Understanding 2FA Two-Factor Authentication through Substack's Login Design

Last week, our pop-up store "Drifting Classroom" had its first trial run and faced heavy rain. I was prepared for zero business, but surprisingly, four readers showed up to support. While the conversations were delightful, I worry that I might have neglected some guests. One reader, a DHK token holder, even gifted a token, bringing three new stakeholders to DHK DAO from this small gathering.

Typically, I’m in hermit mode during evenings, but today (Thursday, June 20), I’m making an exception. I’ve decided to have another pop-up session from 6:00 PM to 8:00 PM at the Star Cafe in Tsim Sha Tsui—this will be Drifting Classroom #1. The format remains the same: if anyone shows up, we'll open wallets together and I’ll distribute DHK tokens; if no one comes, I'll switch to "Introvert" mode—dining and reading alone. Apologies for the short notice; let’s just go with the flow.

I often talk about blockchain and other web3-related technologies. Even if some people think it's all a fuss or even a scam, believing that web2 and centralized governance are the true path, they would still agree that information security is crucial.

In today's information society, cybersecurity has become an essential skill. If you don't learn at least a few basic techniques, you're likely to suffer the consequences. In the upcoming posts, I'll discuss topics related to cybersecurity. You'll find that regardless of your stance on web3, the relationship between cybersecurity and cryptography is inseparable.

If someone asked me what the first step in good cybersecurity is, I'd answer without hesitation: 2FA, or Two-Factor Authentication.

Yes, compared to having a strong password but lacking a second layer of defense, I’d rather a user’s password be “123456” but protected by a second verification step. Of course, this is only if I had to choose between the two—I'm definitely not advocating for weak passwords. Don’t take passwords lightly; getting hacked and then blaming me won't do any good. Let’s put it this way: 2FA is the "low-hanging fruit" of cybersecurity. Spend five minutes enabling 2FA, and your security level will immediately see a significant boost, reducing the chance of being hacked by at least 90%.

In recent years, generative AI has made rapid progress. Whenever an Alice expresses concern about AI replacing humans, a Bob inevitably jumps in to clarify that we don't need to outperform AI; we just need to know a bit more about it than others to avoid being outcompeted. The same principle applies to getting hacked: as an average user, you don’t need to be more skilled than the hacker; you just need better defenses than other users. If plenty of accounts without 2FA are ripe for the picking, why would a hacker go through the trouble of breaching your account? This is why I confidently say that enabling 2FA reduces your risk of being hacked by 90%.

However, note that this applies to "ordinary users." If you're under special attention from higher-ups, this logic doesn’t hold. Digital intrusion can be either untargeted or targeted. In untargeted attacks, hackers go for easy pickings—much like a thief choosing the bike with the weakest lock among many. If your lock is better than others, your bike won’t be stolen. Targeted attacks are a different story: if your bike is a Lamborghini and the thief is determined to steal it, then it's a real battle of offense and defense. Your shield must withstand their spear, and simply outperforming other users won’t suffice.

By spending a little time reading my articles and “getting your hands dirty” with the follow-up actions, I can assure you that you’ll be well-protected against untargeted attacks. However, if you find yourself targeted for some reason, your adversary may come from Silicon Valley, the Pentagon, Tel Aviv, Moscow, Pyongyang or Zhongnanhai, I'm just a small fry and can't offer much help. The best I can suggest is to be as careful as possible and raise the bar for any potential breaches, so at least you won't be an easy target.

As the name suggests, Two-Factor Authentication (2FA) involves using two different factors to verify a user's identity before granting access to a service.

These factors can be divided into three categories:

1. What you know: Information you know, such as passwords, birth dates or ID numbers.

2. What you have: Items you possess, like a phone, keys or an IC card.

3. Who you are: Biometric verification, such as fingerprints, facial recognition, or iris scans.

For a service to qualify as 2FA, it must require authentication using two of these three types of factors. Simply using a password doesn’t count as 2FA. Even using two different passwords isn't true 2FA because it still relies on a single type of factor. This is why translating 2FA as "two-step verification" isn't entirely accurate. While two passwords are certainly more secure than one, the added security is limited. If a hacker can crack one password, they can likely crack the second one with a bit more effort. 

