You Should Be Using Two-Factor Authentication. Everywhere.

We’re not very good with passwords, although we think we are. According to a recent study by security company CSID, 89% of us think we practice safe password routines. Unfortunately, 1 in 5 of us have had an online account compromised, and yet only about half of us change our passwords more frequently than once per year. The best passwords typically use a combination of letters, numbers, and punctuation, and the longer they are the better (at least 8 characters). Only 6% of users have passwords that meet these criteria. Even worse, 60% of us reuse the same password for multiple sites. This is a recipe for disaster.

Here’s a quick scenario: Tommy has a forum account on a fan-made music site. The music forum that he visits regularly doesn’t maintain their security patches regularly, and a random hacker manages to hack into the site and steal his password. A simple web search reveals that Tommy works for Company X. Company X uses the Outlook web app, and wouldn’t you know it, Tommy uses the same password everywhere. Through a little trial and error, the hacker discovers that tommy@companyx.com is his work email, and boom, the hacker now has access to Tommy’s work email.

So what is two-factor authentication, and how does it solve this problem? Well, two-factor authentication (2FA) is a multi-stage method of verifying that you are who you say you are. Typically it’s a combination of something you know (a password), and something you have access to (a phone). Most commonly, the second factor of authentication will be a code that you will be sent through a text message or an automated phone call, and it’s only valid for a short period of time. This code will be entered on a secondary screen before you can have access to your account.

Unfortunately a lot of people don’t know what 2FA is – roughly 75% of people surveyed didn’t have a clue. It has also garnered a reputation for being a hassle, which is simply not the case. Most two-factor implementations will allow you to “register” a device as a “trusted device” for a period of time (typically ranging from a day to a month). I know what you’re probably thinking – what if I lose my phone? Then what? Well, the answer to that is “it depends.” Every two-factor implementation has different ways to handle account recovery in the event of a lost device, but this shouldn’t deter you from using 2FA – the benefits outweigh the risks by far.

So where are some common places you should start using two-factor authentication to protect your online accounts? Here’s a list:

  1. Google: Sends a 6-digit code by text message when you attempt to log in from a new device. Google also provides the Google Authenticator app for Android, iOS, and BlackBerry, which can be used to obtain the second-factor codes instead.
  2. Apple: Sends you a 4-digit code via text message or Find My iPhone notifications when you attempt to log in from a new machine.
  3. Facebook: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  4. Twitter: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  5. PayPal: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  6. Microsoft Accounts: Sends you a 7-digit code via text message or email when you attempt to log in from a new machine.
  7. Yahoo! Mail: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  8. LinkedIn: Sends you a 6-digit code via text message when you attempt to log in from a new machine.
  9. WordPress: Uses the Google Authenticator app.

For a more complete list of companies and products that support two-factor authentication, please review Evan Hahn’s list. Ask your local security or IT professional if your organization could benefit from using 2FA for email or work accounts. There are also ways to implement two-factor authentication into your own custom applications and web sites.

Passwords are becoming less secure all the time, and hackers are getting better at cracking them (check out the strength of your password). Enabling two-factor authentication provides an extra layer of security at a negligible cost. Protect your financial accounts, identity, and your career by using it wherever you can.


Safeguarding Your Data

Many of us deal with sensitive information on a daily basis. Whether that’s financial accounts, healthcare records, social security numbers, or trade secrets (to name a few), it’s imperative that we take precautions to safeguard this data as best we can. I’m going to share a few free or low-cost options that can better accomplish this.

1. Secure Your Smartphone

A lot of damage could be done if your phone falls into the wrong hands. I’d guess that a majority of us have our e-mail accounts configured on our phones in addition to a decent list of contacts. It would be easy enough for someone to impersonate you by sending a text message or e-mail, potentially gaining access to sensitive information. Minimally, you should make sure your phone is protected with a PIN or password. This should buy you enough time to change passwords and/or let people know that your phone has been lost. A better option would be to enable a remote wipe utility on your phone, which allows you to factory reset the phone and wipe away any important data. This article offers a good smartphone protection synopsis.

2. Encrypt Your Hard Drive

If you use a laptop for work purposes, I strongly suggest that you encrypt your hard drive. It’s a lot simpler to accomplish than it sounds, and it provides great peace of mind for you, your company, and, potentially, your customers. Why take the chance that your sensitive data could be compromised so easily? The EFF outlines a few different encryption options.

3. Don’t Overreact to E-mails

Phishers and scammers love to prey on your emotions. A popular ploy is to send an e-mail claiming that there has been a security breach and that you need to verify your current credentials and then change your current password. Often, this e-mail will include a link to a fake site that asks for authentication. If you’re not careful and react too quickly to a scam such as this, your entire network could be compromised. It’s best to take a second and ask around first and/or call your security personnel directly and verify the e-mail.

4. Use a Password Manager

Ahh, password security. You know the drill. Create a secure password, usually with a mix of symbols, upper and lower case letters, and numbers. Oh, and don’t re-use passwords. Oh, and change your password for every account every X days. Make it easy on yourself, and ensure that you’re taking proper precautions to safeguard all of your accounts in the event that one of them gets compromised. An easy way to manage this is to install a password management utility. Most of them work the same way: create one ultra-secure passphrase that opens the utility, then copy and paste the specific password for the account you’re accessing. Once again, this sounds more complicated than it is in practice.

5. Enable 2-Factor Authentication for Gmail

If you have a Gmail account that you use for e-mail, consider enabling 2-factor authentication. It’s a free option that Google provides that allows you to add an additional layer of security to your account. In addition to username and password, you’ll be sent an additional token code (by voice or text message) that you’ll have to enter to verify your identity. If you’d prefer to not enter a token every time you authenticate, there’s an option to designate trusted computers instead. Google outlines their 2-factor authentication options on their support site.