Friday, September 05, 2014

You Should Really Enable Two Factor Authentication

To your standard user, when you access a website you create a login and password combination for verification of your id.  The login name (also referred to as a username) is typically either a unique name or an email address.

At first thought, one would think that creating a login and having a user set their password should be sufficient security, even considering that a lot of sites have a minimum set of standards for their passwords (ie:  Length, types of characters required, frequency of those characters, etc).  Unfortunately this is incredibly far from the truth.

As we all know, the number of logins and password combinations that the average user has created could be anywhere from a dozen or two, all the way up into what some consider an astronomical number (depending on the number of sites they have accounts on).  The problem most people run into is that they don't want to have to remember all of those passwords, so they use one common password across all of their sites.  While this is great for them, the problem is, is that once an intruder has your password on one site, they will save it for use elsewhere as a 'just-in-case'.

You can now see the inherent vulnerability in this.  Sorry for the digression, but I felt it necessary to get across my point for the need for another, added layer of security that is very difficult to circumvent.  Two Factor Authentication.

 To quickly sum up the gist of what Two Factor Auth is (referred to after this as TFA), it is an added layer of security on an account, typically by way of login verification.  This verification is usually in the form of either an sms (text message) with a code that the application will then prompt you for (and not continue the login unless the correct code is entered), or via an application produced verification code.  The later, application produced verification code, is used by things like Facebook, where the application on your phone will have an option for a security code.  It will display a code that has been synced with the Facebook servers.

What happens when you login is:
  • You log in to the application on your computer using your login and password
  • You are then prompted for the security code. 
  • You then grab your phone, open the application, click to the security code page in the app and enter the code in to the waiting box in the browser.
If all was entered correctly you are granted access to the application.  What's nice is that the potential intruders may have been able to steal your credentials from the Facebook servers (hypothetically of course), but they would not have your phone with the verification code.  So, even if they try, they will not be able to gain access to your account.

There are a number of sites today that offer TFA in order to protect their users, and the number grows every day.  There is even another page that list sites and the links to the page on each site to enable TFA.  Lifehacker also put up a page on TFA that gives a nice overview of how some of the bigger names have implemented it.  I just hope that those that do not currently offer it are smart enough to know of the benefits and actually implement it before it is too late. 

If you do not yet use TFA, please look into doing so.  While it does add a little bit of action on your part to implement it and use it, that little bit of time is well worth not having your personal and private information stolen and sold.  It is all of our responsibilities to make sure we protect ourselves, not assume that someone is going to do it for us. 

No comments:

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.