Passwords are broken.
Even so, passwords are still important. They’re just not nearly as effective as they used to be. People use weak passwords and reuse them from site to site, and hackers have harvested billions of usernames and passwords. For these reasons, a password on its own isn’t nearly as secure as it used to be.
That’s why it’s important to use two-factor authentication for any important website account, including your bank, your trading accounts, and yes, even your domain name registrar.
How it works
Two-factor authentication (2FA) is an additional layer of security on top of passwords. It acts as a sort of second password when logging into sites.
This way, if someone manages to get your username and password to a website, they still can’t access your account unless they have access to your “second factor”.
Odds are you’ve already used 2FA without realizing it. A common example is when your bank sends a text message with a code you must enter before accessing your account.
Three types of 2FA
There are three primary forms of 2FA currently in use. Text messages are the most rudimentary of them and also the weakest.
- Text messages – after entering your password, the business sends a text message to you with a one-time code. You must enter this on the website within a fixed period of time to complete the login process. While convenient, this is the least secure method because people can intercept these messages. However, it’s still worth using SMS-based 2FA if it’s the only option a website offers. It’s still significantly better than just using a password.
- App-based codes – a step up is to use an authenticator app such as Google Authenticator, available on both Android and iOS. Authentication apps work with multiple websites, so you only need to download one app to log in to multiple sites. The apps generate rolling codes that change about twice every minute. After entering your password at a website, the site will prompt you to open the app to find the current code. There are still some risks to this form of 2FA. Some thieves will try to trick you into entering your password on a fake site and then prompt you for your 2FA code. If you give the code, the thief can immediately log into your account.
- Physical keys – physical keys are the current gold standard for 2FA. They’re also easier to use than the other forms. A physical key is a small device that plugs into your computer’s USB port or connects to it wirelessly. When you enter your password, the site will ask you to touch your key or press a button on it, depending on the type. Keys can be used on multiple websites. Physical U2F security keys start at about $25.
Setting it up
Namecheap offers all three types of 2FA to secure your account, and it’s remarkably easy to set up. You’ll find the process very similar to how other sites activate 2FA.
Namecheap’s text-based 2FA has an additional option where you can approve logins through the Namecheap app.
If you prefer to use an app-based code, you’ll log into your Namecheap account and use your phone’s camera to scan a QR code. It takes about a minute to set up.
Namecheap also supports physical 2FA keys, which are the best method to secure your account. With a physical key, someone who knows your username and password still won’t be able to get into your account.
When setting up 2FA using an app or physical key, Namecheap provides you with a list of backup codes to use if you lose access to your phone or physical key. Make sure to print these and keep them in a safe place.
With malware and hacked passwords readily accessible on the web, it’s more important than ever to step up your security game. Set up two-factor authentication today.
Find out more about web security on our blog and also why you should set up 2FA for your business email.