Two-Factor Authentication (known as 2FA) is one measure a lot of companies use to keep their customers’ accounts safe from intrusion.
One common example of 2FA in action is when you forget your password to an online account: you click the link to reset your password, and you receive an email or text message (at the mobile number you provided on your account) containing a six-digit code that you must type or paste in to verify that the account owner is the one requesting the password reset.
It's based on the assumption that an unauthorized person probably doesn't have access to your mobile phone. It works okay, unless a scammer manages to get between you and 2FA. Here's a scenario:
A scammer starts by obtaining your Gmail address and mobile phone number (a lot of this information—about everyone—is already available from data breaches and leaked databases, or from our own carelessness online). The scammer goes to the Gmail website and performs a password reset, then contacts you through text, posing as a Google tech who needs that six-digit code to fix something wrong with your account.
If you provide this code, the scammer will be able to log in to your Gmail account and change your password, locking you out. Once they have control of your email account, they can read your messages to find where you have social network and financial accounts, and use 2FA (using the email account they now control) to once again perform password resets on all of those accounts. You end up locked out while the scammer transfers money out of your accounts and uses your social media accounts to defraud others by pretending to be you.
The most important thing about two-factor authentication is this: never reveal a verification code to ANY other person. If you’re requesting a password reset, type or paste the code as instructed. Anyone else contacting you to ask for a code is attempting to break into your accounts. In other words, if you get a verification code out of the blue, watch out for someone to contact you, asking for the code. Never give it to them.
It’s also important to keep your mobile number and email addresses updated on any accounts you may have, if that information changes at any point. In addition to the security aspect, it’s also a lot easier to reset a password if the service is sending the verification code to your correct phone number or email address.