Use Two Factor Authentication

The online world is a dangerous place, and the need for user authentication methods beyond the traditional username and password combination has become critical to your online security.

Two Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA) or 2-Step Verification, adds an extra layer of security to your account in case your password is compromised.

With Two Factor Authentication, a user logging in first enters their username and password as normal but, instead of immediately gaining access, is then required to provide another piece of information (the second factor).

This second factor could come from one of the following categories:

Something you know: This could be a personal identification number (PIN), a password, answers to "secret questions" or a specific keystroke pattern

Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token

Something you are: This category is a little more advanced, and might include the biometric pattern of a fingerprint, an iris scan, or a voice print

A good example of two factor authentication is something most of us are familiar with: withdrawing cash from a cash machine or ATM (Automatic Teller Machine). Two things are required for a withdrawal to be approved by your bank: your valid credit or debit card (Something you have), and your 4-digit PIN (Something you know).

Common types of Two Factor Authentication in use today include:

Hardware Tokens are small devices, similar to a key fob, that produce a new numeric code every 30 seconds. When a user tries to access their account, they look at the device and enter the displayed 2FA code into the site or app. Some can automatically transfer the 2FA code when plugged into a computer's USB port.

SMS Text-Message and Voice-based 2FA interact directly with a user's phone. When a user tries to access their account, the site or app sends the user a unique OTP (one-time pass code) via a text message, or automatically calls the user and delivers the OTP by audio. This is considered to be the least secure way to authenticate users, but any 2FA must be better than none.

Software Tokens are software-generated, time-based, one-time pass codes and are the most popular form of two factor authentication. Users install a 2FA app on their smartphone or desktop and use the app with any site or app that supports this type of authentication. When a user tries to access their account, the app displays a 2FA code similar to that produced by Hardware Tokens. The user then enters the displayed 2FA code into the site or app. 2FA apps are available for desktop, mobile and wearable platforms, and some even work offline.

Push Notifications for 2FA are more user-friendly. Websites and apps send the user a push notification that an authentication attempt is in progress; the device owner simply views the notification details and can approve or deny access with a single touch, with no additional interaction required.

We recommend the Software Token 2FA approach. There are many authenticator apps to choose from, including apps produced by Apple, Google and Microsoft. Our preference is Authy, which works on all of our devices, integrates with the Bitwarden password manager and allows multiple devices.

Visit the Authy website for details.
