IMPORTANT: An Extra Layer of Security - Comments Page 1

My biggest concern is using Facebook or Google for a two-step process of any kind. They already collect information on everything you do on their sites and now I'm going to allow them to be part of my two-step authentication?! I try to stay as far away from both of them as possible. I would love to see an alternative or two to these two. I understand the need for this process and even support it. I would simply like to have more choices for this.

It is such a pain when traveling and Gmail or others don't recognize your IP address. Facebook is especially annoying, making you identify people in their pictures. I think I would rather risk it than be locked out of services I need when traveling internationally, which I do often.

Have not heard of this till now. I think it is a very good idea with all the dishonest hackers out there trying to steal their way through life on our backs. Anything that puts a stop to them or slows them down I am all for. Thanks for the info.

Phone and/or phone number? Great idea until your phone is lost/stolen or otherwise compromised and the acquiring party uses your password and acquired phone information (number to gain access. A finger print, iris scan or similar with a biometric check, for live finger and/or eye, might be a better idea.

I use 2FA where it has been offered to me and while it is an extra step I think it is well worth the extra protection. I am hoping that the sites where I already have a username and password will offer 2FA to me at some point with a pop up prompt. I hate the thought of having to search out ever website to see if it has 2FA. I am going to check out the site that you referenced in your article.

I enjoyed this article as I do all of your articles and look forward to lots more.

Thumb prints and retina scans are good ideas. But how can I prove who I am if I lose a thumb or my thumb is badly burned in an accident.

I am a "Free" Lastpass user, don't have a smart phone, which leaves the "Grid". Print the grid and do what with it? Sending text to my feature phone is not an offered option. For me, Free Lastpass doesn't offer 2FA. Sad

I have 2FA enabled on/for several of my online accounts, however, since I regularly clean my browser history and such, those sites don't recognize my computer and ask me to verify myself each time I login anyway. Obviously the "trust this computer" setting doesn't work in this case, at least for me. Apparently the cleanup I do is removing whatever file the 2FA these sites is wanting kept. Oh well.
:o(

Excellent advice, Bob, as always. I activated 2FA a couple of years ago, after I was hacked. I had, mistakenly, thought that it would have been activated by default. It cost me hours of work at the time. I couldn't believe that Yahoo would allow someone in Nigeria to sign in and change all my settings and details. You live and learn!

DiceWare PassPhrase also seems an interesting alternative as another layer of obfuscation. http://world.std.com/~reinhold/diceware.html
Using DiceWare with a different language (e.g., Esperanto) may even be a better alternative. There are others who are touting the use of pencil+paper since the cyber attack/hack on LastPass cloud storage.

@PgmrDude:
I was just signing on to say the same thing. I wipe out cookies and such, and as a result, some sites suffer from CRS (Can't Remember Stuff) when I log back in.
I also don't do texting as of yet, so I am not about to pay verizon a king's ransom for individual texts for the codes. When I end up getting a smartphone, then I'll do the texting and 2FA.

I've been using 2 factor authentication for at least a decade. At work, we got SecurID (yes that "e" between the "r" and the "I" that's how it's spelled), which gives us the "something you have" factor. When logging into our system you are presented asking for the number on the fob. You enter that in. Then you enter your password, 2nd factor. Then there is a screen which takes you to a screen where you enter in your PC's name, then you login to your computer. At first it was a hassle but before that, we had a "calculator" which had a challenge response method. You connect, you get a number, enter that number with your own known passcode then it calculates an number and you enter that in. Much better now.

Hi Bob, here's a Canadian perspective. The Canadian Imperial Bank of Commerce (CIBC) does use 2FA, but limits the 2FA verification process to only certain types of transactions and queries such as changing passwords, "large" transactions, adding payees. I'm not sure why they chose this half-measure. Very puzzling.

Have you heard of SQRL (Secure Quick Reliable Login)? It takes a different approach to authentication. See:

http://sqrl.pl/blog/
(click on "Illustrated Guide" at the top)

https://www.grc.com/sqrl/sqrl.htm
(this is the guy who came up with the system)

It seems like a really great idea but it hasn't gotten any traction in terms of implementations, although there is an Android (client) app at:

https://play.google.com/store/apps/details?id=net.vrallev.android.sqrl

I am a 78 year old neophyte and I'm afraid I don't understand any of this Mumbo Jumbo.I really enjoy you articles but a good deal of it passes right over my head.What do I do?

I am a user of LastPass, I even have the Premium Account. I was surprised, when I read about the hacking attempt, at LastPass. Oh, there was some hacking, but, the layers that LastPass has for security, the hackers did not get any "sensitive" information. Thank goodness, for that.

However, I honestly do think it is time, for LastPass to have Two-Factor Authorization, for the future. It really doesn't make any sense, not to ... Especially, in today's world of the hacker!

Here in the UK because of the use of banking smart cards my bank issues a card reader. You can login to your bank using one and a half factors but if you actually want to do anything (set up direct debits/standing order, pay money's) then you insert your card into the reader, enter your PIN to unlock it, then enter a code from the bank to get a response code required to proceed. No mobiles (which I don't have).

Another great article, Bob...thanks

My concern with biometric log in is what happens when authorized family or friends are trying to access the accounts of deceased individuals.

Passwords can be stored securely with a will, but not biometrics.

Is anything being done for this scenario?

What happens with Google Authenticator when I get a new phone? Or worse still, have my phone stolen?

I saw a few responses that refer to a hacker attack on LastPass. The solution to such attacks is to use a keyring application that encrypts and stores your sensitive information locally (on YOUR device), like Enpass does. Your information is NOT stored on any cloud service, unless you choose to sync to your PERSONAL cloud account (Dropbox, Google Drive, OneDrive, local cloud on a network, etc) - as opposed to something like LastPass' cloud storage, where there are obviously many keyrings to steal.

The program is free for desktop/laptop computers, with a small one-time fee for phones.

FYI, I am not affiliated with Enpass, other than being a satisfied user.