Two-Factor Authentication: The Best Free Security Upgrade You're Not Using
We've written about passwords a lot. The LinkedIn breach. The Panama Papers. Credential stuffing. The common thread: stolen passwords lead to compromised accounts. The solution we keep recommending: two-factor authentication (2FA).
But we haven't written a dedicated guide to actually setting it up. Let's fix that.
What Two-Factor Authentication Actually Is
Authentication factors fall into three categories:
- Something you know: A password or PIN
- Something you have: A phone, a hardware key, or a smart card
- Something you are: A fingerprint or facial recognition
Two-factor authentication requires two of these three. Usually, it's your password (something you know) plus a code from your phone (something you have). Even if an attacker steals your password, they can't log in without also having your phone.
Why It Matters
Microsoft's security research team reported that 2FA blocks 99.9% of automated attacks on accounts. Google found similar results. The reason is simple: most attacks are automated. Bots try stolen credentials from data breaches against thousands of services. They can handle passwords. They can't handle a constantly-changing code from a device they don't possess.
After the LinkedIn breach exposed 117 million passwords, any account that used the same password as LinkedIn was vulnerable. If those accounts had 2FA enabled, the stolen passwords would have been useless.
The Three Types of 2FA
SMS Codes (Good)
A text message with a 6-digit code sent to your phone. It's the most common type and it's better than nothing. The downside: SMS can be intercepted through SIM-swapping attacks, where an attacker convinces your carrier to transfer your number to their device. For most practice use cases, SMS 2FA is adequate.
Authenticator Apps (Better)
Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes on your phone. The codes change every 30 seconds and don't rely on cell service or SMS. This is what we recommend for most business accounts.
Hardware Keys (Best)
Physical devices like YubiKey that plug into your computer's USB port. They can't be phished, intercepted, or remotely compromised. For high-security accounts (admin accounts, banking), hardware keys are the gold standard.
Where to Enable 2FA Right Now
In order of priority:
- Email: Your email is the master key to everything. If someone controls your email, they can reset passwords on every other account. Enable 2FA on your email first.
- Banking and financial accounts: Anywhere money can be moved.
- Practice management software: If your PMS supports it, enable it.
- Cloud storage: Dropbox, Google Drive, OneDrive.
- Social media: Especially if your practice has business accounts.
- Remote access tools: VPN, RDP, remote desktop software.
Common Objections (and Why They Don't Hold Up)
"It's inconvenient." It adds about 10 seconds to your login. You'll save hours dealing with a compromised account.
"What if I lose my phone?" Set up backup codes when you enable 2FA. Store them somewhere safe. Authenticator apps like Authy also support cloud backup of your tokens.
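Backup codes are worth understanding from the service's side too, because the properties that make them a safe fallback (random, single-use, never stored in plaintext) are what an administrator should expect from any product that offers them. The following is an added example for this guide, not code from any vendor: it issues a set of backup codes, keeps only salted hashes server-side, and burns each code on first use. The function names and the storage layout are this example's own.

```python
import hashlib
import hmac
import secrets

CODE_BYTES = 5        # 40 bits of randomness per code; shown as xxxxx-xxxxx
DEFAULT_COUNT = 10    # typical number of codes handed out at enrollment


def _normalize(code: str) -> str:
    """Accept codes with or without the dash, in any case, with stray whitespace."""
    return code.strip().lower().replace("-", "")


def _digest(salt: bytes, code: str) -> str:
    """Hash a code with the per-user salt; the plaintext is never stored."""
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


def issue_backup_codes(count: int = DEFAULT_COUNT):
    """Return (plaintext codes to show the user exactly once, store to keep server-side)."""
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    store = {"salt": salt, "unused": {_digest(salt, c) for c in codes}}
    return codes, store


def redeem_backup_code(store: dict, submitted: str) -> bool:
    """Consume a code: valid the first time it is presented, rejected afterwards."""
    candidate = _digest(store["salt"], submitted)
    for stored in list(store["unused"]):
        if hmac.compare_digest(stored, candidate):
            store["unused"].discard(stored)   # single use: remove it once accepted
            return True
    return False


def remaining_codes(store: dict) -> int:
    """How many codes the user still has; warn and reissue when this gets low."""
    return len(store["unused"])


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("Print these and keep them somewhere safe:")
    for c in codes:
        print("  ", c)
    print("first use accepted:", redeem_backup_code(store, codes[0].upper()))
    print("second use accepted:", redeem_backup_code(store, codes[0]))
    print("codes left:", remaining_codes(store))
```

The store holds only hashes, so a copy of the database does not yield usable codes; the plaintext list exists only on the sheet the user prints, which is the "somewhere safe" the guide refers to.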
"My staff won't do it." Make it mandatory. This isn't optional security hygiene. It's a baseline requirement.
"We don't have anything worth stealing." You have patient records, financial data, insurance information, and bank accounts. Yes, you do.
Five minutes per account. Free. Blocks 99% of attacks. There is no better return on investment in all of cybersecurity.