Question:

October was National Cybersecurity Awareness Month. Initiated in 2004 by the U.S. Department of Homeland Security in partnership with the National Cyber Security Alliance, the monthlong project exists to encourage safe practices online.

From the private sector to public agencies, protecting data is paramount. In an increasingly interconnected and digital world, personal information can be at the touch of a bad actor’s keystrokes.

Our policy team asks, “Have you ever heard of two-factor authentication?” 

Answer:

Thanks to those who participated in our survey. The results show that 94 percent of respondents have heard of two-factor authentication and only 6 percent have not. Those sound like great numbers – all the better if that knowledge is applied as action using the security measure!

Two-factor authentication is a second line of defense for online security. Many people know it as the annoying websites that text you a code after you’ve already entered your username and password. Nowadays, even strong and rotating passwords are not always enough to protect sensitive personal data from sophisticated hackers or even ever-evolving artificial intelligence wielded by an adversary. The second level of security prevents bad actors who get past a password from getting your information easily.

The most common form of two-factor authentication is a text message sent with a numeric code. The theory is that only you have your phone and you would most likely have it on you to immediately corroborate your login. Sometimes this is done through an email address as well.

One reason the text message system is not the safest is that computers are often linked to our phones, such as through a MacBook and iMessage. When filling in a two-factor code, some computers and browsers will prompt users with a popup pre-filled with the code texted to your phone. If you are the only one with your computer and phone, you are likely safe. But if you lose one or the other – heaven help you if you lose both! – a bad actor could get the code as well.

A second, more technical issue is that text messages can be intercepted. If someone can get to the code before you, they can access your data before or instead of you.

Other forms of two-factor authentication are apps that provide a unique code for every login, requiring users to use their password online, then open the app and see the latest code specifically corresponding to their current login. These codes usually expire quickly.

Whatever form of two-factor authentication you use, from text and email to encrypted mobile apps or even biometric levels like fingerprints or voice matching, a second level of security is important, especially for tax and banking purposes where identity theft is rife. This second level is not foolproof, but it raises the effort level and costs for bad actors, usually prompting them to move along to another easier target. And the more levels of security you have, the less likely anyone can get in!