than 99% of automated account takeover attempts.
A strong password is a good lock. Two-factor authentication is the second lock. If a thief picks the first, the second still keeps them out.
This sounds obvious, but the data shows most people still rely on a password alone. According to Microsoft research, multi-factor authentication blocks more than 99% of automated account takeover attempts. It is the single highest-leverage security upgrade available to a normal user.
Here is how it works, what types exist, and which ones to actually use.
The basic concept
Authentication works on three categories of proof:
- Something you know: a password, a PIN, the answer to a security question.
- Something you have: a phone, a hardware security key, a chip card.
- Something you are: a fingerprint, a face scan, a voiceprint.
Single-factor authentication uses one of these. Two-factor authentication, or 2FA, requires two from different categories. Multi-factor authentication, or MFA, is the broader term that covers two or more.
The reason this works is simple. A stolen password is a thing the attacker knows. To get past 2FA, they also need something you have. That second factor is much harder to steal at scale.
The types of 2FA, ranked
Hardware security keys (best)
A small USB or NFC device, like a YubiKey or a Google Titan Key, that you tap or insert to log in. Built on the FIDO2 and WebAuthn standards. Phishing resistant by design, because the key cryptographically verifies the actual website you are signing into. A fake login page cannot harvest a response that the real site would accept.
The downside: you have to carry the key, and you should have a backup. They cost about $35 to $80 CAD per key. Best for high value accounts: email, banking, password manager, government portals.
Authenticator apps (very good)
Apps like Authy, Google Authenticator, Microsoft Authenticator, and 1Password generate a six-digit code that changes every 30 seconds. The technical name is TOTP, time-based one-time password.
The secret is shared with the service once, at setup. After that, the codes are computed on your phone and never travel over a network until you type them, which means they cannot be intercepted in transit. They work without cell service. They are free.
The main risk is phishing. If you type your TOTP code into a fake site, the attacker can use it within the 30-second window. Hardware keys solve this by tying the proof to the real domain. App-based codes do not.
Push notifications (good, with caveats)
Some services send a push notification to your phone asking you to approve a sign-in. Convenient, harder to phish than codes you type, but vulnerable to MFA fatigue, where attackers spam you with prompts hoping you tap approve out of frustration.
If you use this, get into the habit of denying any prompt you did not initiate.
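From the service's side, MFA fatigue is easy to spot in the authentication log: one account receiving a burst of push prompts that nobody approved, sometimes followed by a single approval. The example below is added here and is not from the article or any particular vendor; the log format, the event names (`push_sent`, `push_denied`, `push_approved`), the sample lines and the threshold of five prompts in ten minutes are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): timestamp, user, event.
SAMPLE_LOG = """\
2024-05-01T09:00:02Z alice push_sent
2024-05-01T09:00:09Z alice push_approved
2024-05-01T21:13:01Z bob push_sent
2024-05-01T21:13:40Z bob push_denied
2024-05-01T21:14:05Z bob push_sent
2024-05-01T21:14:50Z bob push_sent
2024-05-01T21:15:31Z bob push_sent
2024-05-01T21:16:02Z bob push_sent
2024-05-01T21:16:45Z bob push_sent
2024-05-01T21:17:10Z bob push_approved
"""


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag users who received at least `threshold` push prompts inside `window`.
    Returns {user: {"prompts": n, "approved_after_burst": bool}} so an analyst
    can tell a merely noisy account from one that was likely worn down."""
    recent_sends = defaultdict(list)
    flagged = {}
    for ts, user, event in events:
        if event == "push_sent":
            # keep only prompts still inside the sliding window
            recent_sends[user] = [t for t in recent_sends[user] if ts - t <= window]
            recent_sends[user].append(ts)
            if len(recent_sends[user]) >= threshold:
                entry = flagged.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(recent_sends[user]))
        elif event == "push_approved" and user in flagged:
            flagged[user]["approved_after_burst"] = True
    return flagged


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['prompts']} prompts, approved after burst: {info['approved_after_burst']}")
```

An account that shows up with `approved_after_burst` set is the one to treat as compromised until proven otherwise: the approval is the attacker's win, not the user's sign-in. The same burst with no approval is still worth a password reset, since the attacker only gets prompts if they already hold the password.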
SMS codes (better than nothing, not great)
A code texted to your phone. The most common form, because it requires no setup beyond having a number. Also the weakest.
SMS can be intercepted via SIM swapping, where an attacker convinces your carrier to move your number to their device. It can also be redirected through telecom signalling vulnerabilities. The Canadian wireless carriers have improved their controls in recent years, but SIM swap attacks still happen.
Use SMS only when nothing else is available, and treat it as a stopgap until you can switch.
The order of preference: hardware key, then authenticator app, then push notification, then SMS, then nothing. Move up the ladder wherever you can.
Where to turn it on first
You do not have to enable 2FA on every account at once. Start with the accounts that, if compromised, would unlock everything else:
- Your primary email. If an attacker controls your email, they can reset every other password. This is the master key.
- Your password manager. Same logic. Lock it tight.
- Your bank and government accounts. CRA, Service Canada, your provincial portal.
- Anything financial: investment accounts, cryptocurrency exchanges, payment apps.
- Social media. Account takeovers here are used for fraud against your contacts.
This list of five covers most of the realistic damage someone could do with a stolen password.
Recovery codes are not optional
Every service that offers 2FA also provides recovery codes, a set of one-time-use backup codes you can use if you lose your second factor. Save these.
The right place is your password manager, in the secure note attached to the account. The wrong place is an unencrypted text file on your desktop or a screenshot on your phone.
If you ever lose your phone or your hardware key without recovery codes, you may be locked out of accounts permanently. This is the most common reason people give up on 2FA after enabling it. Set up recovery from day one.
The Canadian context
The Canadian Centre for Cyber Security recommends multi-factor authentication as a baseline control for all individuals and businesses. The federal government's Sign In Canada service supports MFA on most departmental portals.
The CRA's My Account specifically requires multi-factor for new sign-ins, a control rolled out after the 2020 credential stuffing breach that affected over 11,000 taxpayer accounts. Most major Canadian banks now require it for online banking. If your bank does not, ask why.
2FA is your second lock. The first lock still needs to hold. Generate a unique 20-character password for each protected account.
Common objections
It is annoying. The first week, yes. After that, the prompts feel routine. Most apps remember the device for 30 days, so you are not entering a code on every login.
What if I lose my phone? This is exactly what recovery codes are for. Some authenticator apps, like Authy and 1Password, also sync your codes across devices.
What if 2FA is not offered? Then the account is more vulnerable, period. Use a stronger and more unique password there, and watch the account closely. We cover detecting compromise in how to check if your password has been leaked.
The takeaway
Two factor authentication turns a password breach into a non event for most accounts. The setup takes about 15 minutes per account. The protection lasts as long as the account exists. There is no other security control with that ratio.
Start with your email. Add your password manager next. Then work down the list as you have time. Within a month you will have closed the most common attack path against the average user.