Google’s own data proves two-factor is the best defense against most account hacks

Every once in a while someone will ask me what is the best security advice.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it’ll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step to your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100 percent of automated bot attacks that use stolen lists of passwords against login pages and 96 percent of phishing attacks that try to steal your password.

Account takeover prevention rates by challenge type. (Image: Google)

Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. Its next best replacement, getting a two-factor code through an authenticator app on your phone, is far more secure.

Only a security key, designed to protect the most sensitive accounts, prevented not only automated bot and phishing attacks but also highly targeted attackers, typically associated with nation states. Just one in a million users face targeted attackers, Google said.

For everyone else, adding a phone number to your account and getting even the most basic two-factor set up is better than nothing. Better yet, go all in and shoot for the app.

Your non-breached online accounts will thank you.

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page

Alleged cryptocurrency exchange Goxtrade bills itself as a “trusted platform for trading bitcoins,” but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claims to have launched in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and from the websites of other companies unrelated to it.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s ‘40 Under 40’, was one of the people whose name and photo appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

Nearly all of the names are accurate but have no connection to the site. (Image: TechCrunch)

Goxtrade claims to be an exchange that lets users “receive, send and trade cryptocurrency.” After we created an account and signed in, it’s not clear if the site even works. But the online chat room has hundreds of messages of users trying to trade their cryptocurrencies. The site’s name appears to associate closely with Mt. Gox, a failed cryptocurrency exchange that collapsed after it was hacked. At its 2014 peak, the exchange handled more than 70 percent of all bitcoin transactions. More than $450 million in bitcoins were stolen in the apparent breach.

Baldet isn’t the only person wrongly associated with the suspect site.

TechCrunch has confirmed the other photos on the site belong to other people seemingly chosen at random — including a claims specialist in Illinois, a lawyer in Germany, and an operations manager in Melbourne.

Another person whose photo was used without permission is Tom Blomfield, chief executive of digital bank Monzo. In a tweet, Blomfield — who was listed on the alleged exchange as “Arnold Blomfield” — said his legal team has filed complaints with the site’s hosts.

But things get weirder than just stolen staff photos.

Hours after the site was first flagged, Cloudflare began warning users that the alleged exchange is a suspected phishing site. (Image: TechCrunch)

Goxtrade lists its registered address as Heron Tower, one of the new skyscrapers in London. We checked the listings and there’s no company of the same name listed in the building. There’s also no mention of Goxtrade in the U.K.’s registry of companies and businesses. When we checked the registered number listed on its terms and conditions page, the listing pointed to an entirely unrelated clothing company in Birmingham.

Later in the day, networking giant Cloudflare, which provides its service, flagged the site as a phishing site.

We reached out to Goxtrade by email prior to publication but did not hear back. When we checked, Goxtrade’s mail records were pointing to an email address run by Yandex, a Russian internet company.

It’s not the first time a cryptocurrency startup has been called into question for using other people’s photos on their staff pages. After raising more than $830,000, Miroskii was caught listing actor Ryan Gosling as one of its graphic designers. Almost every photo later transpired to have been lifted from another source. The company later claimed it was hacked.

Cryptocurrency-related scams are not rare. Many have taken what they’ve raised and gone dark, never to be seen again. We’ve covered a fair number here on TechCrunch, including a massive $660 million scam from 2018.

A fair warning with Goxtrade: all signs seem to point to yet another scam.

Google recalls its Bluetooth Titan Security Keys because of a security bug

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says that the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvard wrote when Google launched its Titan keys.

Binance pledges to ‘significantly’ increase security following $40M Bitcoin hack

Binance has vowed to raise the quality of its security in the aftermath of a hack that saw thieves make off with over $40 million in Bitcoin from the exchange.

The company — which is widely believed to operate the world’s largest crypto exchange based on trading volumes — said today that it will “significantly revamp” its security measures, procedures and practices in response. In particular, CEO Changpeng Zhao wrote in a blog post that Binance will make “significant changes to the API, 2FA, and withdrawal validation areas, which was an area exploited by hackers during this incident.”

Speaking on a livestream following the disclosure of the hack earlier this week, Zhao said the hackers had been “very patient” and, in addition to targeting high-net-worth Binance users, he suggested that the attack had used both internal and external vectors. That might well mean phishing, and that’s an area where Zhao has pledged to work on “more innovative ways” to combat threats, alongside improved KYC and better user and threat analysis.

“We are working with a dozen or so industry-leading security expert teams to help improve our security as well as track down the hackers,” Zhao wrote. He added that other exchanges are helping as best they can to track and freeze the stolen assets.

The real focus must be to look forward, and in that spirit, Binance said it will soon add support for hardware-based two-factor authentication keys as a method to log in to its site.

That’s probably long overdue and, perhaps to make up for the delay, Zhao said the company plans to give away 1,000 YubiKeys when the feature goes live. That’s a worthy gesture but, unless Binance is giving out a discount code to redeem on the website directly, security purists would likely recommend that users buy their own key to ensure it has not been tampered with.

The final notable update is when Binance will resume withdrawals and deposits, which it froze in the wake of the attack. There’s no definitive word on that yet, with Zhao suggesting that the timeframe is “early next week.”

Oh, and on that proposed Bitcoin blockchain “reorg” — which attracted a mocking reaction from many in the blockchain space — Zhao, who is also known as CZ, said he is sorry.

“It is my strong view that our constant and transparent communication is what sets us apart from the ‘old way of doing things’, even and especially in tough times,” he wrote defiantly, adding that he doesn’t intend to reduce his activity on Twitter — where he is approaching 350,000 followers.

Justice Department charges Chinese hacker for 2015 Anthem breach

U.S. prosecutors have brought charges against a Chinese national for his alleged involvement in the 2015 data breach at health insurance giant Anthem, which resulted in the theft of 78.8 million records.

Fujie Wang, 32, and other unnamed members of a China-based hacking group, are charged with four counts of conspiracy to commit fraud, identity theft and computer hacking.

Names, addresses, dates of birth, employment and income data, Social Security numbers and highly sensitive medical information were stolen in the breach.

The hackers are also accused of breaking into three other businesses — a tech company, a basic materials firm, and a communications giant — none of which were named in the indictment.

The FBI-issued wanted poster for Fujie Wang, a China resident. (Image: FBI)

Prosecutors said the hackers used “sophisticated techniques to hack into the computer networks of the victim businesses without authorization” — including spearphishing attacks. The hackers are said to have “patiently waited months” after they broke into the health insurance giant’s systems before they stole data.

The hackers are said to have stolen the 78 million records over a month between October and November 2014 by transferring large archive files from Anthem’s data warehouse back to China.

Anthem disclosed the breach in February 2015. The company later paid $115 million to settle lawsuits relating to the breach.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said U.S. assistant attorney general Brian Benczkowski in remarks. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personal identifiable information.”

Wang is currently wanted by the FBI.

Russians hacked ‘at least one’ Florida county prior to 2016 election

Russian operatives successfully targeted and hacked “at least one” Florida county government in the run up to the 2016 U.S. presidential election, according to new findings by the Special Counsel Robert Mueller.

The report, published Thursday by the Justice Department, said the county was targeted by the Russian intelligence service, known as the GRU. The hackers sent spearphishing emails to more than 120 email accounts used by county officials responsible for administering the election, the report said.

According to the findings:

In August 2016, GRU officers targeted employees of [REDACTED], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network… the spearphishing emails contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer.

The findings are a significant development from previous reporting that said Florida’s election systems were merely targets of the Russian operatives.

Sen. Bill Nelson (D-FL) was derided after he claimed just days before his eventual re-election that hackers had gained access to the state’s election systems. According to NBC News, some of Nelson’s assertions were based on classified information that was not yet public.

Nelson’s remarks came almost a year after The Intercept published a classified document — later discovered to have been sent by since-jailed NSA whistleblower Reality Winner — showing that intelligence pointed to a concerted effort by the GRU to target election infrastructure. The NSA said the hackers sent emails impersonating voting technology company VR Systems to state government officials.

The Orlando Sentinel confirmed Thursday, following the release of Mueller’s report, that Volusia County was sent infected emails containing malware, suggesting Volusia County — north of Orlando — may have been the target.

Mueller’s report confirmed that the FBI investigated the incident.

The office of Florida’s secretary of state said that Florida’s voter registration system “was and remains secure,” and “official results or vote tallies were not changed.”

Two years later, following the 2018 midterm elections, the Justice Department and Homeland Security said there was “no evidence” of vote hacking or tampering.

A new state-backed hacker group is hijacking government domains at a phenomenal pace

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously unknown hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.

“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report out Wednesday, seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director of outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of the staff as a way of getting deeper access into the network. The hackers also obtained their own HTTPS certificate for the target’s domain from another provider to make the malicious server look like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said that the hacker group compromised Netnod, a DNS provider in Sweden and one of the 13 root servers that power the global DNS infrastructure. In February, Netnod confirmed its infrastructure was hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain — .sa — suggesting other Saudi-based companies could be in the hacker group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor name the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan, and the United Arab Emirates were among the countries where it found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle is said to be “highly capable,” according to the researchers’ findings, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged companies to begin using DNSSEC, a cryptographically more secure domain name system that’s far tougher to spoof, and to enable two-factor authentication on the accounts used to manage an organization’s DNS records.
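As an added illustration of how a defender might catch the record changes described in this article (example code, not from Talos or its report), the audit below compares a snapshot of observed DNS and TLS data against an out-of-band baseline and flags each step of the hijack chain: a changed NS set, an A record pointing outside approved address space, a missing DS record, and a certificate from an unexpected CA. All names, addresses, issuers and the snapshot itself are constructed placeholders.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsBaseline:
    """What the organisation expects its public DNS to look like, recorded out-of-band."""
    nameservers: frozenset[str]        # authoritative NS hostnames, lower-case, no trailing dot
    allowed_networks: tuple[str, ...]  # CIDRs that the name's A records must fall within
    dnssec_signed: bool                # a DS record is expected at the parent zone
    tls_issuers: frozenset[str]        # CA organisation names expected to issue the name's cert


def _normalise(hosts) -> frozenset[str]:
    """Case-fold hostnames and drop the trailing dot so resolver output compares cleanly."""
    return frozenset(h.lower().rstrip(".") for h in hosts)


def audit_dns_snapshot(baseline: dict[str, DnsBaseline], observed: dict[str, dict]) -> list[str]:
    """Return one alert string per deviation from the baseline.

    `observed` maps a name to {"NS": [...], "A": [...], "DS": [...], "TLS_issuer": "..."}
    as collected by whatever resolver or scanner feeds the job (hypothetical input format).
    """
    alerts: list[str] = []
    for name, expected in baseline.items():
        seen = observed.get(name)
        if seen is None:
            alerts.append(f"{name}: no records observed; treat as an outage or resolver interference")
            continue

        # Registrar-level change: the delegation no longer points at our nameservers.
        seen_ns = _normalise(seen.get("NS", []))
        if seen_ns != expected.nameservers:
            added = sorted(seen_ns - expected.nameservers)
            removed = sorted(expected.nameservers - seen_ns)
            alerts.append(f"{name}: NS set changed (added={added}, removed={removed})")

        # Zone-level change: the name resolves to an address we do not control.
        nets = [ipaddress.ip_network(c, strict=False) for c in expected.allowed_networks]
        for addr in seen.get("A", []):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                alerts.append(f"{name}: A record {addr} is outside the approved networks")

        # DNSSEC chain of trust removed at the parent, which lets forged answers validate nowhere.
        if expected.dnssec_signed and not seen.get("DS"):
            alerts.append(f"{name}: DS record missing at parent; DNSSEC chain of trust broken")

        # A certificate from a CA we never use is the tell of the attacker's own HTTPS cert.
        issuer = seen.get("TLS_issuer")
        if issuer is not None and issuer not in expected.tls_issuers:
            alerts.append(f"{name}: certificate issued by unexpected CA {issuer!r}")
    return alerts


# Constructed baseline: placeholder names; 198.51.100.0/24 and 203.0.113.0/24 are documentation space.
_EXPECTED = DnsBaseline(
    nameservers=frozenset({"ns1.example.org", "ns2.example.org"}),
    allowed_networks=("198.51.100.0/24",),
    dnssec_signed=True,
    tls_issuers=frozenset({"Example Trust CA"}),
)
EXAMPLE_BASELINE = {"vpn.example.org": _EXPECTED, "mail.example.org": _EXPECTED}

# Constructed snapshot: one name shows every symptom of a hijack, the other is healthy.
EXAMPLE_SNAPSHOT = {
    "vpn.example.org": {
        "NS": ["ns1.rogue-dns.test.", "ns2.rogue-dns.test."],
        "A": ["203.0.113.7"],
        "DS": [],
        "TLS_issuer": "Cheap Certs Inc",
    },
    "mail.example.org": {
        "NS": ["NS1.example.org.", "ns2.example.org"],
        "A": ["198.51.100.25"],
        "DS": ["placeholder-ds-rdata"],
        "TLS_issuer": "Example Trust CA",
    },
}

if __name__ == "__main__":
    for line in audit_dns_snapshot(EXAMPLE_BASELINE, EXAMPLE_SNAPSHOT):
        print(line)
```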

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.

Microsoft: Hackers compromised support agent’s credentials to access customer email accounts

On the heels of a trove of 773 million emails, and tens of millions of passwords, from a variety of domains getting leaked in January, Microsoft has faced another breach affecting its web-based email services.

Microsoft has confirmed to TechCrunch that a certain “limited” number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.

According to an email Microsoft has sent out to affected users (the reader who tipped us off got his late Friday evening), malicious hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with — “but not the content of any e-mails or attachments,” nor — it seems — login credentials like passwords.

Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft’s letter to users said. 

The hackers got into the system by compromising a customer support agent’s credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn’t know what data was viewed by the hackers or why, but cautioned that users might see more phishing or spam emails as a result. “You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source.”

We are printing the full text of the email below, but a separate email sent to us, from Microsoft’s Information Protection and Governance team, confirmed some of the basic details, adding that it has increased detection and monitoring on those accounts affected.

Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals. We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts. 

No enterprise customers are affected, TechCrunch understands.

Right now, a lot of question marks remain. It’s unclear exactly how many people or accounts were affected, or in which territories they are located — but it seems that at least some were in the European Union, since Microsoft also provides information for contacting Microsoft’s data protection officer in the region.

We also don’t know how the agent’s credentials were compromised, or if the agent was a Microsoft employee, or if the person worked for a third party providing support services. And Microsoft has not explained how it discovered the breach.

We have asked Microsoft all of the above and will update this post as we learn more.

In this age where cybersecurity breaches get revealed on a daily basis, email is one of the most commonly leaked pieces of personal information. There’s even a site dedicated to helping people figure out if they are among those who have been hacked. Have I Been Pwned, as the site is called, now has over 7.8 billion email addresses in its database.

The letter from Microsoft to affected users follows.

Dear Customer

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at [email protected]. If you are a citizen of the European Union, you may also contact Microsoft’s Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
[email protected]

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.

Asus was warned of hacking risks months ago, thanks to leaky passwords

A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.

One password, found in an employee repo on the code-sharing site, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools with computer owners. The repo in question was owned by an Asus engineer who left the email account’s password publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists.

“It was a daily release mailbox where automated builds were sent,” said the researcher, who goes by the online handle SchizoDuckie, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored.

The researcher shared several screenshots to validate his findings.

The researcher didn’t test how far the account access could have taken him, but warned it could have been easy to pivot onto the network. “All you’d need is send one of those emails with an attachment to any of the recipients for a real nice spearphishing attack,” he said.

The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but they reveal a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. The app was signed with an Asus-issued certificate and hosted on the company’s download servers. More than a million users were pushed the backdoored code, researchers have estimated. Asus confirmed the attack in a statement and released a patched version.

Through the company’s dedicated security email, the researcher warned Asus of the exposed credentials. Six days later, he could no longer log in to the mailbox and assumed the matter was resolved.

But he found at least two other cases of Asus engineers exposing company passwords on their GitHub pages.

One Asus software architect based in Taiwan — where the company has its headquarters — left a username and password in code on his GitHub page. Another Taiwan-based data engineer also had credentials in his code.

“Companies have no clue what their programmers do with their code on GitHub,” said the researcher.

A day after we alerted Asus to the researcher’s email, the repos containing the credentials were pulled offline and wiped clean. Yet when reached, Asus spokesperson Randall Grilli told TechCrunch that the computer maker was “unable to verify the validity” of the claims in the researcher’s emails. “Asus is actively investigating all systems to remove all known risks from our servers and supporting software, as well as to ensure there are no data leaks,” he added.

Granted, this isn’t an issue limited to Asus. Other companies have been put at risk by exposed and leaked credentials or hardcoded secret keys. Last week, academics found more than 100,000 public repos storing cryptographic keys and other secrets.

Among the most famous examples of exposed credentials was Uber, in which an engineer mistakenly left cloud keys in a GitHub repository, which when discovered and exploited by hackers was used to pilfer data on 57 million users. Uber was later ordered to pay $148 million in a data breach settlement.

But given Asus knew of the issues months ago amid a backdoor threat that affected more than a million users, you would have hoped for a better, more active response.

Two-factor authentication can save you from hackers

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know — your username and password, with something you have — such as your phone or a physical security key, or even something you are — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days when your trusty password alone could protect you. Even if you have a unique password for every website you use, there is little to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say YubiKey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.
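To show why a security key stops the phishing page that a text-message or app code does not, here is an added, simplified model (constructed for this article; not Google's, Yubico's or the FIDO project's code) of a site checking an authenticator's response. A real FIDO/WebAuthn key signs with a per-site private key and the site verifies with the stored public key; to keep the example to the Python standard library, an HMAC with a per-site secret stands in for that signature. What the model does reproduce are the two properties that defeat phishing: the credential is scoped to the site it was created on, and the signed data includes the origin the browser actually loaded, which the site compares with its own. The site and origin names are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class SecurityKey:
    """Stand-in authenticator: one credential per site, never reused across sites."""

    def __init__(self) -> None:
        self._credentials: Dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._credentials[rp_id] = secret
        return secret  # stand-in for the public key the site would store

    def get_assertion(self, browser_origin: str, challenge: bytes) -> Tuple[bytes, bytes]:
        # The browser reports the origin it is really on; the user never types it.
        secret = self._credentials.get(browser_origin)
        if secret is None:
            raise LookupError(f"no credential for {browser_origin}")
        rp_id_hash = hashlib.sha256(browser_origin.encode()).digest()
        signature = hmac.new(secret, rp_id_hash + challenge, hashlib.sha256).digest()
        return rp_id_hash, signature


class RelyingParty:
    """The legitimate site. Verifies the origin hash as well as the signature."""

    def __init__(self, rp_id: str) -> None:
        self.expected_hash = hashlib.sha256(rp_id.encode()).digest()
        self._pending: Dict[bytes, str] = {}   # outstanding challenge -> user
        self._stored: Dict[str, bytes] = {}    # user -> registered credential

    def register(self, user: str, credential: bytes) -> None:
        self._stored[user] = credential

    def new_challenge(self, user: str) -> bytes:
        challenge = os.urandom(32)
        self._pending[challenge] = user
        return challenge

    def verify(self, user: str, challenge: bytes, rp_id_hash: bytes, signature: bytes) -> bool:
        if self._pending.pop(challenge, None) != user:
            return False  # unknown, expired or already-used challenge
        if not hmac.compare_digest(rp_id_hash, self.expected_hash):
            return False  # signed for some other origin, e.g. a look-alike phishing page
        credential: Optional[bytes] = self._stored.get(user)
        if credential is None:
            return False
        expected = hmac.new(credential, rp_id_hash + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def login_flow(key: SecurityKey, site: RelyingParty, user: str, browser_origin: str) -> str:
    """Outcome of a login attempted from browser_origin: 'ok', 'key-refused' or 'site-rejected'."""
    challenge = site.new_challenge(user)  # a phishing page would relay this unchanged
    try:
        rp_id_hash, signature = key.get_assertion(browser_origin, challenge)
    except LookupError:
        return "key-refused"
    return "ok" if site.verify(user, challenge, rp_id_hash, signature) else "site-rejected"


def demo() -> Tuple[str, str, str]:
    key = SecurityKey()
    site = RelyingParty("accounts.example")                   # constructed site name
    site.register("alice", key.register("accounts.example"))
    genuine = login_flow(key, site, "alice", "accounts.example")
    phished = login_flow(key, site, "alice", "accounts-example.evil")   # look-alike origin
    # Even if the key held a credential for the look-alike origin, the signed
    # origin hash would not match the real site's, so the relayed response fails.
    key.register("accounts-example.evil")
    relayed = login_flow(key, site, "alice", "accounts-example.evil")
    return genuine, phished, relayed


if __name__ == "__main__":
    print(demo())  # ('ok', 'key-refused', 'site-rejected')
```

Nothing in a six-digit code identifies where it was typed, which is why a code relayed from a fake page verifies on the real site; the assertion above carries the origin with it and is checked against it, so the same relay fails at the authenticator, and would fail again at the site.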

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.
