Two Factor Authorization – What it is and do you need it?

Few weeks go by in which we don't hear of a serious data breach. Unless directly affected by the news, most people find the report interesting and continue with their day-to-day activities without giving the implications additional thought. But this raises an interesting question: even if you or someone you know isn't directly affected by the breach, should you care? The short and simple answer is: YES!

Since the introduction of the personal computer in the 1980s, the role of computing technology in our daily lives has increased dramatically. In fact, most people in the US own some form of computing technology, whether a smartphone, a laptop, a phablet, a tablet, or some combination of these devices. With each new form of technology come opportunities for criminals and hackers to exploit weaknesses. Email scams that entice you to reveal your financial information, attacks that can leave you without your money, or malware that scrambles your computer so that you can't use it without first paying a ransom are examples of growing technology threats and risks. Just because we read about something in the news, that doesn't mean it can happen to us, right?


Wrong! In fact, my wife and I had an account hacked (although we won’t mention which vendor) this past summer. The hacker somehow learned our account information – userID and password – logged in, changed all of the contact information, and then proceeded to make various travel reservations in Germany. Fortunately, I have another layer of security – I receive an email for every credit card transaction in real–time – and noticed transactions that neither my wife nor I initiated. We contacted our bank and the vendor to correct the problem. If we had waited until we had received our monthly billing statements at the end of the month, the damage would have been done and could have been more extensive. We were fortunate; we caught it early.

One way that businesses protect themselves from data theft, intrusion, and other mischief is called Two Factor Authentication, or 2FA. Two Factor Authentication is primarily used when logging into an account. It is based on the idea that when you log into your account, you will present two pieces of information: 1) a piece of information that only you should know, and 2) a second piece of information that changes frequently and that only you will be told. The piece of information you know might not change frequently (such as your password), while the other changes every time you log in or at a short interval, such as every 30 seconds. This second piece of information is delivered to you through a trusted channel (e.g., a secure token, your phone, or a trusted app on your phone). The security of 2FA rests on the assumption that only you will have both pieces of information at any given moment.


Here's how it works: let's say you log into one of the sites you visit regularly, like Facebook, Google Mail, Amazon.com, or your bank. You generally provide your userID and your password. This represents information only you should know. Unfortunately, any criminal or hacker who obtains this information can log into your account just as easily.

Two Factor Authentication requires another piece of information. For example, when you log into an account with 2FA turned on, you will also be prompted for a second code. This code is sent to your smartphone, under the assumption that a hacker thousands of miles away will not have access to that device. Another alternative is to use a smart key, smart token, or authentication app. These are essentially devices or applications that generate a code that only you should know. And since these codes change every 30-60 seconds, it is unlikely that a hacker would know the next code, even if someone were to obtain your userID and password.

While it may sound inconvenient to have to receive and enter a second piece of information before you can access the site, the benefit is that it greatly increases the difficulty for a criminal or hacker to break into your account. In reality, it is not difficult, painful, or inconvenient. You are simply entering another 4 to 6 digits into an extra field before you can access your account. This translates into a few extra seconds of waiting to log in, and in return you gain an enormous amount of additional protection. This is definitely a good trade-off.

To see if a company or site currently supports 2FA, you can visit twofactorauth.org. Some of the most popular destinations already have 2FA and provide instructions for turning it on. These include: Facebook, Twitter, Dropbox, Google, and Amazon.

In addition to turning on 2FA where it is available, you should consider the following recommendations:

  1. Never click on a URL contained in an unsolicited email and enter your information, because the website could be faked. If it is a legitimate business and you currently do business with them, type the URL (the site's web address) in yourself.
  2. Never give out your information to anyone who calls you, because the caller could be faked. I was called once by my bank to inform me that they thought my credit card was hacked and asked for some information. I hung up and called the fraud phone number located on my credit card. In this case the call was legitimate; but you should not assume that it is.
  3. Do not log into your accounts (at least not the important ones) from a shared machine (e.g., in a library or common area of a dorm), because someone might come along later and gather your information from that computer. While some organizations provide some level of security to help in these cases, not all do.
  4. Don't reuse the same password, because if a hacker gains your information they have access to every account where you use the same userID and password. It is a good idea to use a unique password for every site you visit. You can use a password manager like 1Password or LastPass to help you keep track of them.
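Recommendation 1 says the site behind a link "could be faked". As an added example (my own code, not from the post), the snippet below shows why the text of a link is not enough to go on: it extracts the host a browser would actually connect to and accepts the link only if that host is exactly one you do business with. The allowlist domains are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the user actually has accounts with (placeholder
# domains). A real check would use the addresses you typed in yourself and bookmarked.
TRUSTED_HOSTS = {"bank.example", "www.bank.example"}


def effective_host(url: str) -> str:
    """Return the host a browser would really connect to, lowercased.

    urlsplit().hostname discards any 'user@' prefix and any ':port', so a link
    written as 'https://bank.example@other.example/' resolves to 'other.example',
    not to the familiar name that appears first in the text.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.lower().rstrip(".")


def is_trusted_link(url: str) -> bool:
    """True only when the whole host is on the allowlist.

    Comparing the entire host (not a substring) is what defeats look-alike
    names such as 'bank.example.other.example', where the familiar name is
    merely a subdomain of somewhere else.
    """
    try:
        return effective_host(url) in TRUSTED_HOSTS
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample links, the way they might appear in an email.
    for link in ("https://www.bank.example/login",
                 "https://bank.example.other.example/login",
                 "https://bank.example@other.example/login"):
        print(f"{link:50} -> {effective_host(link):25} trusted={is_trusted_link(link)}")
```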

Two Factor Authentication is not a panacea. On the upside, you significantly reduce the risk of a hacker gaining control of your accounts if you turn on 2FA. This is a tremendous benefit. So, as a general rule, turn on 2FA on sites where it's offered, and get comfortable with practices and behaviors that will make your online, web, and mobile activities safer and more secure.

––––

Steven B. Bryant is a futurist, researcher, and author who investigates the innovative applications and strategic implications of science and technology on society and business. He is the author of DISRUPTIVE: Rewriting the rules of physics, a thought-provoking book that introduces Modern Mechanics, a unified model of motion that fundamentally changes how we view modern physics. DISRUPTIVE is available now at Amazon.com, BarnesAndNoble.com, and other booksellers!

Images in the body of the blog are courtesy of Pixabay.com