[SECURITY] Your Password Is Not Enough

If you scanned that headline quickly, you might have read it as ‘Your Password Is Not Strong Enough.’ The point of today’s article is that no matter how strong your password is, it’s not enough on its own to protect you. Some security tips bear repetition. I’ve been beating the drum for two-factor authentication for several years. I know, it sounds geeky, but it’s actually a simple tool that can protect you even if your password is stolen or exposed in a data breach. Here’s what you need to know…

What is Two-Factor Authentication?

It goes by many names… Sometimes it’s referred to as “2FA,” “two-step verification,” “login approval,” or “enhanced login security.” Bottom line, it’s a big improvement on the username/password method of gaining access to online accounts. Massive data breaches, often exposing millions of login credentials

Two-factor authentication makes it much harder for someone to break into your online accounts, even if they have your password. That’s because a password is just one factor used to prove (authenticate) that you are who you say you are. The second factor must come from a different category, so that stealing one of them does not hand over the other.

A username, such as JSmith419, is who you claim to be. In order to authenticate that claim, you may provide a password which, in theory, only the real JSmith419 knows. That’s one-factor authentication. Two-factor authentication requires two of the following three types of authentication factors:

  • Something you know (e.g., a password)
  • Something you have (e.g., a mobile phone or a security key)
  • Something you are (e.g., a fingerprint)

Passwords and mobile phones have become the most common pair of factors for two-factor authentication. To combine factors 1 and 2, you register your phone number with an online service such as Gmail, Facebook or your bank. Then, each time you enter your username and password, the service sends a text (SMS) message to that phone number containing a unique one-time code that you must type in before the login is complete.

But SMS-based authentication has serious weaknesses. SMS was never designed for sensitive communications: messages are not end-to-end encrypted, they travel over carrier networks that can be abused for interception, and a code sent to your number can be captured by an attacker who talks your carrier into moving your number to a new SIM card (a “SIM swap”) or who tricks you into typing the code into a fake login page. It is still far better than a password alone, but it is the weakest of the second factors described here.

You’ve Got Options

Google and other online services offer 2FA without relying on SMS. If you turn on this option you’ll enter your username/password as usual, and you’ll then be prompted for an authentication code before the login can be completed. The code can come from Google Authenticator, an app for your Android or iOS device. When you set it up, you scan a QR code that contains a secret shared between the app and the service; from then on the app combines that secret with the current time to produce a six-digit code that changes every 30 seconds. Because only the secret and the clock are involved, the code can be generated even when you’re not online, and you can also print a list of one-time backup codes for use when you don’t have your phone handy.

The really cool thing about using an authenticator app is that even if a malicious person has your username and password, they cannot log in with those alone: they would also need the current code from your device. (One caveat: a fake login page that asks for your code and forwards it to the real site in real time can still get in, so keep checking the address bar. Security keys, covered below, are designed to defeat that trick.) And no, using Google Authenticator does not give Google access to any of the accounts you use it with; the app only holds the shared secrets and does its arithmetic locally. If you prefer a non-Google authentication app, check out Authy or the LastPass Authenticator.

If it sounds like a nuisance to enter both a password and a verification code every time you log in, well, you’re right. But most services that offer two-factor authentication give you the option to enter the code once and check a box that says something like “trust this computer.” If you do that, you won’t need to enter a verification code each time you sign in from that computer. The service does this by storing a token in that browser, so only trust computers you control, never a shared or public one.

Online businesses increasingly urge customers to use two-factor authentication. Some even insist upon it. Their reasons include the skyrocketing frequency of mass thefts of username/password pairs by hackers, and the cost of responding to such breaches. Those costs can include lawsuits, fraudulent transactions that merchants or banks must eat, the cost of notifying affected customers, and even the cost of providing a year’s worth of credit report monitoring. Not to mention the cost of bad publicity and lost customers.

2FA: Step-By-Step

There are a couple of websites developed to encourage and help Internet users enable two-factor authentication on all the sites that offer it. The Turn It On site is chock-full of information about two-factor authentication (abbreviated 2FA). Even better, it provides step-by-step instructions for enabling 2FA on over 100 sites, a list that is growing rapidly. See also TwoFactorAuth.org for a long list of websites that support Two-Factor Authentication.

Amazon, Apple, Facebook, Gmail, Instagram, Outlook, Snapchat, Twitter, and Yahoo are among popular sites offering 2FA. “Turn It On” also documents 2FA procedures for backup and sync services such as Dropbox; financial sites including Chase, Wells Fargo, and Bank of America; cloud computing resources such as Amazon Web Services; communication services such as Skype and Office 365; domain services such as GoDaddy; Web hosting services; government Web sites; Paypal and other payment services; eBay, Etsy, and other shopping sites; and many social media sites.

Another option for two-factor authentication is a gadget called a security key: a small USB or NFC device you plug in or tap when you log in. Because the key checks which website it is talking to before it answers, it cannot be fooled by a look-alike phishing site the way a typed code can. We are all relying on web-based services for an increasing number of functions. As the number of user accounts you have grows, so does your exposure to identity theft and fraud. Two-factor authentication is one of the most effective ways to protect yourself. It’s worth the small extra effort.

Have a great week from all of us at ZI