The password problem: How to use 2FA for Online security
You are one data
breach away from having your entire online life turned upside down. The problem
is passwords, which are hopelessly fragile ways to secure valuable resources.
Don't be lulled
into a false sense of security by the belief that creating a longer, more
complex, harder-to-guess password will somehow make you safer online. You can
create a password that is so long and complex it takes you five minutes to
type, and it will do nothing to protect you if the service where you use that
password stores it improperly and then has their server breached. It regularly
happens.
And even with
reasonable policies in place (complexity, changed regularly, not reused),
people are still the weakest link in the security chain. Social engineering can
convince even intelligent people to enter their credentials on a phishing site
or give them up over the phone.
The solution is
two-factor authentication, or 2FA. (Some services, being sticklers for detail,
call it multi-factor authentication or two-step verification, but 2FA is the
most widely used term, so that's the nomenclature I've chosen to use here.)
A 2019 report
from Microsoft concluded that 2FA works, blocking 99.9% of automated attacks.
If a service provider supports multi-factor authentication, Microsoft
recommends using it, even if it's as simple as SMS-based one-time passwords. A
separate 2019 report from Google offered similar conclusions.
In this article, I answer some of the most common questions people ask about 2FA.
How does 2FA work?
Turning on 2FA for a service raises the bar for signing in: when you access the
service for the first time on an unknown device, you must provide at least two
proofs of identity. Those proofs can come from any combination of at least two
of the following elements:
· “Something you know," such as a password or PIN
· “Something you are," such as a fingerprint or other
biometric ID
· “Something you have," such as a trusted smartphone
that can generate or receive confirmation codes, or a hardware-based security
device
For the most
part, the two-factor authentication systems you see in place today use the
first item (your password) and the last item (your smartphone). Smartphones
have become ubiquitous, making them ideal security devices.
Your smartphone
can assist with authentication by providing a unique code that you use along
with your password to sign in. You can acquire that code in one of two ways:
Sent as a text message from the service, or generated by an app installed on
your phone.
If someone tries to sign in to an account protected by 2FA, they'll need a
second proof, such as the code from an authentication app.
If this sign-in
request were from someone who had stolen my Google account credentials, they'd
be stopped dead in their tracks. Without that code, they can't continue the
sign-in process.
Which authentication method is best?
The best authentication
method is the one you're most comfortable with. Just make sure you have at
least two options, to avoid the risk of being locked out of your account.
I prefer the
option to use an authentication app rather than receiving codes via text message
whenever possible, and so should you, for two good reasons. The first is a
matter of simple logistics. There are times when you have access to the
internet (via a wired connection or Wi-Fi) but can't receive a text message,
because your cellular signal is weak or non-existent, or you're using a
different SIM while traveling.
The most popular 2FA app is Google Authenticator, which is available on iOS and
Android. But
there are plenty of alternatives; because the process for generating secure
tokens is based on open standards, anyone can write an authenticator app that
performs the same function. In fact, you can use multiple authenticator apps.
It's worth
noting that an authenticator app only requires a data connection during the
initial setup process. After that, everything happens on your device. The
process is governed by a well-accepted standard that uses the Time-based
One-Time Password algorithm (TOTP). That algorithm uses the authenticator app as
a sophisticated calculator that generates codes using the current time on your
device and the shared secret. The online service uses the same secret and its
own timestamp to generate codes that it compares against your entry. Both sides
of the connection can adjust for time-zones without problem, although your
codes will fail if the time on your device is wrong.
How do I know which services support 2FA?
Google accounts,
including both consumer Gmail and business GSuite accounts, offer a wide range
of two-step verification alternatives. All Microsoft accounts, including the
free accounts used with Outlook.com, Xbox, Skype, and other consumer services,
support a variety of authentication options, as do the Azure Active Directory
accounts used with Microsoft's business and enterprise services, including
Microsoft 365 and Office 365.
2FA support is
ubiquitous among social media services (Facebook, Twitter, Instagram, and so
on). Every online storage service worth considering supports 2FA, as do most
domain registrars and web hosting companies. If you're unsure about a specific
service, the best place to check is a superb open source information repository
called the Two Factor Auth List. And if a high-value service you rely on
doesn't support 2FA, well, maybe you should consider switching to one that
does.
Which services should I protect first?
You probably
have login credentials at dozens of online services that support 2FA, so the
best strategy is to make a prioritized list and work your way through it. I
suggest these priorities:
· Password/identity managers. Using a password manager is
perhaps the most important way to ensure that you have a strong, unique
password for every service, but that also creates a single point of attack.
Adding 2FA shores up that potential weakness. Note that for some password
management software, 2FA support is a paid option.
· Microsoft and Google accounts. If you use services from
either company, adding 2FA support is essential. Fortunately, it's also easy.
· Email accounts. If a bad actor can take over your email
account, they can often wreak havoc, because email messages are a standard
means of sending password reset links. Messages sent from a compromised email
account can also be used to attack your friends and co-workers (by sending
malware-laden attachments, for example). If you use Outlook.com, Exchange
Online, Gmail, or G Suite, your email account uses the identity verification
method associated with your Microsoft or Google account. If you use a different
email service, you'll need to set up 2FA separately.
· Social media accounts. As with email, the biggest risk
associated with a hacked Twitter or Facebook account is that it will be used
against your friends and associates. Even if you're a lurker who rarely posts
anything on social media, you should protect these accounts.
· Banks and financial institutions. Most banks and
credit card companies have made significant investments in back-end fraud
detection programs, which is why 2FA options are typically limited compared
with other categories. Nonetheless, it's worth exploring these settings and
tightening them as much as possible.
· Shopping and online commerce. Any site where you've
saved a credit card number should be secured.
How do I set up 2FA?
Setting up
additional security features for most online services requires minimal
technical skills. If you can use your smartphone's camera, type a six-digit
number, and tap OK in a dialog box, you have all the skills required. The most
difficult part of the job is finding the page that has the relevant settings.
If you're using
SMS messages, all you need to do is associate a mobile phone number with your
account. (You can also use a virtual phone line, such as a Google Voice number,
that can receive SMS messages.) Configure the account to send a code to that
number whenever you sign in on an untrusted device. For example, here's what
this option looks like when enabled on a Twitter account:
To get started
with an authenticator app, you first need to install the app on the mobile
device you want to use as your second authentication factor:
· If you carry an iOS device, you can get the Google
Authenticator app from the App Store. (It's optimized for use on iPhones but
should work on an iPad as well.) On Android devices, install the Google
Authenticator app from the Google Play Store.
· The Microsoft Authenticator app, which uses the same
standard to create authentication tokens, is available for Android devices from
the Google Play Store and for iOS devices from the App Store.
· If you use the LastPass password manager, consider
installing the LastPass Authenticator app, which is designed to work with the
LastPass app on mobile devices and the desktop.
· If you use 1Password as your password manager, 2FA
support is built into the 1Password app on all platforms. For details on how to
use the One-Time Password feature, see this 1Password support page.
After you
install the app for your device, the next step is to set it up to work with
each account where you have enabled 2FA.
The setup
process typically requires that you enter a shared secret (a long text string)
using the mobile app. All of the mobile apps I listed above support using a
smartphone camera to take a picture of a QR code, which contains the shared
secret for your account. That's much easier than entering a complex
alphanumeric string manually.
In your authenticator app, choose the option to add a new account, choose the
bar code option, aim the smartphone at the bar code on your computer screen,
and wait for the app to fill in the necessary fields.
After you set up
the account in the authenticator app, it begins generating codes based on the
shared secret and the current time. To complete the setup process, enter the
current code from the authenticator app.
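How the code you just typed is produced and checked, as an added example that is not part of this article: the Python below implements TOTP the way RFC 6238 describes it (HMAC-SHA1, 30-second steps, six digits, the defaults the apps above use), the server-side check a service performs with its own copy of the secret, and a parser for the otpauth:// URI that the setup QR code encodes. The URI, the account name and the secret JBSWY3DPEHPK3PXP are constructed sample values, not from the article; the 20-byte key used for the known-answer checks is the published RFC 6238 test secret. It uses only the Python standard library.

```python
"""TOTP end to end: QR-code URI -> shared secret -> code -> verification.
Added example (standard library only); sample values are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse


def decode_base32_secret(secret: str) -> bytes:
    """otpauth secrets are base32 without padding (often shown with spaces
    for manual entry); normalise and decode to the raw HMAC key."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals
    since the Unix epoch. Unix time is UTC, so time zones never matter;
    a wrong clock on the device does, because it shifts the counter."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(key, timestamp // step, digits)


def verify_totp(key: bytes, submitted: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the service does with the code you type: recompute the code for
    the current step and `window` steps either side (tolerating small clock
    drift) and compare in constant time. Anything further off is rejected."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    submitted = submitted.strip()
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate < 0:  # cannot pack a negative counter; skip it
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return True
    return False


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the Key URI format a setup QR code carries, e.g.
    otpauth://totp/Issuer:account?secret=...&issuer=...&digits=6&period=30."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no shared secret")
    label = unquote(parsed.path.lstrip("/"))
    if ":" in label:
        label_issuer, account = label.split(":", 1)
    else:
        label_issuer, account = None, label
    return {
        "issuer": params.get("issuer", label_issuer),
        "account": account.strip(),
        "key": decode_base32_secret(params["secret"]),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def enroll_and_sign_in(uri: str, now: int) -> tuple:
    """The setup walk-through: the app reads the QR code, shows a code,
    and the service (holding the same secret) verifies it."""
    acct = parse_otpauth_uri(uri)
    code = totp(acct["key"], now, acct["period"], acct["digits"])
    ok = verify_totp(acct["key"], code, now, acct["period"], acct["digits"])
    return acct, code, ok


# Constructed sample URI (hypothetical issuer, account and secret).
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&digits=6&period=30")

if __name__ == "__main__":
    acct, code, ok = enroll_and_sign_in(SAMPLE_URI, int(time.time()))
    print(acct["issuer"], acct["account"], code, "verified" if ok else "rejected")
```

Nothing in the code path after `parse_otpauth_uri` touches the network, which is why an authenticator app needs a data connection only while scanning the QR code. The `window` argument in `verify_totp` is the only tolerance a service has for a drifting phone clock; a device several minutes off produces codes that fall outside it and are rejected.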
For Google
Authenticator and other no-frills apps, however, you'll need to manually
re-create each account on the new device. Install the authenticator app on your
new device and repeat the setup process for each account you used with your old
phone. Setting up an account on a new authenticator app automatically disables
codes generated by the old device.
Two-factor
authentication will stop most casual attacks dead in their tracks. It's not
perfect, though. A determined attacker who is directly targeting a specific
account might be able to find ways to work around it, especially if he can
hijack the email account used for recovery or redirect phone calls and SMS
messages to a device he controls. But if someone is that determined to break
into your account, you have a bigger problem.
Any questions?
Send me a note or leave a comment below.