IMPORTANT: An Extra Layer of Security

Category: Security

Some security tips bear repetition. I've been beating the drum for two-factor authentication for several years. I know, it sounds geeky, but it's actually a simple tool that can protect you even if a hacker steals all your passwords. Here's what you need to know...

What is Two-Factor Authentication?

It goes by many names... Sometimes it's referred to as "2FA," "two-step verification," "login approval," or "enhanced login security." Bottom line, it's a big improvement on the username/password method of gaining access to online accounts.

Two-factor authentication makes it much more difficult (if not impossible) for someone to hack into your online accounts, even if they have your password. That’s because a password is just one factor used to prove (authenticate) that you are who you say you are. The other authentication factor will be quite different.

A username, such as JSmith419, is who you claim to be. In order to authenticate that claim, you may provide a password which, in theory, only the real JSmith419 knows. That’s one-factor authentication. Two-factor authentication requires two of the following three types of authentication factors:

  • Something you know (e.g., a password)
  • Something you have (e.g., a mobile phone)
  • Something that is part of you (e.g., a fingerprint)

Passwords and mobile phones have become the preferred pair of factors for two-factor authentication. To use two-factor authentication methods 1 and 2, you might register your phone number with an online service such as Gmail, Facebook or your bank. Then, each time you enter your username and password, the service sends a text message (or an automated voice call) to that phone number, containing a unique one-time code that you must type in to be fully authenticated.

You've Got Options

Phones are ubiquitous these days; it doesn’t even have to be a smartphone. If you do have a smartphone, you have the option to use an authentication app such as Google Authenticator to generate the one-time code. With Google (and perhaps other services) you can also print out a list of "backup codes" to be used in situations where you don't have your phone handy.

If it sounds like a nuisance to enter both a password and a verification code every time you log in, well, you're right. But most services that offer two-factor authentication give you the option to enter the code once and check a box that says something like "trust this computer." If you do that, you won’t need to enter a verification code each time you sign in with that computer.

Online businesses increasingly urge customers to use two-factor authentication. Some even insist upon it. Their reasons include the skyrocketing frequency of mass thefts of username/password pairs by hackers, and the cost of responding to such breaches. Those costs can include lawsuits, fraudulent transactions that merchants or banks must eat, the cost of notifying affected customers, and even the cost of providing a year’s worth of credit report monitoring. Not to mention the cost of bad publicity and lost customers.

2FA: Step-By-Step

Earlier this month, a new campaign was launched to encourage and help Internet users to enable two-factor authentication on all the sites that offer it. The “Turn It On” Web site https://www.turnon2fa.com is chock-full of information about two-factor authentication (abbreviated 2FA). Even better, it provides step-by-step instructions for enabling 2FA on over 100 sites, a list that is growing rapidly.

Facebook, Twitter, Apple, Gmail, Outlook.com, and Yahoo are the most popular sites offering 2FA. “Turn It On” also documents 2FA procedures for backup and sync services such as Dropbox; financial sites including Chase, Wells Fargo, and Bank of America; cloud computing resources such as Amazon Web Services; communication services such as Skype and Office 365; domain services such as GoDaddy; Web hosting services; government Web sites; Paypal and other payment services; eBay, Etsy, and other shopping sites; and many social media sites.

We are all relying on cloud-based services for an increasing number of functions. As the number of user accounts you have grows, so does your exposure to identity theft and fraud. Two-factor authentication is the best way to protect yourself. It’s worth the small extra effort.

Do you use 2FA? Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 19 Jun 2015
Most recent comments on "IMPORTANT: An Extra Layer of Security"


Posted by:

Charles Fisher
19 Jun 2015

Have not heard of this till now. I think it is a very good idea with all the dishonest hackers out there trying to steal their way through life on our backs. Anything that puts a stop to them or slows them down I am all for. Thanks for the info.


Posted by:

Reg
19 Jun 2015

Phone and/or phone number? Great idea until your phone is lost/stolen or otherwise compromised and the acquiring party uses your password and acquired phone information (number) to gain access. A fingerprint, iris scan or similar with a biometric check, for live finger and/or eye, might be a better idea.


Posted by:

Linda Comparillo
19 Jun 2015

I use 2FA where it has been offered to me and while it is an extra step I think it is well worth the extra protection. I am hoping that the sites where I already have a username and password will offer 2FA to me at some point with a pop up prompt. I hate the thought of having to search out every website to see if it has 2FA. I am going to check out the site that you referenced in your article.

I enjoyed this article as I do all of your articles and look forward to lots more.


Posted by:

Greg Fontenot
19 Jun 2015

Thumb prints and retina scans are good ideas. But how can I prove who I am if I lose a thumb or my thumb is badly burned in an accident.


Posted by:

Jo
19 Jun 2015

I am a "Free" Lastpass user, don't have a smart phone, which leaves the "Grid". Print the grid and do what with it? Sending text to my feature phone is not an offered option. For me, Free Lastpass doesn't offer 2FA. Sad


Posted by:

PgmrDude
19 Jun 2015

I have 2FA enabled on/for several of my online accounts, however, since I regularly clean my browser history and such, those sites don't recognize my computer and ask me to verify myself each time I login anyway. Obviously the "trust this computer" setting doesn't work in this case, at least for me. Apparently the cleanup I do is removing whatever file the 2FA on these sites wants kept. Oh well.
:o(


Posted by:

IanG
19 Jun 2015

Excellent advice, Bob, as always. I activated 2FA a couple of years ago, after I was hacked. I had, mistakenly, thought that it would have been activated by default. It cost me hours of work at the time. I couldn't believe that Yahoo would allow someone in Nigeria to sign in and change all my settings and details. You live and learn!


