I think I’m not the only one, but I hear quite a lot from people that there is no need for 2FA, that it’s useless and that it adds an extra step when logging into services. Until something strange or unexpected happens. Then they usually change their minds.

So what is two-factor authentication? Many services, like Facebook, X (Twitter), Reddit and Mastodon, have the option to turn on 2FA. When it is turned on and you log in to a service, it asks for your username and password as usual, and then you get a verification code by email or in the authenticator app on your smartphone. After you have given your username and password, the service asks for the verification code you received. Basically, this double-checks that you are you and not some random person or bot who has guessed your password.

If you are using email to receive the code, it’s crucial that you don’t use the same password for the service you are logging in to and for the email account. It ruins the whole idea if some random person or bot knows the username and password combination both for the service and for your email. The computers, or the service itself, then think you are you, although it’s not you. In this case there is no point in using 2FA: it works as designed, but it doesn’t protect anything.

It’s quite common that people tell me that they don’t have any important information on service x, where x can be Facebook, LinkedIn or any other service. This is the first false thought. Almost every service has some information about you that you don’t want to share with the rest of the world. It can be texts, images, links, contacts, bank account numbers or whatever, but it is still personal. What happens when someone else has access to your user account? The first thing is that this information is not personal anymore, and the second thing is that the person or bot who pretends to be you can change the password for your user account. So the personal data on the service might be lost forever. It’s a bit far-fetched, but basically you can consider this identity theft. This usually leads to frustration for the people who just said that there is no important information on service x.

Luckily, there is a service called Have I Been Pwned?. It is quite a handy tool for checking whether your password has been breached. If the password has been breached, we recommend changing the password immediately.