2FA, on the other hand, adds a whole new dimension of security by incorporating another type of factor. It’s like moving from one-dimensional to two-dimensional security, significantly enhancing protection. Therefore, the crucial aspect of 2FA isn't the "two" but the "factor" (F).

Traditionally, the most common combination for 2FA is "password + verification code". The password is something you remember, while the verification code is generated by a device you have or received via SMS. This method utilizes the "what you know" and "what you have" factors. While cracking a password alone is often not difficult—especially since passwords people remember aren’t usually very strong—adding the second factor makes hacking significantly more challenging, requiring an entirely new set of skills.

However, it’s important to note that while this is the most commonly used combination for 2FA, it’s not my recommendation. Firstly, I advise against remembering passwords in your head, and secondly, I don’t recommend using SMS as a second factor because SMS can be easily intercepted, particularly in certain countries. I've personally experienced hackers who could read all my SMS messages.

Now, I must admit that when I said the low-hanging fruit of cybersecurity is 2FA, it wasn’t entirely accurate. What I meant is enabling verification codes on accounts that currently only use passwords. Download Google Authenticator, scan the specified QR code, and use the verification codes generated by Google Authenticator as your second factor. Google Authenticator will encourage you to sync your codes to the cloud, which is useful if your phone is lost or damaged, but it also means that if your Google account is compromised, all accounts using it for 2FA could be at risk. Therefore, I recommend not enabling cloud sync.

For now, let’s not delve into more advanced topics, such as which Authenticator app is the best. As a starting point, simply implementing 2FA as described above is already a great step. My goal is to clearly explain the concept of 2FA, so that once you understand this principle, everything else will become easier to grasp.

The "password + verification code" is the most typical 2FA combination. However, the login methods can vary depending on the service, security requirements and devices used. Some services might not follow industry standards and create their own "security" rules, such as forcing users to change their passwords every three months but limiting them to eight characters. For higher security requirements, some may use dedicated hardware like Yubikeys for the second factor. While computers may not always have biometric authentication, most smartphones do. These factors all influence login methods. However, the fundamental principle remains the same: to judge the security of a login method, check if it uses two different factors.

Let’s play a game to test this principle with real-life examples. Take Substack’s account settings, for instance:

If you follow the advice from earlier in this article and try to enable verification codes for your Substack account to achieve 2FA, Substack will first require you to set up recovery questions. This involves setting several private questions and answers, so if you lose access to your email or the device with the authenticator, you can recover your account by answering these questions.

If you've been paying close attention, you might have already guessed from the earlier screenshot that Substack is one of the few online services where I haven't enabled verification codes. I understand Substack's good intentions, but recovery questions are among the worst login methods because they can easily be compromised through "social engineering". For example, a hacker could simply have a friendly chat with your elderly parents to learn where they met.

The defense of a system is only as strong as its weakest link. Yes, entering a password followed by a verification code adheres to 2FA principles. However, if you can reset your account by answering "private" questions, it's like having a sturdy front door with an iron gate but a security guard who, being overly helpful, will open the door for anyone who dresses neatly and claims to be a friend of the homeowner.

Substack’s product design is very thoughtful, including its login process. They likely considered that many writers might not be well-versed in cybersecurity, so they included recovery questions. While I appreciate the thought behind this, I'd rather stick with a single, 40-character password that includes uppercase and lowercase letters, numbers, and punctuation.

This seems like an easy question, right? Of course, it's single-factor authentication. But hold on—

When you know and remember your password, logging in using only that password relies solely on the "what you know" factor. This is true. However, the password I use for Substack is generated by the password manager Proton Pass. I can't remember it, and I've never even seen it. To enter the password, I rely on Proton Pass, which is installed on my MacBook and Android phone. To access the password, I need to have my MacBook or phone and use fingerprint authentication to unlock the device. From this perspective, although I'm only using a password, I've effectively used the "what you have" and "who you are" factors, making it a form of 2FA?

Should we really understand it this way? Or is it that a single checkpoint inherently means single-factor authentication, and I'm just playing with words to confuse the issue?

Share your thoughts in the comments.

p.s. Just after boasting about never missing a deadline in three years, I struggled to write this week's piece, taking two days to type even a single word. To top it off, my keyboard broke. I barely managed to publish on time. Superstition might be right—touching wood is important.