Two-factor authentication is a simple way to secure online accounts

While we stress the importance of creating strong passwords with the use of third-party software, there is another step you should be taking that adds a great deal of security to your accounts at very little cost to convenience. That step is to add two-factor authentication where you can, which makes you prove that you are who you say you are in addition to entering the correct password.

What is it?

Using only a password might be considered “one-factor” authentication, because you are authenticating (proving you deserve access) in just one way. With two-factor authentication, you will usually first enter a password. Then, there will be another task, such as entering a short PIN code sent to your personal phone via text message.

When you sign up for a website that uses two-factor authentication or you decide you want to set it up, you may have a few different options for choosing that second level of authentication. The most common is providing your cell phone number. With that, you can just receive a text message that contains a number each time you need to authenticate. The logic here is that a hacker is unlikely to have access to both your passwords and your cell phone. One is typically gained by hacking and the other by physical theft.

Other options exist for the second level of authentication. The most common is using an app such as Google Authenticator, which generates randomized numeric codes much like the ones you would receive via text in the former scheme. One of the key advantages with Google Authenticator is that it works without a cellular plan or any sort of internet connection. You connect it to your account initially and it stays connected. It will generate a new code several times per minute in perpetuity after that. Only your app and the account you’re connecting to know what the sequence of these codes will be.
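How an authenticator app can produce codes offline: Google Authenticator implements the TOTP standard (RFC 6238), which derives each code from a secret shared at setup and the current time. The sketch below is an added example, not code from this article or from Google; the secret is the published RFC 6238 test key, and the 30-second step, 6-digit length, drift window and replay check are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code (RFC 6238 default; assumed here)
DIGITS = 6   # code length (assumed; common in authenticator apps)

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# a setup QR code would carry it. Never use a published key for real.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(key, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None):
    """What the app displays: HOTP with counter = unix_time // STEP."""
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, int(time.time() if now is None else now) // STEP)


def verify(secret_b32, submitted, now=None, drift_steps=1, last_used=-1):
    """Server-side check; returns the matched counter or None.

    Tolerates +/- drift_steps of clock skew and refuses any counter
    <= last_used, so a code that was already accepted cannot be replayed.
    """
    key = base64.b32decode(secret_b32.upper())
    current = int(time.time() if now is None else now) // STEP
    matched = None
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0 or counter <= last_used:
            continue
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(hotp(key, counter).encode(), submitted.encode()):
            matched = counter
    return matched
```

The server stores the counter returned by `verify` as `last_used` for that account, which is what stops a code glimpsed over someone's shoulder from working a second time.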

Other simple options that are sometimes supported are receiving similar codes via a phone call or email. These are much less common, certainly, so don’t count on them to be present everywhere you want to secure your accounts. Generally speaking, you’ll be choosing between SMS and Google Authenticator or its equivalents. A growing group of websites are supporting second-factor authentication via hardware devices like the YubiKey, which is a USB-enabled key that is unique to you and acts as a sometimes more convenient means for validating your identity.

Why bother?

As mentioned, this puts the onus on hackers or anyone else trying to gain unauthorized access to your data to steal from you twice, with the second instance almost having to be a physical theft. Half of the allure of hacking is that the hacker is in no physical peril; a clever computer whiz can look for the low-hanging fruit on the web and use other people’s personal data for evil purposes. When you add the second factor of authentication, any evildoers will have to find some way to break into your cell phone and read your text messages or watch your Google Authenticator app. If you use something like a YubiKey, they will have to get their hands on that physically.

On the flip side, if you do not have it enabled and somebody steals your password, under some circumstances they could enable two-factor authentication and lock you out of your own account! This is a good reason to make sure you have this set up from the get-go. If not, make sure you have a valid email address and, possibly, phone number as part of your account information so that you have a chance to stop a hacker from pulling this off.

In late 2012, a former Gizmodo blogger saw all of his most important accounts broken into, and with it lost years of precious data as well as access to some of his own devices. In his case, the “hacker” didn’t have to hack anything. They found a few tidbits of personal information floating around on the internet and started making calls. Before all was said and done, they were able to get the last four digits of his credit card from Amazon. After that, they were asked by Apple to prove the blogger’s identity by providing the last four digits of the credit card!

Clearly, some of the services we trust with our data and finances need to tighten up their own security, but there are options to prevent things like this. The easiest would have been to have two-factor authentication enabled. Making this anonymous hacker prove they had physical possession of the blogger’s cell phone or something similar could have snuffed out the entire operation, despite the negligence of the customer service teams at Amazon and Apple. What ended up happening was the hacker gaining access to the blogger’s iCloud account and quite quickly taking his information before wiping his iPhone, iPad, and MacBook Air, followed by setting a PIN code to prevent him from continuing to use those devices.

Just like that, it was all gone. He didn’t do much to deserve targeting, just like you won’t. It had more to do with the kinds of innocent pieces of information that can appear on the internet without our ability to stop it, followed by a cyber-criminal realizing what he or she could do with it. Usually, you and the larger tech community don’t catch on to these vulnerabilities until somebody, maybe you, has lost out big time. This is where taking easy precautions like two-factor authentication comes into play.

If you are worried about something like the story above happening to you, make sure to begin using a password manager to create and store more secure passwords. Use a privacy-oriented web browser or configure your current one, like Firefox, to try to control what data of yours leaks to the public internet and protect yourself from hacking attempts. To avoid losing your data, store your files securely in the cloud while also using an external drive of some sort to keep a physical backup in case someone figures out how to erase your cloud data (or vice versa).

Where can you use two-factor authentication?

Implementation of two-factor authentication is still all over the place. Some web sites you would definitely expect to have it still don’t. Others that you would not expect to have it, do! It can be hard to keep track of. Some of the highlights include:

  • Google, Facebook, Twitter, Yahoo, Outlook/Microsoft, iCloud/Apple
  • Bank of America, Chase, Discover, HSBC, PayPal
  • Dropbox, Box, Evernote, (Google Drive and OneDrive through your respective accounts)
  • LastPass

At this point, you can check out TwoFactorAuth.org for an always-up-to-date list of web sites that do and do not offer two-factor authentication along with a listing of which types of second factors they support. It is crowdsourced, so you can update it if you see something that is inaccurate or suggest a new website to add to their listing. They also offer an easy way to formally ask web services to implement the security protocol.

You should enable two-factor authentication wherever you can. Your top priorities should be the places where you would be most hurt if somebody were to access and use or destroy your information. For many people, Google or Apple will be near the top of the list. These tend to be “hubs” for personal information, payments, networking, email, and even cloud storage. You also probably have an online banking or payments service that could use some extra security. Cloud storage is another obvious category if you use one of those and it isn’t connected to your already-secured Google/Apple/Microsoft account.

Featured image by Perspecsys (Flickr).
