T-Mobile has spent the last week doing damage control after the wireless carrier admitted it’d been hacked. Thus far, T-Mobile has discovered that 54 million customers have had their personal information accessed, including names, addresses, birth dates and Social Security numbers.
Whenever breaches like this happen, it’s common to wonder what more you can do to protect your personal information from scenarios that could expose it to hacking and fraud. The answer is: a lot. Start by creating and using complex passwords stored in a password manager, and then enable two-factor authentication for every account you have that supports it. You should also check to see if your account passwords are already on the dark web, and then change them; again, use a password manager.
Two-factor authentication may sound technical, but while it can be time-consuming to set up for every account, it’s simple enough. Below I’ll explain what two-factor authentication is and how it works, offer some best practices and provide a shortlist of popular websites that support this added layer of security. Trust me, it’s worth it.
What is two-factor authentication?
Two-factor authentication (also sometimes written as 2FA) is also commonly referred to as two-step verification or multifactor verification. For simplicity’s sake, I’m going to refer to it as two-factor authentication or 2FA for the duration of this post.
Think of two-factor authentication as an extra layer of security for your online accounts. If you’re not using 2FA on an account, your login process involves entering your username and password, and that’s it. Two-factor authentication adds an extra step to that process. First, you’ll enter your username and password, then you’ll be asked to enter a one-time passcode (sometimes also called an OTP) which is typically a six- to eight-digit number. You obtain that number, which changes every 30 to 60 seconds, via an app or a text message.
Once you’ve entered that code, only then are you granted access to your account.
Effectively, a would-be bad guy would need to know your username and password and have taken over your phone number or have physical access to your phone and your authenticator app of choice to sign in to your bank’s website or your email account. There’s still something to keep in mind, though.
Don’t use SMS to retrieve your codes. Use an app instead
When two-factor authentication first started to roll out to various websites and services, nearly all of them only supported sending your one-time password via text message. And while that’s a convenient and easy way to receive your codes, it’s also wildly insecure due to SIM swap fraud.
SIM swap fraud occurs when someone calls your wireless carrier impersonating you and convinces the employee to change the SIM card linked to your phone number. With all your incoming calls and text messages now being routed to someone else’s phone, they can sign in to any online account of yours that’s been part of any sort of data breach or hack.
Making matters worse, breaches like the recent T-Mobile one exposed not only enough of a customer’s personal information for anyone to impersonate you when they call customer care, but also the PIN codes that customers added as an extra security step.
See how quickly things can spiral out of hand if you’re using text messages to receive, say, your bank’s 2FA codes?
If at all possible, use an authenticator app like Google Authenticator or a password manager to generate your 2FA codes.
I use a password manager to create and store all of my account passwords, along with my one-time passwords. The app not only lets me know when a new service supports two-factor authentication, but it also will copy and paste the code when I’m logging in to an app or website, making the entire process of using 2FA painless.
In addition to being more secure, an app doesn’t require an active internet connection to show you the current code assigned to your account. That means if you’re traveling and on a plane, you can still access your code — something you can’t do if you have to receive it via SMS.
But two-factor authentication seems like a hassle!
You’re right, to some extent 2FA is a hassle. But it could be worse. The longest part of the process is getting it set up for all the online accounts you have that support it. After that, waiting for a code via text message or opening an app to read the code is a breeze, and it will quickly become part of your normal routine.
I don’t particularly enjoy using two-factor authentication, especially on my Apple account because it sends an alert to every single device I own, but I do it because it keeps my personal data and financial information secure. If someone were to gain access to my accounts, they could quickly wreak havoc with my personal and professional life, and it would take weeks or even months to put all of the pieces back together.
Don’t believe me? Read this story from CNET’s sister site ZDNet. Mobile contributor Matthew Miller had his T-Mobile SIM card swapped, and the perpetrator then quickly deleted his entire Google account, used $25,000 from his bank account to purchase bitcoin and locked him out of his Twitter account — and that was just in the first hour or so.
The small inconvenience of two-factor authentication will go a long way in keeping you from an even bigger hassle.
Don’t gloss over saving your recovery codes
When you go through the process of setting up two-factor authentication, you’ll be prompted to save a recovery code (or a series of recovery codes). DO NOT SKIP THIS STEP.
That recovery code is what you’ll use to get back into your account should something happen and you lose access to your two-factor authentication codes. It’s not something that companies like Apple take lightly. Without that code, your account is as good as closed, and with it all of the data it holds.
Hypothetically, let’s say you have your 2FA codes arriving via text messaging. After a fun night out with friends, you realize your phone is gone, and with it, access to your OTP codes. And the only way to sign in to your bank account or your carrier is with a one-time password, unless you have a recovery code.
Trust me, as someone who has had to use a recovery code a time or two, future you will thank present you for saving your recovery code.
I suggest saving anything related to recovery in a password manager and taking a screenshot of the code that you can store in a secure place, even if that means printing it out and keeping it in a file.
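To show why recovery codes are a real fallback rather than a second password, here is an added example of how a service can issue and redeem them: each code is random, is stored only as a salted hash (so a database leak does not hand out working codes), and is consumed on first use. This is illustrative code written for this page, not the implementation of Apple, Google or any other provider; the `RecoveryCodeStore` class, its code format and its count of ten codes are my own assumptions.

```python
import hashlib
import hmac
import secrets


def normalize_code(code: str) -> str:
    """Accept what a user might type from a printout: ignore dashes, spaces and letter case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_recovery_code(code: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalized code. Codes are high-entropy random values, so a
    single fast hash is sufficient here; a password-style KDF is for low-entropy secrets."""
    return hashlib.sha256(salt + normalize_code(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Per-account store of recovery-code hashes (in-memory stand-in for a database row)."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.hashes: set[str] = set()

    def issue(self, count: int = 10) -> list[str]:
        """Generate fresh codes, keep only their hashes, and return the plaintext once.
        Issuing new codes invalidates any previous set."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)                # 40 bits of randomness, 10 hex characters
            codes.append(f"{raw[:5]}-{raw[5:]}")      # printed form: xxxxx-xxxxx
        self.hashes = {hash_recovery_code(c, self.salt) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Return True and burn the code if it matches an unused one; False otherwise."""
        candidate = hash_recovery_code(code, self.salt)
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):   # constant-time comparison
                self.hashes.remove(stored)               # single use: remove on success
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue()
    print("Save these now; they will not be shown again:", codes)
    print(store.redeem(codes[0]))   # True, first use
    print(store.redeem(codes[0]))   # False, already burned
    print(store.remaining())        # 9
```

The `remaining()` count is worth surfacing to the user: when it gets low, the service should prompt for a new set before the account is left without a way back in.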
Instructions for two-factor authentication on popular websites and services
Here are the links to either the proper account settings page to set up 2FA, or to the appropriate support page detailing how to enable 2FA for popular companies and websites. If a company isn’t listed below, I recommend searching for the company name with two-factor in the query (e.g. “Facebook two-factor”).
- Google (Click Get Started at the top of the page, log in to your account and then follow the prompts.)
- Amazon (Go to Login & Security, click the Edit button next to Two-Step Verification and follow the instructions.)
- Slack (Sign in, click Expand next to two-factor authentication and select Set up two-factor authentication.)
The website 2fa.directory has a searchable database with direct links to the appropriate support page for many websites. You should also take some other steps to protect your personal info, and here’s what you can do to limit the chances of experiencing SIM swap fraud yourself.
Source from www.cnet.com