Despite being available for seven years, fewer than 10% of Google users have taken advantage of two-factor authentication. This is according to Google engineer Grzegorz Milka, who quoted the figure at a recent tech conference. And yet two-factor authentication (2FA) is probably the best option today for most people to lock down their online accounts. I’ll tell you why it’s so effective and explain how to set it up.
What is Two-Factor Authentication?
We’re all familiar with entering user IDs and passwords to log in to a web site. What we’re doing is attempting to prove our identity by providing a secret that supposedly only we know: a password. This is the process of authentication. Generally speaking, we prove our identities using one of the following techniques:
- Something we know: password, PIN code, answers to security questions
- Something we have: badge, driver’s license, mobile phone
- Something we are: fingerprint, face or iris scan, DNA, other biometrics
If you use more than one of these to verify someone’s identity, then that would be multi-factor authentication.
Biometrics Are User IDs, Not Passwords
Most people think biometric-based authentication (something you are) is the holy grail. You can’t lose it! You can’t forget it! But you can also never change it (short of a disfiguring accident). You can never be anonymous. And if someone manages to make a viable copy of your biometric data, then every account that relies on it is compromised, forever. You must be able to change your authentication info and have unique info for different uses. And it’s important in many situations to preserve your anonymity, as well. Biometrics fail these tests – they’re really more of a user ID than a password.
Defense In Depth
Having long, strong, unique passwords is crucial and this is still your best primary mechanism for authentication today. This is why we should all be using a password manager like LastPass or 1Password. But all security professionals know that you never want a single point of failure. That is, you want to have defense in depth. If the bad guys somehow manage to hack your password or bypass the password check system, you want a second line of defense. To paraphrase the old saying, two authentication factors are better than one. And if you’re going to have two mechanisms, they should be fundamentally different, requiring a different way to defeat them. Since a password is something you know, we need to add something you are or something you have. Given what we just said about biometrics, the logical choice is the latter.
Doing the Two-Step
The thing that most of us have with us at all times is our cell phone. If we could implant our smartphones in our brains, I think many people would do that. Our phones are also tied to us directly – every phone has a unique number assigned by the carrier. So the most common implementation of two-factor authentication uses your cell phone to provide a one-time PIN code. This code is usually a 4- to 6-digit number and it’s only good for a very short period of time. You first log in using your usual ID and password combo, and then you are challenged to provide a second factor: the PIN code. There are two ways your cell phone can provide this PIN code: receive it via a text message, or generate it using an application.
Unfortunately, receiving a text message is not as secure as it should be. First, the cellular signaling network that carries SMS (SS7) has known weaknesses that allow messages to be intercepted. Second, an attacker doesn’t need to clone your handset: talking your carrier into moving your number to a SIM they control (a “SIM swap”) delivers your codes straight to them. For many services, text messages are your only option for 2FA, however – and if so, it’s still far better than not using a second factor. So if this is all you have, go for it.
Using an Authenticator App
The best 2FA method for most people is using a special authenticator application on your smartphone. While I like Google Authenticator, it doesn’t back up your codes to the cloud. That means that if you lose your phone or it’s damaged beyond use, you will have no access to your 2FA codes. Without those codes, you’re locked out of your own accounts! (I backed up my iPhone and when I got a new iPhone, the restored Google Authenticator lost most of its accounts. I was not happy.) I recommend Authy, and I would be sure to set up cloud backup.
The basic process goes like this. Go to your account’s security and privacy settings and find the option to enable two-factor (or “multi-factor”) authentication. Select the option to provide a QR code to scan. QR codes look like this:
When the code is visible on the screen, use the authenticator app to scan it. Click the plus (“+”) button to add an account, select the scan option which will bring up the camera, and then point your phone at the QR code on the screen.
Once you scan the code, your authenticator app will start generating one-time-use PIN codes for that site. These are time-based one-time passwords (TOTP): the QR code handed your app a secret key that the site also keeps, and the app combines that key with the current time to produce a code, usually 6 digits long, that changes every 30 seconds. No network connection is needed, but your phone’s clock must be roughly correct. You will probably have to enter one of these codes to confirm the 2FA setup on that site.
You repeat this for every web site you want to protect with 2FA. Which sites support this? There’s a great web site that keeps track of this: 2fa.directory. You should enable two-factor auth on your email, social media, medical and financial sites that support it.
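To make concrete what the QR code actually hands your phone, and what the site does with the code you type back, here is a small TOTP generator and verifier. This is an added example, not code from the original post or from any authenticator app; the otpauth:// URI is constructed for illustration, and the secret inside it is the published RFC 6238 test key rather than anything real. The `verify_totp` function is a simplified server-side check: a real site would also record the last accepted time step so the same code can’t be replayed within the window.

```python
"""
TOTP as an authenticator app does it (RFC 6238 on top of RFC 4226 HOTP).
Added example; not code from the original post. The otpauth URI used below is
constructed for illustration and carries the RFC 6238 test key.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Pull out what the app stores when it scans the QR code.

    The QR code is just an otpauth:// URI. Its 'secret' parameter is the
    base32-encoded key that the site and your phone now share; from here on
    neither side ever transmits the key again, only codes derived from it.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    params = parse_qs(parsed.query)
    secret_b32 = params["secret"][0].strip().upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # many sites omit the padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC the counter, dynamically truncate, keep the low digits."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
            algorithm: str = "SHA1") -> str:
    """TOTP is HOTP whose counter is the number of 30-second steps since 1970.

    Nothing here is secret except the key: the phone needs no network, only a
    clock that is roughly right.
    """
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Simplified server-side check of the code the user typed.

    Accepts the current step and `window` steps either side so a phone whose
    clock is a few seconds off still works, and compares in constant time.
    A real server must also remember the last accepted step so the same code
    cannot be replayed inside the window.
    """
    current = unix_time // period
    ok = False
    for step in range(current - window, current + window + 1):
        if step < 0:
            continue
        expected = hotp(secret, step, digits, algorithm)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    # Constructed URI of the kind a site embeds in its enrolment QR code.
    uri = ("otpauth://totp/Example:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
    account = parse_otpauth(uri)
    now = int(time.time())
    code = totp_at(account["secret"], now, account["digits"],
                   account["period"], account["algorithm"])
    remaining = account["period"] - now % account["period"]
    print(f"{account['issuer']} / {account['label']}: {code} (valid {remaining}s)")
    print("server accepts it:", verify_totp(account["secret"], code, now))
```

Two things worth noticing: the secret never leaves the QR code step, which is why you should enrol only on a screen you trust and never paste that base32 string anywhere else; and the whole scheme hinges on the shared key plus time, so losing the phone without a backup of the keys (or the recovery codes the site offers at enrolment) really does lock you out, as the next section warns.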
Security is Rarely Convenient
So from here on, whenever you log in to a site protected with 2FA, you’ll need both your password and a PIN code from your phone. That means you’ll have to have your phone with you in order to log in. Yes, that’s a pain in the butt. But it’s also significantly more secure than using a password alone. We’re used to the hassles of physical security. We lock our houses and cars when we leave them. We hide purses and laptops in the trunk. We lock stuff up in safety deposit boxes that can only be accessed during business hours. It sucks. But we understand the necessity for this and suck it up. Cyberspace is no different.
Note that in most cases, you will only have to do the two-step once for a given computer. You can usually check a box that says “trust this computer”, and when you log in next time, you won’t need a PIN code. Sometimes this only lasts for 30 days, but at least you won’t have to do it all the time.
Two-factor auth can also cause some heartache with desktop applications that don’t support 2FA methods. In this case, you will usually need to generate “app-specific passwords”. Again, you will usually do this in the “privacy and security” section of your online account profile. You generate a special password that is assigned to a particular application – your mail or calendar program, for example. And instead of entering your regular account password plus a one-time PIN, you’ll use this special password. Keep in mind that an app-specific password is a long, random string that lets that one application in without a second factor, so store it in your password manager, never reuse it, and revoke it from the same settings page as soon as you stop using the application.
Sorry for the bitter dose of reality, folks… but this is where we are now. Just do it. When your favorite service is hacked, you’ll know that you have a second line of defense protecting your precious data, money and reputation.
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.