[SECURITY] Your Password Is Not Enough

Category: Security

If you scanned that headline quickly, you might have read it as 'Your Password Is Not Strong Enough.' The point of today's article is that no matter how strong your password is, it's not enough to protect you. Some security tips bear repetition. I've been beating the drum for two-factor authentication for several years. I know, it sounds geeky, but it's actually a simple tool that can protect you even if your password is stolen or exposed in a data breach. Here's what you need to know...

What is Two-Factor Authentication?

It goes by many names... Sometimes it's referred to as "2FA," "two-step verification," "login approval," or "enhanced login security." Bottom line, it's a big improvement on the username/password method of gaining access to online accounts. Massive data breaches, often exposing millions of login credentials

Two-factor authentication makes it much harder for someone to break into your online accounts, even if they have your password. That's because a password is only one factor used to prove (authenticate) that you are who you say you are. The second factor has to be of a different kind, so that stealing one of them doesn't hand over the other.

A username, such as JSmith419, is who you claim to be. In order to authenticate that claim, you may provide a password which, in theory, only the real JSmith419 knows. That’s one-factor authentication. Two-factor authentication requires two of the following three types of authentication factors:

  • Something you know (e.g., a password)
  • Something you have (e.g., a mobile phone)
  • Something that is part of you (e.g., a fingerprint)

Passwords and mobile phones have become the most common pair of factors. To combine "something you know" with "something you have," you register your phone number with an online service such as Gmail, Facebook or your bank. Then, each time you enter your username and password, the service sends a text (SMS) message to that number containing a one-time code that you must type in to finish logging in.

But there are serious weaknesses in SMS-based authentication. SMS was never designed to carry secrets. Messages are not end-to-end encrypted, they can be intercepted through flaws in the carriers' SS7 signalling network, malware on the phone can read them, and, most commonly, an attacker can "SIM swap" you by talking your carrier into moving your number to a SIM card they control, after which every code comes to them. SMS codes are still better than a password alone, but use an app or a security key where the site offers one. (See my article When 2FA Goes Bad.)

You've Got Options

Google and many other online services offer 2FA that doesn't depend on SMS. If you turn on this option you'll enter your username/password as usual, then be prompted for a code before the login can be completed. The code comes from an authenticator app such as Google Authenticator, for Android or iOS. When you set it up, the service shows a QR code containing a secret that is stored only in the app; from then on the app combines that secret with the current time to produce a six-digit code that changes every 30 seconds. Because nothing but the secret and the clock is involved, the code can be generated even if you're not online. Separately, most services let you print a short list of one-time backup codes for when you don't have your phone handy. Treat that list like a password and keep it somewhere safe, because it is also your way back in if the phone is lost or replaced.

The really cool thing about using an authenticator app is that someone who has only your username and password cannot log in to your account. Two caveats are worth knowing. First, the codes are not magic: a real-time phishing page that asks for your password and the current code, then relays both to the real site within the 30 seconds the code is valid, will still get in. Hardware security keys (see below) are the factor that resists this. Second, no, using Google Authenticator does not give Google access to any of the accounts you use it with: the secret never leaves your phone, and the app doesn't contact Google to generate codes. If you prefer a non-Google authenticator app, check out Authy or the LastPass Authenticator.

If it sounds like a nuisance to enter both a password and a verification code every time you log in, well, you're right. But most services that offer two-factor authentication let you enter the code once and check a box that says something like "trust this computer." If you do that, the site stores a token (a cookie) in that browser and skips the code on later logins from it. That convenience cuts both ways: anyone who uses that browser, or who steals that cookie, also skips your second factor. So only check the box on a private device you control, and expect to enter a code again after the token expires or you clear your cookies.
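As an added example (not code from the article or from any particular site), here is one way a service can implement that "trust this computer" token on the server side, and the checks that keep it from becoming a general 2FA bypass. The key `SERVER_KEY`, the claim names, the 30-day lifetime and the user/device identifiers are illustrative assumptions.

```python
# Added example, not code from the article: a signed, expiring "trusted device" token.
# Issued once after a full password + code login with the box ticked; on later logins
# from that browser a valid token lets the site skip the code prompt.
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"example-only-server-key"   # assumption: a real site loads this from a secret store
TRUST_TTL = 30 * 24 * 3600                # assumption: trust expires after 30 days


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust_token(user_id: str, device_id: str, now=None) -> str:
    """Called right after a successful two-factor login when the user ticks the box."""
    if now is None:
        now = time.time()
    body = json.dumps({"uid": user_id, "dev": device_id, "exp": int(now) + TRUST_TTL},
                      separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def second_factor_required(token, user_id: str, revoked_devices=(), now=None) -> bool:
    """Called after the password check. True means: prompt for the code anyway.

    The token only skips the code if it is intact, unexpired, was issued for the
    *same* account that just logged in, and names a device the user has not revoked.
    """
    if now is None:
        now = time.time()
    if not token:
        return True
    try:
        body_b64, sig_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return True                       # forged or tampered token
        claims = json.loads(body)
        uid, dev, exp = claims["uid"], claims["dev"], int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return True                           # malformed token: fail closed
    if uid != user_id or dev in revoked_devices or now >= exp:
        return True
    return False


if __name__ == "__main__":
    t0 = 1569801600   # constructed timestamp (30 Sep 2019 UTC)
    tok = issue_trust_token("jsmith419", "laptop-1", now=t0)
    print(second_factor_required(tok, "jsmith419", now=t0 + 60))                         # False: skip code
    print(second_factor_required(tok, "someone-else", now=t0 + 60))                      # True: other account
    print(second_factor_required(tok, "jsmith419", now=t0 + TRUST_TTL + 1))              # True: expired
    print(second_factor_required(tok, "jsmith419", {"laptop-1"}, now=t0 + 60))           # True: revoked
```

The `uid` check is what stops a trust cookie from one account being replayed against another on a shared machine, and `revoked_devices` is what the "sign out of all devices" button in an account's security settings should feed. Whoever holds the cookie still bypasses the code, which is the reason the article's advice about private devices stands.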

Online businesses increasingly urge customers to use two-factor authentication. Some even insist upon it. Their reasons include the skyrocketing frequency of mass thefts of username/password pairs by hackers, and the cost of responding to such breaches. Those costs can include lawsuits, fraudulent transactions that merchants or banks must eat, the cost of notifying affected customers, and even the cost of providing a year’s worth of credit report monitoring. Not to mention the cost of bad publicity and lost customers.

2FA: Step-By-Step

There are a couple of websites developed to encourage and help Internet users enable two-factor authentication on all the sites that offer it. The Turn It On site is chock-full of information about two-factor authentication (abbreviated 2FA). Even better, it provides step-by-step instructions for enabling 2FA on over 100 sites, a list that is growing rapidly. See also TwoFactorAuth.org for a long list of websites that support Two-Factor Authentication.

Amazon, Apple, Facebook, Gmail, Instagram, Outlook, Snapchat, Twitter, and Yahoo are among popular sites offering 2FA. “Turn It On” also documents 2FA procedures for backup and sync services such as Dropbox; financial sites including Chase, Wells Fargo, and Bank of America; cloud computing resources such as Amazon Web Services; communication services such as Skype and Office 365; domain services such as GoDaddy; Web hosting services; government Web sites; Paypal and other payment services; eBay, Etsy, and other shopping sites; and many social media sites.

Another option for two-factor authentication is a gadget called a security key, a small USB or NFC device that signs a challenge from the website with a private key that never leaves the device and is tied to the site's real address, so a look-alike phishing site gets nothing it can use. See my article Are You Ready for Hardware Security Keys? for an explanation of how they work, and some recommended products.

We are all relying on web-based services for an increasing number of functions. As the number of user accounts you have grows, so does your exposure to identity theft and fraud. Two-factor authentication is one of the most effective things you can do to protect yourself. It's worth the small extra effort.

Do you use 2FA? Your thoughts on this topic are welcome. Post your comment or question below...

 
This article was posted by on 30 Sep 2019



Most recent comments on "[SECURITY] Your Password Is Not Enough"

Posted by:

JimM
30 Sep 2019

2FA is certainly worth the extra time it takes to log in. Only a few of my usual sites are using it at the moment but I expect them to get on board soon. It gives you a more secure feeling when paying bills online.


Posted by:

Barbara
30 Sep 2019

Bob, I am vision-impaired. My 2FA used to call me on my home phone, but now sends a text to that phone, which cannot receive texts. I cannot read texts on my cell. How can I implement 2FA with voice instead of texts? I did not see an option for that on gmail or my bank. Many thanks!


Posted by:

SysOp404
30 Sep 2019

Great article Bob. I'm all in on the two-step verification deal, wherever offered, as it's well worth whatever time it takes to set up. Any minor aggravation caused by doing this would come nowhere near the problems a security breach could make for us. My personal preference is Google Authenticator, for getting quick, painless entry codes.

I NEVER allow them to be sent by text messaging, to my mobile phone or tablet. It becomes problematic and can actually ADD to the security risk, when being repaired or if they get lost or stolen and someone cracks your access code (or worse yet, if you haven't even set one.)

To STOP companies from sending you texts, simply change how your cellphone is listed with them. Put it under "HOME PHONE" in your profile. (They know many landline phones can't receive texts, so they generally won't bother trying to send an SMS to those.)

If you choose to have the code sent to your e-mail, (which of course, isn't considered secure either), AT LEAST the code won't appear on your phone's lock-screen - as the default setting in "Notifications", often allows for our text messages.

If you insist on allowing codes to be sent via SMS, go into "Notifications" and disallow texts from appearing on your lock-screen. Otherwise, it can be seen, without anyone even bothering to unlock your device.


Posted by:

TommyBe1
30 Sep 2019

I agree Bob, I have 2FA. I created my master password in LastPass with the diceware password generator.


Posted by:

FrancesMC
30 Sep 2019

I see the point of 2FA but the assumption that everyone has a smartphone poses a lot of problems for those of us who don't. And if I don't have one, I can't get a security code.

In the case of one of my bank accounts, the solution is to send it to our landline by making a phone call and giving a number to use. But that poses further problems because I also have a hearing problem and the voice used is not loud enough or distinct enough for me to hear easily. So I'm up the creek without a paddle.

What I would like them to do is use e-mail to send the code. My other bank uses e-mail to send a security code when I do certain things and that works for me. You say that e-mail is not secure but I've never heard of a problem with the security of e-mail.


Posted by:

MartinW
30 Sep 2019

I would LOVE to use 2FA, simply for the security, BUT:
I am currently online on three different computers (with a fourth running screensavers for when I'm bored and need a break). I am on three different sites on them. 2FA could be difficult.
I have several cell phones, used for different purposes (main business, personal, backup). I do not always carry the same one AND my main one gave up the ghost two days ago. I am currently looking for a (cheap)replacement.
Finally, I am poor (yes - all the equipment mentioned is OLD, as am I). Since I have little worth stealing, is 2FA either possible or practical for me?


Posted by:

Neil Remaklus
01 Oct 2019

If your financial institution won't play ball and offer 2FA, you know what they say: vote with your feet!


Posted by:

Janie
02 Oct 2019

I've tried to use it on sites that offer it, but sometimes I've waited a half hour or more for the code to arrive!!! One time it never arrived. And I've clicked that "trust this computer" box EVERY time on EVERY site and it makes no difference.




Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- [SECURITY] Your Password Is Not Enough (Posted: 30 Sep 2019)
Source: https://askbobrankin.com/security_your_password_is_not_enough.html