PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

No More Excuses for Not Using Two-Factor Authentication

Neil J. Rubenking
 & Neil J. Rubenking Principal Writer, Security

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

A recent survey commissioned by mobile identity giant Telesign revealed that 80 percent of users worry about online security, 96 percent fear being hacked, and 40 percent have actually experienced some kind of security incident. Only 30 percent expressed confidence that passwords could protect them, but they still use the same weak passwords on multiple secure sites. 68 percent said they want secure sites to provide them with an extra layer of security. Well, why don't they just use two-factor authentication (2FA)?

Why Not Two-Factor?

The survey specifically quizzed 2,000 adults in the U.S. and U.K., all of whom own a mobile phone and have at least one online account. And the biggest reason they don't use two-factor authentication is that most of them simply don't know what it is.

OK, here's the five-cent explanation. Authentication pundits identify three types of authentication: something you know (like a password), something you have (like a smartphone), and something you are (like your fingerprint). Two-factor authentication simply means that identifying yourself requires at least two of these. Simple? Well, no.

Quite a few respondents who professed an understanding of 2FA still didn't use it, offering various justifications. Some said they couldn't figure it out, or that they feared losing access to their accounts. Some just don't use any sites that offer it (as far as they know). Between those who don't know what it is and those who don't know how to use it, 2FA isn't getting much love.

Simplification Is the Future
I spoke with TeleSign CEO Steve Jillings about just where 2FA is going. Jillings pointed out that Telesign supplies two-factor authentication to major companies all over the world, and that the company has been doing so for ten years.  "We have lots of patents and intellectual property covering two-factor," said Jillings. "A key finding from our experience is that your mobile phone number is the only truly unique but identifiable form of authentication. It's unique globally."

Indeed, smartphones are nearly ubiquitous, so two-factor authentication systems that send a code to your smartphone are definitely practical. Certainly they're more practical than any sort of biometric authentication, given the need for a fingerprint reader or other biometric scanner.

I asked Jillings about authentication techniques that skip the authentication code, letting users authenticate just by tapping a button or smartwatch. "Done the right way," said Jillings, "that can work. Our own AuthID SDK supports simple allow/deny authentication. Simplification is where the future is heading. Yahoo is trying passwordless authentication, and Google is talking about it. But almost all of it revolves around the phone number as the core identifier."

Two-Factor: Turn It On
Even if you understand completely that two-factor authentication is valuable, it's still hard to know just where you can use it, and how to enable it. That's where Telesign's new Turn It On website comes in.

The site opens with a very approachable set of vignettes illustrating what 2FA is and why you should use it. But the real marvel here is the site's collection of extremely detailed instructions for turning on 2FA in over 120 secure sites organized into almost 20 categories. Telesign continues to add secure sites, and invites suggestions from users. Jillings stated that the company hopes to have the list up to 150 within a few weeks.

Facebook, Twitter, Gmail, Apple—the list includes many widely popular sites. You'll also find more task-specific sites like MailChimp, Bitcoin-Central, and E*Trade. For each site, you get detailed, step-by-step instructions for enabling 2FA, complete with screenshots. This is an extraordinary resource!

Anybody can use the Turn It On website for free—it exists to promote 2FA. If you're interested in learning more about the survey referenced above, the full report offers a wealth of detail, including differences between men and women, different age groups, and U.S. versus U.K. respondents. But before you click to dive into those details, consider taking a moment to turn on 2FA for your most sensitive accounts.

About Our Expert

Neil J. Rubenking

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio