Two-factor authentication: What it is and how it works


  • Sunday, 24 Jun 2018

Two-factor authentication takes the password process a step further. Not only are a user name and password required to log in to an account, but an additional security step is also necessary. — dpa

A user receives a message from a friend with a link to a funny YouTube video, they click it, quickly log in – and their account has already been hacked. Numerous Facebook users have experienced this scenario in recent weeks.

These messages came from hacked accounts, while the video link led not to YouTube but to a fake Facebook log-in page. Whoever logged in there sent their user name and password directly to the hackers. They in turn immediately sent more messages via the hacked profile to lure more users into this trap.

This wouldn’t have happened so fast with two-factor authentication, however. This secure log-in procedure takes the password a step further. Not only are a user name and password required to log in, but an additional security code is also necessary. “It’s like having an additional safety lock on a door,” says Chris Wojzechowski from the Institute for Internet Security in Gelsenkirchen, Germany.

Essentially a second key is needed to get past the door. In order for this security feature to work, the two keys cannot be identical, nor can they hang on the same key chain. “They have to be different and kept apart so that security is still guaranteed if one of the keys is lost,” said Wojzechowski.

Two-factor authentication also requires two separate keys. The first is usually the password. It functions as usual and is normally set by the users themselves. Wojzechowski recommends passwords be at least eight characters long and not contain any names, birthdates or complete words, but rather a mix of upper and lower-case letters and special characters.

The second key is ideally not a password, but one of several concepts. With hardware keys, users receive a physical key in the form of a chip card, a USB dongle or a wireless transmitter and will need these on hand in order to log in.

“This form of authentication is widely used by larger companies and government agencies where users need to log in very frequently,” says Fabian Scherschel from the German tech magazine C’t. The advantage of this technique is its ease of use, but its downsides are high costs for the devices used and the risk they are easily lost.

For private customers, banks and online retailers especially have taken to using one-time codes like the mTAN. Here, an additional code is sent via SMS or app and entered when logging into a page or to approve a money transfer. The idea is that only the owner of the registered mobile number receives this code, which can only be used once. Another variant is a randomly generated QR code that has to be scanned by a smartphone.

The advantage here is that most people always have their smartphones on them. The procedure is also very flexible. Still, poor reception or a dead battery could thwart this process. And the first key, the password, should by no means be stored on the smartphone. If the smartphone were stolen, the thief would then have both keys. Banks should immediately be informed if a phone is lost.

The second key could also be a biometric feature like a fingerprint or facial recognition technology. This is fast and easy to use, as no additional data needs to be transmitted and most new smartphones have fingerprint sensors.

Still, biometrics are less secure than other procedures, as it is easy to copy fingerprints, for example, as they are left behind virtually everywhere. This procedure should thus not be used for highly sensitive data like online banking, although it’s certainly suitable for less important data.

Regardless of which variant is used, experts agree that two-factor authentication in any form is always more secure than a normal password. Whenever an online service offers two-factor authentication, security experts believe you should use some form of additional key. Two locks are better than one, after all. — dpa
