SECURITY TIP: Two Factor Authentication
Okay, I'll admit this sounds geeky, but it’s important. Two-factor authentication isn’t all that complicated, and it can save your bacon from hackers and identity thieves. Read on to learn more about this online security technique that I'm strongly recommending for PC, Mac and mobile users...
What is Two Factor Authentication?
If you venture beyond your web browser's start page, you've probably seen the phrase "two-factor authentication" by now. Sometimes it's referred to as "two-step verification," "login approval," or "enhanced login security." Bottom line, it's a big improvement on the username/password method of gaining access to online accounts. And it's something you need to know about.
An ever-growing number of Web services providers, large and small, are offering it; Google, Twitter, Facebook, Microsoft, Apple, and online banking sites are just a few examples. What is two-factor authentication (abbreviated 2FA); why do these corporations want you to use it; and when do you really need it?
First, let's see what one-factor authentication is. You go to a Web site and enter your username and password. That's two factors of authentication, right? Well, no. Both are things you know, and the username is typically public and not guarded like a password at all. So the password carries all the weight by itself: one kind of evidence, one factor.
Two Out of Three Ain't Bad
Ever wonder if someone is looking over your shoulder while you log in to Facebook or Gmail at the coffee shop? It happens. But here's the really cool thing: with two-factor authentication, a guessed or stolen password is not enough by itself. Let me explain. Two-factor authentication systems require two out of three kinds of evidence to authenticate you:
- Something you know, such as a PIN or a password
- Something you have, such as a phone, ATM card, or an electronic key fob
- Something that is part of you, such as a fingerprint, retina pattern, or face
2FA is hardly new. ATMs employ it; the card is what you have and the PIN is what you know. Self-service gas pumps require a credit card (what you have) and the ZIP code of its billing address (what you know). But 2FA is new to the online world, and it's meeting resistance from plain laziness.
Many people don’t even want to bother with one-factor authentication. They let their browsers or third-party password-management software store usernames and passwords, and enter them automatically. Of course, that means anyone who uses your Web browser while you’re not looking can get into your online accounts. Password-management software is generally protected against unauthorized use by a single password; if that’s stolen, it’s as if someone stole your key ring with all the keys to everything.
Many Web sites have countered this sloppy security practice by creating Web pages that won’t accept auto-filled passwords; your username may be filled in but you will have to type the password. My bank puts form fields for username and password on separate Web pages, defeating auto-fill. I think we can expect similar enforcement of 2FA if “consumer re-education” doesn’t work.
A recent real-world example of a business failing to use two-factor authentication cost a casino one million dollars. Although it happened in an offline context, their blunder resulted in two men named Kevin Lewis being awarded a huge payout.
Prevention of fraud and litigation is also motivating online businesses to enforce 2FA. Identity theft is rampant and rising; when a merchant is defrauded, he often ends up eating the loss. Lawsuits by consumer victims against business victims seek to shift responsibility from the one who was careless with a password to the one who “should have done more” to protect against fraud.
Tangible 2FA tokens, such as RFID chips and USB dongles, have been tried without much consumer uptake (outside of businesses where security is taken very seriously). Online merchants, banks, and other consumer-oriented businesses are now turning to tokens of pure information delivered via the nigh-universal medium of text messaging.
Your Phone is a Factor
If you sign up for 2FA with such a company, you will have to register a mobile phone number with the firm. Then, when you enter a username and password, a text message containing a PIN or short password will arrive on your phone. Enter that code and you're in. The phone, which is presumably in your possession, is the second, tangible authentication factor. Strictly speaking, a texted code proves control of the phone number rather than of the handset, so a thief who can get your number transferred to his own phone gets the code too; that is a good reason to guard your carrier account as carefully as the Web accounts it protects.
Google offers two-step verification for Gmail and other Google services. If you turn on this option for Gmail you'll enter your username and password as usual, and then be prompted for an authentication code before the login can be completed. The code comes from Google Authenticator, an app for Android, iOS, and BlackBerry devices. The app computes a fresh six-digit code every 30 seconds from a secret that Google shared with it when you set it up (the standard TOTP scheme of RFC 6238), so the code can be generated even when the phone is offline. You can also print a list of backup codes for use when you don't have your phone handy; each backup code works exactly once.
Yes, it's a minor nuisance to enter the code. But you only have to do it once every 30 days, or when you're logging in from an unfamiliar device or location. Just remember the major benefit: even if someone obtains your password, they can't log in to your account without that verification code, and to get it they'd also have to steal your mobile phone (or trick you into typing the code into a fake login page, so the usual advice about checking the address bar still applies).
Whatever device you normally use to connect to a Web service may also serve as a second authentication factor. Facebook, for example, will optionally remember your usual device, typically by storing a cookie on it and noting the IP address and browser characteristics it presents (a Web site cannot see your hardware MAC address, which never travels beyond your local network). If you attempt to log on from a different device (or geographical location) you may be challenged with additional security questions. Some online banking sites do this as well.
The minor hassle of two-factor authentication is a trivial price to pay for the increased security of your identity and online assets. Get used to it; it’s the next big thing.
Your thoughts are welcome on this topic. Post your comment or question below...
This article was posted by Bob Rankin on 12 Aug 2013
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- SECURITY TIP: Two Factor Authentication (Posted: 12 Aug 2013)