Two-step verification, or MFA (Multi-Factor Authentication), is a security mechanism that adds a second check on top of the password. It plays an important role in protecting you as a person and your data.
Time has shown that massive amounts of user data have leaked as a result of popular online services being hacked, including accounts whose passwords were genuinely hard to guess or to recover with a brute-force attack.
You can run a simple test to see whether your email address appears in any leaked list by visiting https://haveibeenpwned.com/. Most people will be quite surprised 🙂
Trusting that a username and password is safe enough has been proven wrong so many times that I personally find it quite strange that people still rely on it.
Examples of popular online services that have been hacked and had their user data stolen are Disqus (where people registered to be able to comment in discussion threads), MyHeritage and Adobe. A list of websites that have had breaches in which user data was stolen is available here: https://haveibeenpwned.com/PwnedWebsites
Why is relying on a password a problem?
Users are “lazy”, and here are 5 reasons why passwords don’t provide enough protection:
- People reuse passwords. They use the same passwords both privately and at work.
- People use easy-to-guess passwords. An analysis of 5 million leaked passwords shows that roughly 10 percent of the users shared 25 passwords.
- The password is written down and stored unsafely, where others can see it.
- Weak passwords are the first thing any attacker tries when going after an account; a brute-force attack with a dictionary is quite easy for anyone interested in trying. That is why I like to have a policy that locks an account after more than 3 failed logon attempts, or alternatively blocks the IP address the attack comes from.
- Privileged accounts with a weak password: an entry door to full access to everything.
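The lockout policy from the last two points (lock the account after more than 3 failed logons, or block the source IP) can be implemented as a small guard in front of the password check. The code below is an added example and is not from the original post or any product; the 15-minute lock duration and the fake clock used for testing are assumptions, the post only states the threshold of 3.

```python
import time
from collections import defaultdict

MAX_FAILED_ATTEMPTS = 3      # the post's policy: lock after more than 3 failed logons
LOCKOUT_SECONDS = 15 * 60    # assumed lock duration; the post does not state one


class LoginGuard:
    """Counts consecutive failed logons per account and per source IP.

    Once either counter exceeds MAX_FAILED_ATTEMPTS that key is locked for
    LOCKOUT_SECONDS, so a dictionary run gets only a handful of guesses.
    `clock` is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self.max_failed = max_failed
        self.lockout = lockout
        self.clock = clock
        self.failed = defaultdict(int)   # key -> consecutive failures
        self.locked_until = {}           # key -> unix time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:        # lock expired: reset and allow again
            del self.locked_until[key]
            self.failed[key] = 0
            return False
        return True

    def _record_failure(self, key):
        self.failed[key] += 1
        if self.failed[key] > self.max_failed:
            self.locked_until[key] = self.clock() + self.lockout

    def _record_success(self, key):
        self.failed[key] = 0
        self.locked_until.pop(key, None)

    def attempt(self, username, source_ip, password_ok):
        """Evaluate one logon. Returns (allowed, reason).

        The lock is checked *before* the password result is used, so a correct
        password does not bypass an active lock and a locked attempt does not
        reveal whether the password was right.
        """
        keys = (f"user:{username}", f"ip:{source_ip}")
        for key in keys:
            if self.is_locked(key):
                return False, f"locked:{key}"
        if password_ok:
            for key in keys:
                self._record_success(key)
            return True, "ok"
        for key in keys:
            self._record_failure(key)
        return False, "bad_credentials"


def simulate_dictionary_run(guesses):
    """Replay a constructed list of (username, ip, password_ok) attempts against
    a fresh guard driven by a fake clock; returns the reason for each attempt."""
    fake_now = [1_700_000_000]
    guard = LoginGuard(clock=lambda: fake_now[0])
    reasons = []
    for username, ip, ok in guesses:
        fake_now[0] += 1                 # one attempt per second
        reasons.append(guard.attempt(username, ip, ok)[1])
    return reasons


if __name__ == "__main__":
    # Constructed sample: five wrong guesses for "alice" from one address, then
    # the real password. The fourth failure trips the lock, so the fifth guess
    # and the correct password after it are both refused.
    sample = [("alice", "198.51.100.7", False)] * 5 + [("alice", "198.51.100.7", True)]
    for reason in simulate_dictionary_run(sample):
        print(reason)
```

Locking by account alone lets anyone who knows a username lock the real owner out, which is why the guard also counts per source IP and why the lock expires rather than closing the account permanently; the expiry is the assumption named above.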
Another danger of having your credentials stolen is identity theft. It is a serious problem for those who have found themselves in huge debt to financial institutions, or who can read online postings in their name promoting a political view they don’t share, or even worse. More about that problem here: https://en.wikipedia.org/wiki/Identity_theft
MFA creates an extra layer of security and will stop a cybercriminal from getting access to your accounts and data, since it is you who eventually has to give him or her access by approving a sign-on attempt.
OK, I am convinced. How?
Multi-Factor Authentication can be done using a number of methods. Typical ones are:
- Code sent to an email address you control
- Biometrics like fingerprints, facial recognition, retina scanning
- Code generated by an app on your smartphone, such as Microsoft Authenticator or Google Authenticator
- A USB device or hardware token
- Certificates and soft tokens
My preferred method is using an app, simply because I always have my cell phone with me. Being a nerd, I also have a smartwatch; set up correctly, I get the MFA approval prompt on my watch and can confirm there.
Setting up Facebook for MFA (2 step verification)
Facebook offers MFA to its users by letting them require that, each time they log on to Facebook from a new device or computer, an additional code must be entered at login. This can be a code from the Code Generator tool in the Facebook app, a code sent via SMS to your phone, or alternatively a code from a third-party tool like the Google Authenticator app. I use Facebook as an example since most people have some relation to it 🙂, and in this example I will use an authenticator app.
Open Facebook, then open Settings by clicking the dropdown arrow at the far right of the Facebook menu bar at the top of your screen.
Select Security and Login in the left vertical menu (see image below).
Click the Edit button next to Use two-factor authentication (see image above).
Before you click the Use Authentication App button you need to install an app on your cell phone. I use Microsoft Authenticator in this case, but you are free to use other alternatives like Google Authenticator or Duo. I am an Android user, so the image below is from the Google Play app store.
OK, now you have installed Microsoft Authenticator on your cell phone and are ready to set up MFA for Facebook (and any other MFA-enabled service).
Click the Use Authenticator App button in the Facebook Two-Factor Authentication dialogue (see 2 images up).
Open Microsoft Authenticator on your cell phone. Tap the 3 vertical dots in the upper right corner and select Add account.
The choices are quite self-explanatory; in this case we select Other account… You will now see that within the app you are able to scan the QR code presented by the Facebook two-factor dialogue (see image above). Scan it and the account is registered.
In the image above you see the Facebook logo and a long ID string (your ID). In addition, you see 6 digits that are updated every 30 seconds. This is your one-time password for accessing a system or application that is MFA-enabled. You will have to confirm the process of setting up MFA with Facebook by entering the current passcode from the app into this dialogue:
Type in the 6 digits displayed in your app and click Continue. Facebook will display the following message to confirm that your account is now protected using MFA.
MFA/2-factor authentication is important, and Apply will use it for all systems and services. You can use the same app/token for setting up MFA for your private accounts and services to ensure a safe and secure IT day. Happy MFA'ing :-)