Two-factor authentication (2FA) is the process of using two different ways to log in to a digital account, allowing journalists to better protect the information it contains. In this article, Reporters Without Borders (RSF) describes the different types of 2FA and how they can increase a journalist’s digital security.
Two-factor authentication (2FA) is a security setting that requires a second step of verification to log in to a digital account in addition to the usual password, such as a PIN code sent by a text or email. This is a stronger form of protection because even if someone has access to one’s password, they cannot log in without completing the second step of verification.
For journalists, losing access to their digital accounts can mean losing their work and evidence, and potentially compromising the safety of their sources and other contacts. It is therefore recommended that 2FA be activated for all digital accounts that offer the option, which includes most of the popular services like Google, Facebook, Slack, and X (Twitter).
Using 2FA in addition to a password manager, a service which makes using unique, complex passwords much more manageable, journalists can achieve a very high level of digital security. Moreover, using different types of 2FA for different digital accounts also reduces the likelihood of any one method being compromised. Below are the various types of 2FA commonly used.
1) Using a phone number to receive a login code via text
This is probably the most common type of 2FA. Services will request a phone number from the user, and whenever they log in with the password, the service will send an SMS text to that phone number with a code to verify. This prevents anyone who does not have access to the user’s phone from logging in. Some may be hesitant to provide their phone number to digital apps and websites; however, this is a common misconception. Otherwise, there are code generator apps and physical methods to enable 2FA without providing a phone number.
2) Using the services’ own mobile app to verify the user
Some services, such as Google or many banking services, run their own app. If a journalist has the mobile app installed on their phone and someone attempts to log in to their account through a computer, a notification will pop up on their phone, as 2FA will require them to open the mobile app to confirm whether the login attempt is from them.
3) Using a code generator app
2FA can also take the shape of a QR code to scan during the login process that will redirect a user to a “code generator app” on their phone with an account that is unique to them. These code generator apps, or authenticator apps such as Google Authenticator or LastPass, are tools that continuously generate unique and temporary PIN codes to serve as a second credential after the password.
4) Using a physical key — “Universal Second Factor” (U2F)
This method is new and more secure. Journalists can set up a USB drive, or a wireless NFC (near-field communication) device such as a smartwatch or smartphone, to serve as a physical form of 2FA. This is called “Universal Second Factor” (U2F) and it uses the same technology as contactless payments that works only through proximity contact to a machine. In this case, the USB or NFC device has to be plugged in or be in range when the user enters their password, or the login will not work. This method is not widely offered yet, but Google, Facebook, and Dropbox all offer it.