If you’re not aware of what two-factor authentication (also known as multi-factor authentication) is, here is the super-simplified explanation. It’s is an extra layer of security that many online services put in place where, besides your username and password, you need to insert a number that is generated by a specific app or sent to you via SMS. By doing this, even if someone catches your password, they cannot access your account since they don’t have your phone or access to the code above.
Should I enable it?
YES! In all services that you use that have this feature. There are hundreds of services that already allow this and have clear and easy to follow tutorials on how to do it. So, either by SMS or by token, there’s no reason not to do it. Some password managers like 1password even copy the token automatically after the authentication, so you can easily insert the number. You’ll be safe and protected.
The security “issue.”
There’s only one security issue. You! Or rather, your notification strategy. If you have a smartphone and don’t change the default notification settings, then it displays the full text of the notification, even if the phone is locked. If you have it sent to you and it shows up on your screen for everyone to see, then you lose the 2-factor benefits. Of course, people need to be close to you to see it, but let’s imagine that someone steals your phone. If you use week passwords they will be able to find it quickly if you re-use passwords on multiple websites, then they will have access to your information and, since your phone displays the notification, they have the other factor of authentication.
Here’s an example of a notification from Twitter displayed on an iPhone that allows for SMS previews.
As you can see you can get the code even without unlocking your phone, so the protection of the code becomes useless.
I go over details on how to disable this, and I strongly recommend you do an audit on your notifications, but be aware of this.
Please enable two-factor authentication everywhere where you can and perform an audit to your notifications. Every day we have news of hacked sites, where hackers publish the usernames, passwords and other information. If you don’t believe me check this website that keeps track of all the hacks and can tell you if your data is “out there” or not. Taking these precautions will enable you to protect your data from those nasty hackers.