Two-factor authentication (also written as 2FA) adds security to the websites and applications you log into by adding a second layer of verification. Where single-factor login requires only a username and password, two-factor login requires an additional step to verify your identity. This usually comes in the form of a numeric code or a link sent via email or text that must be entered before access is granted.
Financial accounts frequently use two-factor authentication, and many internet security experts highly recommend that everyone implement two-factor authentication on these accounts. Some people also implement two-factor authentication on other accounts including their email, social media, and marketing tools.
Two-factor Authentication for Virtual Assistants
As a Virtual Assistant, you need to know whether your customers use two-factor authentication on any accounts you will be working with, because you will need to coordinate additional communication so that they can send you the access code you need to log in and complete your work. Two-factor authentication codes usually time out after 10 minutes or so, making the timing of communication between you and the customer critical.
Email Marketing Accounts – Popular Applications for Two-factor Authentication
One of the most common places customers use two-factor authentication is their online email newsletter accounts, like Mailchimp, ActiveCampaign, and ConvertKit. Depending on the level of work and how long you'll need to use the application, some clients turn it off for a day or two to give you access; others make sure they are available to send you the code.
Turning off 2FA for a short period may be acceptable for email newsletter accounts, depending on who has the password access, but is not recommended for financial sites.
Ask About Two-factor Authentication When Onboarding Your Clients
One of the best ways to prepare yourself for two-factor authentication is to ask your customer if they use it during your onboarding discovery call. If you know they are using it, you'll be prepared to coordinate access at times when you are both available and can make sure it is turned off when needed if that is going to be your solution.
Understand that your customer may not be familiar with the term two-factor authentication, so you may need to ask whether any of their accounts require an additional code, sent to them via text or email, in order to log in.
Unknown Device Two-factor Authentication
Another place you may run into two-factor authentication, even if a customer hasn't configured it for an account, is when you are logging in for the first time. Some websites and applications require an extra layer of security when they detect a login from an unknown device, IP address, or browser. In this case, they will send an authentication code and once you enter it, you can usually select to remember this device or browser.
This is a situation I frequently find when logging into Amazon from a new location.
Two-factor authentication requires an extra layer of confirmation to log into an account. Usually, this is based on a text message or email. By understanding the basics behind two-factor authentication and educating your customers on the process, you cement your status as a trusted advisor for the information the customer finds important.
Transcript of Two-factor Authentication What Virtual Assistants Need to Know
Hey everybody, it's Kim Shivler. Welcome. Today we are going to talk about what every virtual assistant needs to know about two-factor authentication. So when you go log into something, think of a website and you enter your username and your password and you've logged in. That's single-factor authentication. It took one piece of information to grant you access. Two-factor authentication adds another level of security and makes you jump through one more hoop in order to actually log in. So for example, if you have your banking set up, and I recommend if you're using online banking, which pretty much everybody is, that you do set it up this way. If you have it set up where you enter your username and password, and then it sends you a text with a code and you have to enter that code to prove it's really you, that is two-factor authentication.
(01:19): Two-factor Authentication is Highly Recommended for Bank Accounts
I highly recommend it, especially for super secure things like bank accounts, because if you're traveling, and particularly if you travel and you were using a login somewhere that wasn't a hundred percent secure, someone grabs that password from you, they still are not gonna be able to log in unless they, for example, have your phone and then can get the code. So this happened to me once. I was traveling on business, and all of a sudden I got a code on my phone. This is your authentication code. So I knew that someone actually actively had my username and my password because it wouldn't have gotten all the way to that authentication if they didn't. But I was able to not have them get in because they didn't have my phone, and they didn't have the code, but had I just been username and password, they would've had full access to my bank account. I then, for security purposes, did log in properly, and changed my password to make sure that that wasn't out there. Sometimes you can change usernames, sometimes you can't, but that's two-factor authentication. And I do recommend using it at least on your financial institutions where someone could get access to your money.
