A strong password is fine and dandy, but you can add a second layer of protection to most of the services we use every day.
When using services such as iCloud, Google, or Hotmail/Outlook.com you may have noticed them asking for your phone number. One reason they ask is so you can recover your account securely if you lose your password, but it also adds another layer of protection.
If you sign in to your account on a new computer or phone, or perhaps you sign in when abroad, they may send a verification code to your phone before you log in.
This process is known as Multi-Factor Authentication. Sometimes it's referred to as 2-Factor Authentication or 2-Step Authentication, but for the purposes of this article we'll ignore the distinction between 2FA and MFA and refer to these additional measures as MFA.
Why Multi-Factor Authentication?
Why go to all this hassle of having to get a code from your phone in order to log in?
Essentially, it's another method of verifying that whoever is asking for a login or transaction to happen has authorisation to do so. If some miscreant obtains your password, this would stop them in their tracks, because in order to proceed they would need not only your password but also your phone (or a token device issued by the service).
There are various ways to go about maintaining this layer of security. Some services like HMRC require you to authenticate every time you log in. Others such as Google ask for the second factor only if you log in from another computer, or if the login is somehow different from your normal behaviour (e.g. logging in whilst abroad).
Should I enable Multi-Factor Authentication?
Where it is available, most certainly. It's definitely worth the time investment to set up and honestly, if you have your phone with you all the time, it's a minor inconvenience.
What are the drawbacks?
If the system asks you to verify with your device, you need to have your device with you. That may not be possible for everyone.
If there is a service with a shared login, only one phone number can be associated with the account. But honestly if you have this situation with multiple people sharing an important account, you should look into whether getting individual accounts is possible. This is vital not only for security, but for auditing purposes.
What happens if I lose my phone or change my phone number?
If the multi-factor authentication is tied to your phone number, this means you need that phone to log in to your account. If you lose it or it is stolen, obviously that raises difficulties.
Some services such as Dropbox give you a set of printable recovery codes that you can store in a safe or other secure place. These let you log in in lieu of your phone.
Otherwise you need to step through the account recovery process with the service provider. Thankfully this is normally straightforward, but it may take some time if it isn't an automated procedure, and that very much depends on the service provider.
If you are planning to change your phone, so long as you keep the same number you'll be fine - the SMS will come through as normal on your new device. If you are using a software token app such as Google Authenticator to authenticate rather than SMS, you'll need to log in to each account and set up MFA on Google Authenticator on your new phone before discarding your old device.