IT security at the University of Bern

Two-factor authentication: Do you already use two steps?

For email, Facebook, Ricardo, etc., you log in in one step by entering a password. But what if your password is stolen? With a second step enabled, a stolen password alone is no longer enough to get into your account.

Step 1: something you know

When you log in to one of your accounts, you are asked to enter a password that only you know. Your password proves that it's really you trying to access your profile, pictures, or credit card account. That's why your passwords should be strong and unique.

Step 2: something you have

Passwords can be stolen. Therefore, most service providers such as Facebook, Google, or Instagram have introduced two-step authentication. The second step double-checks that it's really you trying to access your account. It can involve a smart card, a card reader, or, typically, an app: that is something only you have.


Information on the second step

It is actually quite simple: instead of just entering your password (something you know), you are asked for an additional code that is generated on, or sent to, a second device (something you have), typically an app ("authenticator app") on your smartphone.

To enable this second step, you need to make some changes to the settings of the account in question.

Be aware that the wording often differs: sometimes you’ll need to look for "two-factor authentication" (Facebook and Twitter), other times for "two-step verification" (Google).

An authenticator is the means used to confirm the identity of a user.

An authenticator app is an application for your smartphone that does just that: it generates short-lived one-time codes (typically a new six-digit code every 30 seconds) that you are required to enter in addition to your user name and password. The codes are not random: they are computed from a secret that the app receives when you connect it to your account (Facebook, LinkedIn, etc.), which is why that secret must stay on your phone.

Set up two-factor authentication:

  1. Download an authenticator app to your smartphone from an official app store.
  2. Check the personal settings of your account and look for information on how to set up two-factor authentication.
  3. Enable the second step. Once enabled, you’ll be shown a QR code. It contains the secret from which your codes are computed, so treat it like a password: do not photograph, screenshot, or share it.
  4. Open the authenticator app and add a new account.
  5. Scan the QR code.
  6. Confirm by entering a code from the app. If the service offers backup or recovery codes, store them somewhere safe: they are your way in if you lose your phone.
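What the QR code actually hands to the app, and how the app (and the service) turn it into the six-digit codes, is shown below. This is an added example and not code from the University of Bern page; it implements the standard TOTP scheme (RFC 6238 on top of RFC 4226). The otpauth URI, the issuer "UniBern" and the account "alice" are constructed for illustration; the secret inside it is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
"""Added example (not part of the University of Bern page): how an
authenticator app turns the secret from the QR code into the six-digit
codes you type in, following RFC 6238 (TOTP) on top of RFC 4226 (HOTP).
The otpauth URI below is constructed for illustration; its secret is the
RFC 6238 test key, so the codes can be checked against the RFC's vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a TOTP QR code encodes (issuer/account are made up).
SAMPLE_URI = (
    "otpauth://totp/UniBern:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=UniBern&digits=6&period=30"
)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Extract and Base32-decode the shared secret carried by the QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parts.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore padding that QR codes usually omit
    return base64.b32decode(b32)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the code for the time window containing unix_time.

    Both the phone and the server run exactly this: HMAC-SHA1 over the
    window counter, dynamic truncation to 31 bits, then the last `digits`
    decimal digits. Nothing here is random; whoever holds the secret can
    produce every code, which is why the QR code must not be shared.
    """
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current window and `window` neighbours
    on each side to tolerate clock drift, comparing in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, step=step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    key = secret_from_otpauth_uri(SAMPLE_URI)
    # RFC 6238 test vector: key "12345678901234567890", t=59 -> 94287082
    print(totp(key, 59, digits=8), totp(key, 59))
    print(totp(key, int(time.time())))  # what the app would show right now
```

The point to take from the code: the phone never talks to the service when it shows a code. Both sides hold the same secret and the same clock, so the second factor is only as secret as that QR code and the phone it was scanned into.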

The most frequently used authenticator apps:

If you already use a password manager, check whether it can also act as an authenticator app (Bitwarden, for example, can). This way, you can manage all login information for your accounts in one place, and if the password manager synchronizes its database across multiple devices, you won't be tied to a single phone as your authenticator. Be aware of the trade-off, though: the password and the second-step secret then sit in the same vault, so anyone who gets into the vault has both factors. Protect the vault with a long master password and its own second step, and keep the authenticator for the password manager itself on a separate device.

Why take the second step?

Protect your reputation

Criminals can steal your account details and thus your identity. Acting on your behalf, they can send messages to your contacts containing a link to a shady or even fraudulent website. Without your knowledge, your friends and colleagues at work may receive a message from you inviting them to buy super cheap sunglasses or watch a hot video.

Protect your money and your friends

Data is valuable. Criminals make a lot of money trading it. Among other things, your stolen data is used for the following purposes:

  • to steal money from you,
  • to take over your identity to steal more data and money from your contacts, or
  • to use your accounts to do illegal business.

Which are your important accounts?

The most important accounts deserve the best security possible. What could be your most important account? E-banking, of course! But with your e-banking account, you already use two steps to log in. Other accounts deserve the same protection; here are some examples:

If you forget a password for Facebook or Ricardo, you will receive an email to confirm that it's really you trying to set a new password. Think about it: anyone with access to your email account could set new passwords for your other accounts and gain access to them, locking you out in the process. Your email account is therefore the one to secure first.

Your profile is visible to your friends, co-workers, and even the public. Anyone with access to your account can mess with your posts or send messages to your contacts without your knowledge, seriously damaging your reputation in the process.

If you have a website and are editing the content, anyone with access to your content management system (WordPress, Joomla, Wix, etc.) can modify or even delete your website.

Ask yourself: If you lost control over or access to your data or an account of yours,

  • could your (or your contacts’) reputation be damaged?
  • could you or your contacts lose money?
  • would it take a lot of time and effort to restore the data or your account?
  • could other accounts be affected?