Two-factor authentication

Posted by on October 27th, 2017 | 0 Comments »

 

If you’ve been putting off enabling two-factor authentication (2FA) on your internet accounts, you shouldn’t. 2FA is one of the simplest and quickest ways to protect your online presence. You need 2FA because it’s just too easy for a hacker or other bad actor to obtain your username and password. The most common method to steal your credentials is a phishing email. If you think you’d never fall for one of these schemes, think again. I personally know very intelligent people who have been victimized. Your credentials can also be stolen by guessing (pick good passwords!), hacking the master password hash database (a la Yahoo), or malware (e.g., a keystroke logger.) One of the worst accounts to get hacked is your email account. Not only does the attacker have access to your email, but he can also reset the passwords to your other online accounts using the forgotten password mechanism that most websites use. Also, a hacked email account can be used to impersonate you or obtain your contacts list.

Many services offer 2FA, such as:

  • Apple ID. Two-factor authentication replaces the older two-step authentication mechanism. You can manually update to the newer mechanism. If you upgrade to iOS 11 or High Sierra, you’ll automatically be switched to two-factor authentication.
  • Gmail*
  • Outlook.com
  • Yahoo email
  • Amazon
  • PayPal
  • Dropbox*
  • Facebook*
  • Twitter
  • Evernote
  • Dashlane*
  • Salesforce*

There are several methods of providing the second authentication factor (something you have) to you. One of the oldest mechanisms is to send you a text message over SMS. This method is vulnerable to hacking. Better methods use a phone app to generate a six-digit code every 30 seconds. This is called a Time Based One-time Password (TOTP). The Google Authenticator app provides a good, free implementation of the TOTP mechanism. 1Password also offers it, at a cost. Note that SMS and TOTP codes can be phished!

There are a couple of newer two-factor mechanisms can aren’t vulnerable to phishing attacks. Google offers Google Prompt, which asks the user if he or she wants to allow the login via the Google mobile app.  No codes are required. Some services (denoted by an asterisk in the list above) offer the FIDO “industrial strength” two-factor mechanism. This is a physical key which performs cryptographic operations. It’s complicated under the hood, but simple to use and very secure.

« Security Through Obscurity
iPhone X first impressions »

No Comments