Every day we hear about people’s online accounts getting hacked, whether it’s social media, email or a cloud storage service like Dropbox. High profile celebrities, athletes, politicians, and business leaders are frequently targeted, but the reality is we’re all at risk.
Many people use the same password everywhere. That is like having one key for your house, your car and your office: once it is copied, everything opens. In practice, a password leaked from one site gets tried automatically against every other popular service, which is why one breach so often becomes several.
You may think you have a strong password, but a password alone isn't robust. When a site's password database leaks, attackers can test billions of guesses per second offline against weakly hashed passwords, and passwords exposed in one breach are replayed against other sites. Social engineering is another remarkably effective tactic for gaining access to online accounts, and the answers to security questions are often easy to find: with a bit of research, it's not hard to discover the city you were born in, your mother's maiden name, or the name of your first pet.
Two factor authentication (2FA) is one of the most effective, yet often overlooked security measures you can use to keep your accounts safe. 2FA is free, easy to set up, and is available for most online services these days.
What is two factor authentication?
2FA requires the user to present two different types of credential (factors) before gaining access to an account. The three types are:
- Something you know, such as a personal identification number (PIN), password or a pattern
- Something you have, such as an ATM card, phone, or fob
- Something you are, such as a biometric like a fingerprint or voice print
Mobile 2FA, where the smartphone serves as 'something you have', gives the user a one-time passcode, typically six to eight digits. The code is either sent to the phone by SMS or generated locally by an authenticator app from a secret shared with the service at enrolment and the current time. The advantage of this method is that no dedicated hardware token is needed, as users tend to carry their phones around at all times anyway.
A well-designed service also enforces the one-time rule on its side: a code is accepted once only, expires after a short validity period, and (for SMS systems) is automatically replaced with a fresh one if it is not entered within the time limit, so no old, still-valid codes are left lying around on phones. For added security, the service can also limit how many incorrect entries are permitted before it blocks access, so an attacker cannot simply guess the six digits.
The security of SMS-delivered codes depends on the mobile operator. Codes can be intercepted through weaknesses in the carrier signalling network (SS7) or redirected by SIM swapping, where an attacker persuades the carrier to move your number to a SIM they control. These attacks are within reach of ordinary criminals, not only national security agencies.
Services such as Google, Dropbox, Evernote, Amazon, Slack, and LastPass all support secure token generation via your chosen 2FA app, as well as an option for SMS if this is your preference. However, some services like LinkedIn, Box, and PayPal only provide SMS 2FA, and do not support 2FA apps.
I prefer the authenticator app option for a few reasons:
1) They're more secure. Text messages can be intercepted or redirected (SS7 interception, SIM swapping, malware on the phone), whereas an authenticator app's secret never leaves your device once it has been enrolled. Also, if you like reading your text messages on your desktop with a tool like Pushbullet, your codes are exposed wherever those messages sync, possibly without you noticing. Oddly, banks still tend to use SMS authentication.
2) Tools like Authy are cross platform: you can access it on your smartphone or tablet, as well as via a Chrome extension. It needs to be authorised on each new device, and protects your codes with a PIN or password.
3) Authenticator app codes are derived from the current 30-second time step, so each one is valid for about 30 seconds (plus whatever small clock-skew tolerance the service allows), whereas SMS codes are often good for up to five minutes. A shorter window leaves an attacker who has captured a code less time to use it.
4) Text messages can be delayed, and rely on two things beyond your control:
- The SMS gateway service that generates and sends the code.
- Your carrier delivering the code to your device.
If there's an issue with either, you will have to wait until you can access your account. Authenticator apps need no network at all: the code is computed from the shared secret and the phone's clock, so it is available even with no signal.
Setting up 2FA
You don’t have to be massively tech savvy to configure two-factor authentication on any of your accounts. For most services, it’s all pretty easy and straightforward.
My preference is Authy, but you can also use Google Authenticator or LastPass Authenticator. They all implement the same open standard (TOTP), so any of them will work with any service that offers an app option.
Go to the Security section of your chosen service. This is normally where you change passwords and contact information.
Look for where it says ‘Enable two-factor authentication’ or something similar.
Depending on the service and options, you’ll now be able to select whether you want to use a 2FA app or get your codes via text message.
If you prefer an app like I do, once you've selected this method you'll be prompted to scan a QR code using the app you've chosen. The QR code carries the secret the service has just generated for your account; scanning it is how the app and the service end up sharing it. Once you've scanned it, you'll see the name of your account and a code with a timer. Enter the code where requested on your screen before the countdown expires. If the numbers change halfway through, just wait for the new code and try again. If the service offers backup codes at this point, store them somewhere safe; they are how you get back in if you lose the phone.
Once you’ve done this and submitted it, the service should advise if it’s been done successfully.
You’re now all set.
For SMS codes the process is similar, except that instead of scanning a QR code you enter your mobile number and wait for an authentication code to arrive via SMS. Enter this when prompted, and wait for the successfully completed message on your screen.
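The mechanism behind the QR code, the 30-second codes and the offline operation described above, as an added example that is not part of the original post: a minimal TOTP implementation (RFC 6238, the standard that Google Authenticator, Authy and LastPass Authenticator implement) in Python using only the standard library. The otpauth:// URI, its secret, and the verifier's skew window and lockout threshold are constructed for the demo, not a real account's values; the single-use and lockout rules are the server-side checks the passcode-handling paragraph earlier describes.

```python
"""TOTP (RFC 6238), the scheme behind Google Authenticator, Authy and similar apps.

Added example, not code from the original post. The secret and otpauth:// URI
below are constructed for the demo, not real credentials.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a 2FA QR code encodes: label, issuer and a base32 secret.
OTPAUTH_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Pull label, issuer, raw secret bytes, digit count and period out of an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = q["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # apps usually strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).

    Only the shared secret and the clock are needed, which is why the app
    works with no network connection."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits)


class TotpVerifier:
    """Server side of the exchange: skew window, single use per code, lockout on failures.

    The window size and failure limit are assumed policy values for the demo."""

    def __init__(self, secret, period=30, digits=6, window=1, max_failures=5):
        self.secret, self.period, self.digits = secret, period, digits
        self.window = window            # accept +/- this many time steps of clock skew
        self.max_failures = max_failures
        self.last_used_step = -1        # highest time step already consumed by a valid login
        self.failures = 0

    def verify(self, code, at=None):
        """Return "ok", "bad", "replay" or "locked"."""
        if self.failures >= self.max_failures:
            return "locked"             # too many wrong guesses: stop accepting anything
        if not (isinstance(code, str) and code.isascii() and code.isdigit()
                and len(code) == self.digits):
            self.failures += 1          # malformed input counts as a wrong guess
            return "bad"
        at = time.time() if at is None else at
        step = int(at) // self.period
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                if candidate <= self.last_used_step:
                    self.failures += 1  # already used, or older than a code already used
                    return "replay"
                self.last_used_step = candidate
                self.failures = 0
                return "ok"
        self.failures += 1
        return "bad"


if __name__ == "__main__":
    enrolled = parse_otpauth(OTPAUTH_URI)           # what scanning the QR code gives the app
    now = 1_700_000_000                             # fixed clock so the run is reproducible
    code = totp(enrolled["secret"], at=now)         # what the app displays
    server = TotpVerifier(enrolled["secret"])       # the service holds the same secret
    print(code, server.verify(code, at=now))        # first use: ok
    print(code, server.verify(code, at=now + 10))   # same code again: replay
```

Two details worth noticing: the app and the server never talk to each other after enrolment, they only agree on the secret and the time, and the verifier rejects a correct code the second time it is offered, which is what stops someone who glimpsed your screen (or a synced Pushbullet message) from logging in a minute later.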
Two-factor authentication, like any security measure, is not bulletproof: a phishing page can simply ask you for your current code and relay it to the real site before it expires, and as 2FA becomes more commonplace, attackers will put more effort into getting around it. Such is the nature of computer security. This being said, it definitely improves your chances of keeping your accounts secure.
We’re already seeing more promising forms of 2FA emerge, such as biometric technology — fingerprint, facial, and voice recognition. Time will tell how effective this is.
Content marketer, blogger, author and tech geek.