(02:57): If Your Customer Uses Two-factor Authentication, You'll Need to Coordinate the Communication to Access Those Accounts
Now, where does this come in as a virtual assistant? If you are using an account where your customer has two-factor authentication set up, then you are going to have to work with them to where they're gonna be available to give you the code. So depending on how it's configured, sometimes it's a code that's texted or emailed to you, and you have to enter the code. Sometimes it is a link that is emailed to you, and you have to click on the link. There is usually a timeframe, 10 minutes is about the norm. So if you don't use that code in 10 minutes, it's timed out, you can't use it anymore. You would have to get a new code. Where I see it a lot with clients is with their email marketing systems, their ActiveCampaign, AWeber or this type of thing where they've set up two-factor authentication.
(04:02): Sometimes Two-factor Authentication Can Be Turned Off While You Work on the Account – Not Recommended for Financial Accounts
So your two options really when you're working with a client is either one, they turn off two-factor authentication while they're working with you. (I don't recommend turning off financial accounts.) They can always turn it back on or you have to coordinate with them where they are going to be able to give you that code so that you can log in and get the access. I don't recommend that they change it to your email address because then sometimes you have to go through hoops to get it changed back, and you may have to approve and that can just get really confusing. It's better to actually turn it off short-term, you know, a couple of days while you're working on it or to, you know, work together so that they can get you the code. But I have seen this happen and it's a good thing to ask someone.
(04:59): Ask Your Clients About Their Accounts During Onboarding – Avoid Surprises and Know What You'll Need for Account Access
So if you are getting them set up on, I'm gonna do this email marketing for you, go ahead and put that on your onboarding list, which are the questions you ask your customer as you're onboarding them, bringing them in to work with you. Ask them, do you have two-factor authentication set up? They may not know what that means based on the terminology, but you can explain to them, Hey, do you have it set up where you enter your username and password and it logs you right in? Or do you have to get a code after that to let me in? And then you will know, do you know, you will be able to explain to them what you know, the situation that you're gonna have to coordinate together, that type of thing. For those of you who've watched my training on using a password protector, such as LastPass, where instead of giving someone your password, you can grant them access through the password protector.
(06:02): Using Password Protectors Doesn't Replace Two-factor Authentication
That does not circumvent the two-factor authentication. What that does is it does the single factor, the first factor, which is the username and password. If you have two-factor authentication set up, it's still going to have that same renewal where you have to get a code to enter that. Now let me throw one thing in that happens sometimes is a customer may not have true two-factor authentication set up. However, for security purposes, some websites have it set up to where if you're logging in from a different device, right? So yours is going to be a brand new device logging in, they don't recognize. It could be a different type of browser, very likely is a different IP address because wherever your internet provider is that you're logging in is going to be a different address than wherever they are because that's linked to the location you're coming in from.
(07:12): Some Sites Require Two-factor Authentication When They Detect a New Device Trying to Login
So some sites, when they see a new device, will go ahead and force a two-factor authentication. For example, Amazon, whenever I go to log into my Prime, if I'm traveling and I'm somewhere different and it doesn't recognize my device, it sends me a code via email or actually, excuse me, via text and I have to enter that and I can then choose, remember this device, remember this browser, et cetera. So that is something else to keep in mind. If you go to log in and you get a warning like that, reach out to your customer. If they happen to be available with their phone, hopefully you can go ahead and get that code and get logged in and set yourself up to be a remembered device. If you can't get ahold of them, you may have to go ahead and email or text them and let them know what's going on and set a time so that they can get the code handed on to you.
(08:18): Coordinating Communication for Access is Important and May Consist of Texts, Emails, or Phone Calls
Sometimes just, this is a great place for text to work, you know, letting someone know, Hey, did you just get a code and they can text that code to you or you know, they can go ahead and you can set up a time and say, Hey, I'm gonna do this. You'll get this code and then they will text it to you. Obviously, whenever we're texting, we want to make sure that we know the name and the phone number we're texting to. Don't be texting codes or calling people and giving codes if you do not know who you're actually talking to because frankly that just
(08:54): Still Have Questions – Ask on the YouTube Channel or Blog
circumvents the security that you have implemented with this. As always, if you have a question or comment, please leave it either in the comments on the blog post or if you're watching on YouTube, you can put it in the YouTube comments. Any links and other information are always going to be both in the blog post and the YouTube video description. I'm Kim Shivler, I'll see you next time. Bye.