2FA requires a phone call to your phone to log in, thereby making it harder/pretty impossible for a hacker/attacker to log in on your account without also having your phone.
I recommend 2FA for your email as well as for any exchange you use.
The 2FA Joshuar uses may require a phone call.
The 2FA I have is called "Google 2-step Verification". It is an app which I have on my phone. It does not require me to accept a phone call. Rather the app cycles thru a list of 6 digit numbers. This number is asked for by the website. The app on my phone provides the correct 6 digit number.
The 6 digit number itself changes every 20 seconds. How does the app always have the right number for the website?
The two use the same long list of 6 digit numbers and they scroll through them in synchronistic lockstep with each other. They stay in sync because when you first set up 2FA, the two start moving down the list at the same time.
The military uses a similar tool to secure communications, although they use it for anti-jamming radio purposes. Pilots and soldiers on the ground will talk over radios. Both the radio in the plane and the radio on the ground rapidly change the frequency they're communicating over; again, the change is made in sync. This way if any single frequency is jammed, they will only be talking over that frequency for fractions of a second and comms won't be interrupted significantly.
The ideas are similar though. Two parties use a pre-agreed upon list. They cycle thru the list. They do this in sync because they both started the list at the same time and change to the next item on the list at a pre-determined time increment. 20-30 seconds for 2FA. Multiple times a second for military "Have Quick".
What are the weaknesses of this approach? Just some speculating here, however...
Is every Google2FA using the exact same list or is every list different?
A broken clock is right twice daily. Perhaps someone could (small chance here in my mind) break into your account etc if they had your login and password credentials from wherever and then "broken clocked" the 2FA.
Is the provider of Google 2-SV trustworthy? Is there an open source alternative?
In information security there are three items used to provide identity verification and then secure access to info.
Who you are.
What you know.
What you have.
Passwords are a single facet. What you know. The password. This is a single layer of security.
2FA adds a second layer of security by also creating a "what you have" requirement for access. The current technology is 2FA (Google 2-SV) on a device which most people carry, their phone.
So 2FA will add a second layer of protection anytime you believe a password alone isn't sufficient to secure something. Like internet money.
And hopefully your phone is in your possession. You can lock yourself out (although there are secure workarounds) if you lose your phone without backing up your 2FA key.
How do people break passwords on a non-2FA?? How do they find your password? Are you using a password instead of a pass-phrase?? The resources to educate yourself already exist in abundance all over the web.
Wanna really beef up your security? Add the third layer: who you are, in addition to the other two.
Use a phone with a fingerprint sensor (who you are). On which you have 2FA (what you have). Only with those two layers of security satisfied can you finally use your pass-phrase (what you know) on a website to access your account.
If someone gets thru that then.....