In a prior post, I talked about how your need to up your game in terms of managing and protecting your passwords. In this post, we will talk about the next step in protecting yourself online through two-factor authentication (sometimes referred to as 2FA).
I’m not going to dance around this issue – in addition to a solid password management strategy, you really should be using two-factor authentication whenever possible. This essentially means that in order to access a resource (such as your email or a website) the "first" line of authentication is a password, and an additional and unrelated method is the "second" form of authentication.
Key takeaway: some protection, any protection, using 2FA is better than no protection. In many cases, you won't be able to decide which version of 2FA to use.
Some common examples of 2FA include, in roughly ascending order of security:
- Security questions (example: what was your high school mascot?).
- Sending an email to you with a one-time use code.
- Send a text message to your cell phone with a one-time use code.
- A code generator application.
The security question method has been around for several years. The weakness of this system is that there are a limited number of questions in the world. These types of questions are prone to “social engineering”. For example, “what was your high school mascot?” adds a false sense of security given that this information can be reverse-engineered for most people with a profile on LinkedIn, Facebook, or other social networking sites. In addition, if you have a unique question and answer combinations that you use, and those become compromised, you are vulnerable and may not even realize it. One idea that a friend of mine employs is to use fake personal data, including his birth date, where he went to school, and a whole host of fake questions and answers. He has a good time celebrating his "fake birthday" every year, but I'm honestly not sure how he keeps track of all that fake information.
The email method has numerous weaknesses, including but not limited to the fact that email is itself fairly insecure. Many hacks start with taking over an email account and then doing password resets on websites the bad guys want to break into. If you lose control of your email account, it can be a chaotic process to get control back.
The use of text messages sent to your cell phone has become a popular means of 2FA. While this is a huge improvement over no 2FA at all, know that there are still risks associated with this method. Cell phone accounts have a number of vulnerabilities, the most serious of which is called a “cellphone hijack”. In this scenario, someone uses social engineering to take over your cell phone, and then uses 2FA to access your accounts.
The most secure and widely used method of 2FA is an application that is tied to your identity and then generates a unique and frequently changing number. This is sometimes in the form of a small device you carry with you; companies like RSA SecureID and Symantec VIP Access have been providing this service to corporations for years. This is sometimes in the form of a proprietary application that is tied only to that one service – for example, Yahoo!, Gmail, and Salesforce all have authentication applications tied directly to their service. There are also multipurpose applications that will enable you to use 2FA across a wide spectrum of services. Two of the most widely used examples of this are Google Authenticator and Authy (there are numerous others). The basic premise is that a unique code is generated (and constantly recycled) that is unique to you and your device. It is much harder to hijack this type of 2FA.
There is a 1984 movie called “This Is Spinal Tap”. It was one of the first “spoof documentaries”, and chronicled a hard rock band. There is a memorable scene in which one of the lead characters discusses the amplifiers that they use, which have a unique feature: volume nobs that go to 11 instead of the normal 10.
I realize that it is a goofy clip, from a goofy movie, and may seem inappropriate for a very serious topic. What I'm hoping is that the reference is just memorable enough to drive home this one idea: it is time for you to up the level of your online security. It is time to take it to eleven with 2FA.