What the Hack Is 2FA?

“Something you know, something you have, something you are.”

When I first heard about the mantra recited by two-factor authentication enthusiasts, it sounded like a wedding superstition. (Something old, something new, something borrowed, something blue.) Or perhaps, more accurately, a witches’ curse. (Double, double, toil and trouble, etc.) An exciting mantra, or a zen yoga chant. It sounded powerful, even comforting. Like if I repeated it enough times all of my precious online accounts would finally be secure.

These words are the backbone behind the idea of two-factor authentication, or 2FA. The safety protocol has become more and more prolific—you may have heard 2FA or even “multi-factor authentication” thrown around in your office onboarding process, even prompted by the security settings in one of your online accounts. It can be annoying, sure, but the more factors, the better for security. With every new edition, even our smartphones are evolving from having simple unlock codes to fingerprints to Face ID. You know, maybe as we put more and more of ourselves online, we should become more and more concerned with finding better ways to protect ourselves online.

two fac·​tor au·​then·​ti·​ca·​tion 

noun \tü – faktər ə-ˌthen-ti-ˈkā-shən\

an additional layer of security for your online accounts beyond just a username and password


So say it again, slowly: “Something you know, something you have, something you are.”

“Nearly every company now offers some form of two-factor,” writes Russell Brandom in the Verge. Much of this, he says, has to do with the site twofactorauth.org, which has been at the center of the campaign to push for two-factor authentication. The site lists whether or not websites support two-factor and, perhaps more importantly, what types of two-factor methods they support. For the uninitiated, “something you know” is akin to a password or a PIN number, “something you have” is a cell phone or a credit card, and “something you are” is a metaphysical statement as well as a digital security measure—think a fingerprint or Face ID. When protecting any account from hackers—like email, social media, Seamless, Uber, Amazon, PayPal—the idea is that being asked to provide one of these things is simply not enough. We should have to include all three.

You know, maybe as we put more and more of ourselves online, we should become more and more concerned with finding better ways to protect ourselves online.


Password cracking is a field unto itself and would-be hackers (even the lesser skilled ones) have a multitude of tools—from phishing and malware to brute force attacks—to utilize. Almost every day there’s a new data breach, wherein leaked email-password combos are out there for people to take. If you’re using the same password for multiple accounts, well, then you might be screwed. “[Online security] started with ‘something you know,’ which is passwords,” says Carl Rosengren, the chief maintainer of the website twofactorauth.org. “That didn’t work out.”

The most common method of two-factor authentication is getting a unique code sent directly to your phone via SMS. And you’d have to enter both a password and that SMS code to log in to your account. But this method isn’t as secure as we once thought. “The main problem with SMS is that when the company sends out the code they can’t verify that it goes to you. They just know that it will go to your phone number, [which] can be intercepted,” says Rosengren. Despite the passcodes or fingerprints or even Face ID, our cell phones—and more eerily, our cell phone numbers—can be just as insecure as our passwords. If you want to learn more about how hackers can trick phone companies into “stealing” your phone number, you can click here. Or just resolve to going from 2FA to “MoreFA.”

The most secure method of two-factor authentication is to have a physical hardware token, like a Yubikey. But if you—like me—are just an average internet scamp, the chances are high that shelling out money for a piece of hardware is above the laziness threshold of what you’ll do to protect your accounts. (There is also a 100% chance that I would lose said hardware immediately upon receiving it.) A good middle ground for people like us is a software token, which can come in the form of something we all know and love—an app! Authenticator apps like Authy or Duo Security can randomly generate codes that you would need to enter in along with your password when logging in to your two-factor-enabled accounts. These apps are more secure than an SMS code because, as Rosenberg explained, “The main difference is that with an authenticator app, the token is generated on your phone so it’s not sent on the wire via SMS.”

It’s not completely foolproof (to find out more, read Brandom’s article on why 2FA “isn’t the silver bullet that it seemed to be”), but it’s still a worthwhile step towards making your account more secure. Not only can an idiot like me can figure it out, but if you’re an idiot too and your password is something along the lines of “password123,” you might not end up being the easy target you once were—before 2FA.

Plus, it just makes sense. “Something you know. Something you have. Something you are.” I recite, slowly, as if 2FA’s magical mantra can clear anything up. As I say the words, I imagine my body slowly dissolving, becoming tiny little bits of data that were strewn across the digital sky. Each bit of my newly disintegrated and digitized body also had a little smiley face printed on it, because I was happy that my accounts, once wholly unsecure, now had two-factor authentication.

All of those little faces repeated it again in unison, smiling.

“Something I knew. Something I had. Something I am.”

    Clio Chang

    Clio Chang is a reporter whose work frequently appears in Jezebel, The Intercept, The Nation, and The New Republic.

    Read More