Start using two factor authentication – like yesterday

 

Not a week goes by that we don’t receive a frantic phone call from someone with a compromised account. A bad actor has cracked their email password and sent out thousands of spam emails. Or maybe they have been locked out of their social media account. Each and every time, the person on the other end of the phone is using a simple password- one that they have used for years, one that they use on other sites.  Each one of these phone calls could have been avoid if they would have enabled two-factor authentication for their account.

 

 

What exactly is Two-Factor Authentication?

Two-factor authentication is a verification mechanism to double check that your identity is legitimate.

Let me give you an example. Let’s say you want to log into your Gmail account. You will get prompted with a login box that looks like the one below.

Two-factor authentication works as an extra step in the process, a second layer of security, that will confirm you are really you.

Gmail - login - enter verification code

The purpose is to make the bad player’s life harder. If you already follow basic password hygiene, adding two-factor authentication will make it more difficult for cyber criminals to break into your account.

 

What makes up the two factors?

1. Something that you know – This will normally be a password, but it could also be a pin number or an answer to a question.

2.  Something that you have –  This is always something physical like a mobile phone, a key fob, an ID card or a security token.

3. Something that you are –  This is something biological, like your fingerprint, your voice, face recognition, retina scan.  This type of verification is usually more expensive than the something you own method, although they are extremely unique and hard to crack, unless you are working for the government or a company with some deep pockets you probably won’t be using these methods.  I will add however, that there are some fingerprint devices on the market being utilized by small and medium businesses.  We have a few floating around the office that we use.  It does make logging in much easier than typing in those long passwords!

Why should I activate Two-Factor Authentication?

I guess “because I said so” isn’t going be enough here?  Passwords on their own just aren’t as infallible as we need them to be. Cyber criminals have the power to test billions of password combinations in a second.

What’s even more depressing is that over 65% of people use the same password everywhere.  (That isn’t you, is it?)  That’s like having the same key to unlock your car, house and your safety deposit box.

Security questions use to be the way to go, but those are easy to find out, especially now that most of us post just about everything on our social media accounts.  Give me about ten minutes and I can tell you the year you graduated, the city you grew up and your pet’s first name.

Even if you don’t give this information out on Facebook, some of it can be found out through public records, available for anyone that cares to take the time to go look.

This is where two-factor authentication really comes in handy.  It offers an extra layer of protection, besides a password.  It is harder for the bad people to get the second authentication factor. They would have to also have your cell phone for instance.  This drastically reduces the chances of ruining your day.

Two-factor authentication is a must have for:

  • online banking
  • online shopping (PayPal, Amazon)
  • email (Office 365, Gmail, Hotmail)
  • cloud storage accounts (Dropbox, Box)
  • social media accounts (Facebook, Twitter, Instagram, LinkedIn)
  • communication apps (Skype, Slack)
  • line of business applications
  • any application that offers it – you should be utilizing it

How to get it working…

 

Two-factor authentication using your phone:

One of the most popular methods of two-factor authentication is a mobile phone.  Almost everyone has theirs with them at all times.

In order to verify your identity, you can use a one time code that you receive via a text message (SMS message), or you can generate via an app on your phone.

SMS messages have some pros and cons.  One one hand, it is easy to setup and you don’t need a smartphone to receive a text message.  (Yes, some people still carry around flip phones!)  However, if you travel around a lot or work in places where cell coverage is poor, the delivery of the text message may be delayed, or may not work at all if you are out of coverage.

The SIM card in a phone can also be cloned.  This allows a bad guy to redirect traffic destined to your phone number to a new number.

Mobile apps help defend from this and also allow a better handle if you have multiple accounts setup for two-factor authentication.

Here are a few examples of mobile apps that you can use for two-factor authentication:

  • Microsoft Authenticator
  • Google Authenticator
  • Authy

These are all available on Android or Apple devices and most have browser and desktop versions as well.

Is two-factor authentication un-hackable?

Unfortunately…No.  In the world of computers, there is no fool-proof security system.  That being said, it would take quite a bit for the bad guys to circumvent it.  For example, they would need to gain access to your phone.  Or launch a targeted attack against a web hosting provider manipulating the communication between you and the web server to attack the two-factor authentication itself.  Examples like this have happened, but these are much rarer than the millions upon millions of examples of people getting their passwords cracked that don’t have two-factor authentication enabled.

Having a password and an extra factor authentication does not make your account 100% secure.  It just make it more difficult to breach.  The bad actors out there are attacking the masses and going after the path of least resistance.  The more barriers you put between them and your data, the more likely they are to move on and find someone else who is less protected.  Don’t be that person.  Passwords and security and can be a pain in the butt, however recovering from a breach, or losing your identity to a hacker, is much, much worse.