Posted by:

RandiO
19 Jun 2015

DiceWare PassPhrase also seems an interesting alternative as another layer of obfuscation. http://world.std.com/~reinhold/diceware.html
Using DiceWare with a different language (e.g., Esperanto) may even be a better alternative. There are others who are touting the use of pencil+paper since the cyber attack/hack on LastPass cloud storage.


Posted by:

Stephen
19 Jun 2015

@PgmrDude:
I was just signing on to say the same thing. I wipe out cookies and such, and as a result, some sites suffer from CRS (Can't Remember Stuff) when I log back in.
I also don't do texting as of yet, so I am not about to pay Verizon a king's ransom for individual texts for the codes. When I end up getting a smartphone, then I'll do the texting and 2FA.


Posted by:

ManoaHi
20 Jun 2015

I've been using 2 factor authentication for at least a decade. At work, we got SecurID (yes that "e" between the "r" and the "I" that's how it's spelled), which gives us the "something you have" factor. When logging into our system you are presented with a screen asking for the number on the fob. You enter that in. Then you enter your password, 2nd factor. Then there is a screen which takes you to a screen where you enter in your PC's name, then you login to your computer. At first it was a hassle but before that, we had a "calculator" which had a challenge response method. You connect, you get a number, enter that number with your own known passcode then it calculates a number and you enter that in. Much better now.


Posted by:

Warren Ngo
20 Jun 2015

Hi Bob, here's a Canadian perspective. The Canadian Imperial Bank of Commerce (CIBC) does use 2FA, but limits the 2FA verification process to only certain types of transactions and queries such as changing passwords, "large" transactions, adding payees. I'm not sure why they chose this half-measure. Very puzzling.


Posted by:

Ihor Prociuk
20 Jun 2015

Have you heard of SQRL (Secure Quick Reliable Login)? It takes a different approach to authentication. See:

http://sqrl.pl/blog/
(click on "Illustrated Guide" at the top)

https://www.grc.com/sqrl/sqrl.htm
(this is the guy who came up with the system)

It seems like a really great idea but it hasn't gotten any traction in terms of implementations, although there is an Android (client) app at:

https://play.google.com/store/apps/details?id=net.vrallev.android.sqrl


Posted by:

Francis
20 Jun 2015

I am a 78 year old neophyte and I'm afraid I don't understand any of this Mumbo Jumbo. I really enjoy your articles but a good deal of it passes right over my head. What do I do?


Posted by:

MmeMoxie
20 Jun 2015

I am a user of LastPass, I even have the Premium Account. I was surprised, when I read about the hacking attempt, at LastPass. Oh, there was some hacking, but, the layers that LastPass has for security, the hackers did not get any "sensitive" information. Thank goodness, for that.

However, I honestly do think it is time, for LastPass to have Two-Factor Authorization, for the future. It really doesn't make any sense, not to ... Especially, in today's world of the hacker!


Posted by:

Richard
22 Jun 2015

Here in the UK because of the use of banking smart cards my bank issues a card reader. You can login to your bank using one and a half factors but if you actually want to do anything (set up direct debits/standing order, pay money) then you insert your card into the reader, enter your PIN to unlock it, then enter a code from the bank to get a response code required to proceed. No mobiles (which I don't have).


Posted by:

Lucy
25 Jun 2015

Another great article, Bob...thanks

My concern with biometric log in is what happens when authorized family or friends are trying to access the accounts of deceased individuals.

Passwords can be stored securely with a will, but not biometrics.

Is anything being done for this scenario?


Posted by:

Roger Ward
04 Jul 2015

What happens with Google Authenticator when I get a new phone? Or worse still, have my phone stolen?


Posted by:

Mike
21 Mar 2017

I saw a few responses that refer to a hacker attack on LastPass. The solution to such attacks is to use a keyring application that encrypts and stores your sensitive information locally (on YOUR device), like Enpass does. Your information is NOT stored on any cloud service, unless you choose to sync to your PERSONAL cloud account (Dropbox, Google Drive, OneDrive, local cloud on a network, etc) - as opposed to something like LastPass' cloud storage, where there are obviously many keyrings to steal.

The program is free for desktop/laptop computers, with a small one-time fee for phones.

FYI, I am not affiliated with Enpass, other than being a satisfied user.


Posted by:

Charles
03 Apr 2017

I travel all year long and use a VPN for safety as well as local sim cards on my cell phone. 2FA prevents me from using some of my bank services or paying online using some of my credit cards (Visa verif). They request 2FA as my IP is different but cannot send codes to an unknown cellphone #. Sometimes I have to call home to ask someone to be ready to pick up the verification # sent vocally on that home phone. All 2FA should offer an email option to provide the verification code.


Posted by:

Sharon
25 Jul 2017

Because of where I live, we do not have cell service at home, so I only use a TracFone when I go to town or drive someplace to get service. That means text messages are basically useless. What would be recommended for me to do to have this type of protection?


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- IMPORTANT: An Extra Layer of Security (Posted: 19 Jun 2015)
Source: https://askbobrankin.com/important_an_extra_layer_of_security.html