Two-factor authentication (2FA), also known as 2-step verification, makes it harder for someone to log in to your account because when 2FA is enabled, the person logging in needs not only your password but also your phone (or similar device).
This is especially useful if you use the same password on multiple websites including Encyro. Encyro does not store your actual password and most websites with a well-designed security infrastructure will not either. However, some websites may not follow the latest security guidelines and may have stored your password, or a weakly encrypted form of it. If that website has a data breach and your password is leaked, then some attackers may attempt to use that leaked password on Encyro. If you have 2FA enabled, simply knowing the password will not allow the attacker to log in to your account because they will need access to your phone, to either receive the SMS code or use the Authenticator app.
Two types of 2FA
Encyro offers two types of 2FA: SMS code based and Authenticator app based.
In SMS code based 2FA, you register a specific phone number and when logging in, after you enter your password, you will be sent a text message with a numeric code that you must read off from your phone and enter on the Encyro website.
In Authenticator app based 2FA, also known as Time-based One-Time Password (TOTP) based 2FA, you install an Authenticator app on one or more mobile devices. The authenticator app is provided a secret when enabling this type of 2FA. The app then generates temporary codes. When logging in, after you enter your password, you will be asked to enter the latest such code from the Authenticator app. Each code is only valid for about 30 seconds and so the person logging in must have access to your mobile device at the time of the login (they cannot read your code once by borrowing your phone and then use it later).
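How an Authenticator app and a website can derive and check the same short-lived code from the shared secret, shown as an added example that is not Encyro's code. It assumes the common RFC 6238 defaults (HMAC-SHA1, 30-second steps, 6 digits); the secret is a constructed sample and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays current (assumed RFC 6238 default)
DIGITS = 6   # length of the displayed code (assumed default)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(at) // STEP)


def verify(secret_b32: str, code: str, at: float, window: int = 1) -> bool:
    """Server-side check; accepts +/- `window` steps to absorb clock drift."""
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(at) // STEP
    ok = False
    for step in range(max(0, current - window), current + window + 1):
        # Constant-time comparison; keep looping even after a match.
        ok |= hmac.compare_digest(hotp(key, step).encode(), code.encode())
    return ok


# Constructed sample secret (the RFC 6238 test key), base32 as apps expect it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code)
    print("accepted now:", verify(SECRET, code, now))
    print("accepted 5 minutes later:", verify(SECRET, code, now + 300))
```

The `window` parameter is why a code is valid for "about" 30 seconds rather than exactly 30: a server that tolerates one step of clock drift accepts the previous and next codes as well.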
Which type should I use?
Both types of 2FA provide similar security in general. The following two considerations make the Authenticator app based 2FA slightly more secure:
- SMS messages are often displayed on the lock screen (even without unlocking your phone). So if someone steals your phone, they can receive code-by-text messages without unlocking your phone. Accessing the Authenticator app will require unlocking your phone.
- The Authenticator app may be installed on a work computer or other fixed device secured with a cable lock and other physical access controls (e.g., door locks, video surveillance). This device would be much less likely to get stolen compared to the mobile telephony device required for code-by-text based 2FA. So obtaining your Authenticator app based device can be made much harder for attackers than obtaining your smartphone.
Authenticator app based 2FA may also be preferred in the following scenarios:
- Using SMS 2FA may incur a charge for receiving the code in text messages if incoming SMS messages are not free on your cellular network plan. If you wish to avoid paying for these texts, use the Authenticator app based 2FA. (The Authenticator app is free to install and use.)
- If you live, work, or use Encyro from regions where cellular network coverage is unreliable, then you may have trouble receiving the SMS message at login time. The Authenticator app does not need network coverage once it is installed on your phone or other device. For example, if you will be at a remote holiday resort, with wired Internet for your computer but not very good cellular coverage, enable the Authenticator app based 2FA.
- If you will be travelling outside your home country and do not wish to activate international roaming on your phone (receiving texts when roaming internationally can be expensive), use Authenticator app based 2FA.
- Encyro may not be able to send SMS messages to phones in all countries. If your country is not on the list of countries offered when enabling SMS based 2FA, please use the Authenticator app based 2FA.
The Authenticator app is free and once installed, it can be used for not just Encyro but all websites that offer Authenticator app based (TOTP based) 2FA for login, including most popular webmail providers.
We strongly recommend that you install the Authenticator app on at least two devices, so that if one device is lost or damaged, you have a backup device to use for your login.
SMS based 2FA is preferred if you do not wish to install an Authenticator app.
Can I Use Both Types of 2FA?
You may enable both types of 2FA, and in fact it's a good idea to do so. If you do, then when you log in and enter your password, you will be given the option to select which of the two types you wish to use for the login.
Having both types of 2FA is useful if you use two different devices for the two types. For instance, you may use your own phone for setting up SMS based 2FA and then use your spouse's phone, or an iPad, or even your laptop to enable Authenticator app based 2FA. Then, in case your phone is lost, stolen, or damaged, and you are unable to receive SMS messages, you can use the other device via the Authenticator app to log in.
What if I Log In with Google or Facebook?
If you log in with an external provider, such as Google or Facebook, then you should enable 2FA in their respective account settings. Encyro 2FA only works when you use an Encyro password to log in.
Google: To enable 2FA for your Google login, go to https://www.google.com/landing/2step/ and click "Get Started." Then follow Google's instructions to add one of the 2FA options offered, including Authenticator app based, or text message based 2FA.
Facebook: The instructions from Facebook to enable 2FA are available here: https://www.facebook.com/help/148233965247823