Guide to stronger passwords, Part 1 (two-factor authentication)


This is Part 1 of our stronger password series. For the other parts, click below:

Part 2 (Password Managers)
Part 3 (Diceware)

ExpressVPN has written a three-part series in which we highlight three easy ways to make your accounts more secure.

The first part (this one) is all about two-factor authentication (2FA). Two-factor authentication is a great way to make your accounts and services more difficult to break into by creating a secondary password that is only valid for a short amount of time.

Part 2 focuses on password managers. We present three password managers that can store your passwords and logins securely so that you don’t have to remember them.

In Part 3, we’ll take a look at diceware and explain how to create strong and unique passwords that are also easy to remember. You can use diceware to generate a master password for your password manager, for your Bitcoin brainwallets, or for any other account you wish to make more secure.


What is a two-factor authentication (2FA) code?

Instead of relying solely on a username and a single password to sign in to online accounts, 2FA adds another layer of security by requiring a second piece of information to proceed. 

This usually comes in the form of a one-time code, which can be sent to you via SMS, email, or an authenticator app. These codes are usually only valid for a short period of time—generally a few minutes—to drastically lower the risk of someone being able to steal them.

How effective is 2FA? 

A Microsoft report in 2019 found that enabling 2FA can block 99.9% of automated attacks. So if one of your online accounts offers 2FA, enabling this feature drastically improves your online security.

Why do you need 2FA? 

Because computers are terrible at authenticating passwords. Passwords have been around a lot longer than computers. Over the centuries, they have been used to identify messengers and soldiers or to gain access to assemblies and fortresses.

The fundamental difference between a password policy enforced by humans and one enforced by computers is that computers have a hard time taking other relevant factors into account.

For example, a computer often cannot distinguish between a person and a program entering a password. Humans will judge a face, clothing, and movements before authenticating a person, but a computer cannot. And while it would surely be suspicious if a person were to randomly yell words at a guard in an attempt to guess a password, this behavior might not seem strange at all to a computer.

Computers are getting better at authenticating people, though. New systems are able to take into account the rate and rhythm at which you type your password and use additional biometric authentication, such as your fingerprint or face.

While such innovations are convenient, they are best used as one of multiple methods of authentication rather than as a replacement for a strong password.

How 2FA can protect against brute-force attacks

Though most services limit the number of guesses a user can make for a password, it is possible for an attacker to guess and check every possible password for your account. This is called a brute-force attack.

A brute-force attack could crack a single password of under 15 numerical digits within a day. And anything under 18 characters could still be guessed within a year. Even if your password contains both letters and numbers, it needs to be at least ten characters long to avoid being cracked within a day. (Top tip: use ExpressVPN’s Random Password Generator to create strong passwords.)

But let’s just say a hacker was able to crack your long, random password. So long as you’d set up 2FA, they still wouldn’t be able to access your account without your 2FA code.
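The figures above follow from a single assumed guess rate. The script below is an added example, not part of the original article: it takes the rate implied by "under 15 digits within a day" (10^15 guesses per day, an assumption for illustration, and the kind of rate only possible when guessing offline against a copied password database), re-derives the article's other two figures from it, and contrasts that with a constructed online login form that allows ten attempts a minute. The charset sizes (10 digits, 36 lowercase letters plus digits) and the online rate are assumptions.

```python
from math import log2

SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Assumed guess rate, chosen so that the article's first figure holds: every
# password of under 15 digits (10**15 candidates) falls within one day. This is
# an offline rate (no login page throttling the attempts); it is an assumption
# made for illustration, not a measurement.
OFFLINE_GUESSES_PER_SECOND = 10 ** 15 / SECONDS_PER_DAY      # about 1.2e10 per second

# Constructed rate for an online login form that allows ten attempts a minute.
ONLINE_GUESSES_PER_SECOND = 10 / 60


def keyspace(charset_size, max_length):
    """Number of candidate passwords of length 1..max_length over a character set."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def seconds_to_exhaust(charset_size, max_length, guesses_per_second):
    """Worst case for the attacker: the time needed to try every candidate."""
    return keyspace(charset_size, max_length) / guesses_per_second


def entropy_bits(charset_size, length):
    """Strength of a uniformly random password of the given length, in bits."""
    return length * log2(charset_size)


def cracked_within(charset_size, max_length, guesses_per_second, seconds):
    """True if the whole keyspace can be exhausted inside the given time budget."""
    return seconds_to_exhaust(charset_size, max_length, guesses_per_second) <= seconds


def report():
    """Re-derive the article's figures from the assumed offline rate and
    contrast them with the throttled online endpoint."""
    rows = [
        ("digits only, 14 chars", 10, 14),
        ("digits only, 17 chars", 10, 17),
        ("lowercase + digits, 9 chars", 36, 9),
        ("lowercase + digits, 10 chars", 36, 10),
    ]
    for label, charset, length in rows:
        offline = seconds_to_exhaust(charset, length, OFFLINE_GUESSES_PER_SECOND)
        online = seconds_to_exhaust(charset, length, ONLINE_GUESSES_PER_SECOND)
        print(f"{label:30s} {entropy_bits(charset, length):5.1f} bits   "
              f"offline {offline / SECONDS_PER_DAY:10.1f} days   "
              f"online {online / SECONDS_PER_YEAR:12.0f} years")


if __name__ == "__main__":
    report()
```

The point the numbers make is that rate limiting only helps while the guessing has to go through the login form; once the attacker is guessing offline, only password length and a second factor stand between them and the account.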

How to set up 2FA

There are plenty of ways to obtain a 2FA code. You can use a combination of any of the following, or just pick the one that best suits your needs. Just keep in mind the benefit—and limitations—of each method of 2FA.

Generating 2FA codes by SMS

A few services will ask you for a second code every single time you log in. Services such as Facebook, Twitter, Google, and Dropbox will send a text message to your phone containing this code. This code must then be entered into the website in order for you to log in to your account.

But this is far from perfect. If your phone can’t get any reception, you run out of battery, or you are traveling overseas and want to avoid roaming charges, you could end up locked out of your account.

Losing your phone could also potentially lock you out of your account until you can get a new SIM card issued with the same phone number. This method also carries a security risk: an attacker could trick your mobile phone provider into issuing a duplicate SIM, or find a way to reroute your text messages to themselves.

Snooping governments could silently read your text messages, prevent the SMS from ever reaching you, or both. Either way, this would effectively render your SMS codes useless. At the very least, your phone would give away your location while it is receiving the text message, which is something you might want to avoid.

Generating 2FA codes with an app

Google Authenticator and Authy are two of the best apps for generating 2FA codes instead of having them sent to you via text message. Generating the codes on a phone app means they are never in transit, which makes them impossible to intercept.
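Both the short validity window described earlier and the "never in transit" property rest on the same mechanism: when you enrol, the service shares a secret with the app (usually via a QR code), and from then on both sides compute the code from that secret and the current time. The following is an added example, not code from the article or from any of the apps it names; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus the server-side check that accepts a code only within a narrow window of time steps. The secret is the published RFC test secret so the results can be checked against the RFC test vectors; the account name and issuer in the provisioning URI are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the ASCII test secret from RFC 4226 / RFC 6238,
# so the codes produced here match the published test vectors.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds each code is valid for (RFC 6238 default)
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """Time-based one-time password (RFC 6238): HOTP over the current time step.
    The app and the server run exactly this; nothing is sent between them."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, window=1, step=TIME_STEP, digits=DIGITS):
    """Server-side check: accept the code for the current time step and for
    `window` steps on either side (clock drift), comparing in constant time.
    A code older than that window is rejected even though it was once valid."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI of the kind encoded in the QR code an authenticator app
    scans at enrolment; it is the only time the secret is transferred."""
    key = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={key}"
            f"&issuer={issuer}&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    now = int(time.time())
    print("code valid right now:", totp(SHARED_SECRET, now))
    print("seconds until it changes:", TIME_STEP - now % TIME_STEP)
    print(provisioning_uri(SHARED_SECRET, "alice@example.com", "ExampleCorp"))
```

The `window` of one step on each side is why a code typed just as it rolls over is still accepted; widening it makes stolen codes useful for longer, which is the trade-off behind the "few minutes" of validity mentioned above.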

This process does make you more dependent on your device, though. And if it is out of battery, broken, or missing, you might get locked out of your account. If you are unable to get the device running again, or you lose it, it can be a huge hassle to regain access to your Google Authenticator-protected accounts.

Some authentication services will allow you to create emergency codes in such a case, which you have to store securely elsewhere (such as in an encrypted file on your computer). Other services might ask you for a secondary phone number, where they can reach you in case your primary number is lost and your 2FA needs to be disabled.

However, such a phone number might then be used against you, as explained above.

Using a USB security key (U2F) for 2FA 

Instead of getting 2FA codes from your phone or a remote server, you could generate them on a dedicated USB device, also called a security key or U2F (universal second factor). These small USB sticks (sometimes as small as a fingernail!) plug into your computer or phone. 

U2F is very easy to set up, and many popular services, such as Facebook and Google, support it on their websites. The U2F authentication system prompts your browser, after which you plug your U2F key into the USB slot and press the button or touchpad on its surface. A key will be generated and automatically submitted to the website as your secondary password.

Without the U2F key and a physical touch, it’s impossible to log in to your accounts, which makes them very hard to hack. It also protects against phishing attacks, as it verifies the integrity of the connection between you and the server you are visiting.
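The phishing protection comes from the fact that the key's response is bound to the identity of the site the browser is actually talking to, so a look-alike site that relays the real site's challenge receives a response the real site will not accept. The following is an added example, not code from the article or from any key vendor: it is a simplified model of that origin binding. A real U2F key holds an ECDSA P-256 key pair per registration and returns a signature; this model (an assumption, made so it runs on the Python standard library alone) derives HMAC keys from a device secret and returns HMAC tags in place of signatures, and the website stores the derived key where it would really store a public key. The site name, the look-alike origin, and the user-presence and counter handling are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def sha256(data):
    return hashlib.sha256(data).digest()


def signed_data(app_id, counter, challenge):
    """What the key signs: application parameter (hash of the origin), a
    user-presence byte, the usage counter, and the hash of the challenge.
    Because the origin is part of the signed data, a response produced for
    one site cannot verify at another."""
    return sha256(app_id.encode()) + b"\x01" + counter.to_bytes(4, "big") + sha256(challenge)


class SecurityKey:
    """Model of a U2F token (HMAC stands in for ECDSA; see the lead-in)."""

    def __init__(self):
        self._device_secret = os.urandom(32)    # never leaves the token
        self.counter = 0                         # incremented on every use

    def register(self, app_id):
        """Enrolment: return (key_handle, registration_key) bound to this origin."""
        key_handle = os.urandom(16)
        return key_handle, self._derive(app_id, key_handle)

    def authenticate(self, app_id, key_handle, challenge, user_present):
        """Respond to a challenge for the origin the browser reports. The touch
        requirement is what stops a silent login by malware on the computer."""
        if not user_present:
            raise PermissionError("the button on the key must be touched")
        self.counter += 1
        tag = hmac.new(self._derive(app_id, key_handle),
                       signed_data(app_id, self.counter, challenge),
                       hashlib.sha256).digest()
        return self.counter, tag

    def _derive(self, app_id, key_handle):
        return hmac.new(self._device_secret, sha256(app_id.encode()) + key_handle,
                        hashlib.sha256).digest()


class RelyingParty:
    """The website: one registration per key handle, plus the last counter seen."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.registrations = {}

    def enrol(self, key):
        key_handle, reg_key = key.register(self.app_id)
        self.registrations[key_handle] = (reg_key, 0)
        return key_handle

    def new_challenge(self):
        return os.urandom(32)

    def verify(self, key_handle, challenge, counter, tag):
        reg_key, last_counter = self.registrations[key_handle]
        expected = hmac.new(reg_key, signed_data(self.app_id, counter, challenge),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False          # wrong key, wrong origin, or tampered response
        if counter <= last_counter:
            return False          # replayed response, or a cloned token that fell behind
        self.registrations[key_handle] = (reg_key, counter)
        return True


def genuine_login(site, key, key_handle):
    challenge = site.new_challenge()
    counter, tag = key.authenticate(site.app_id, key_handle, challenge, user_present=True)
    return site.verify(key_handle, challenge, counter, tag)


def relayed_login(site, key, key_handle, lookalike_origin):
    """A look-alike site forwards the real site's challenge to the victim. The
    victim's browser reports the look-alike origin to the key, so the response
    is bound to the wrong application identity and the real site rejects it."""
    challenge = site.new_challenge()
    counter, tag = key.authenticate(lookalike_origin, key_handle, challenge, user_present=True)
    return site.verify(key_handle, challenge, counter, tag)


def replayed_login(site, key, key_handle):
    """The same captured response presented twice: accepted once, then refused."""
    challenge = site.new_challenge()
    counter, tag = key.authenticate(site.app_id, key_handle, challenge, user_present=True)
    return site.verify(key_handle, challenge, counter, tag), site.verify(key_handle, challenge, counter, tag)
```

The model keeps the three properties the paragraph relies on: a response only verifies for the origin the browser reported, nothing is produced without the physical touch, and the usage counter lets the site notice a replayed or cloned response.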

Such a hardware key cannot be copied or forged, but it does come at a cost upward of 20 USD.

Protect your privacy with secure passwords

We strongly encourage you to use two-factor authentication with the services that you use the most (such as email, social media, or banking).

Nothing else will improve your online security as much, for such little effort.

Not sure which 2FA method is best for you? This guide will help you decide.

Lexie is the blog's resident tech expert and gets excited about empowerment through technology, space travel, and pancakes with blueberries.