Leland Fiegel

Securing Your Online Life: Two-Factor Authentication

  • By Leland Fiegel
  • February 24, 2014
  • General

The Internet can be a scary place. It seems like every day we see a story about identity theft, stolen credit card information, hacked accounts, and the like.

This is by no means an exhaustive article on personal online security, but rather an overview of one more tactic for protecting yourself online. It’s called two-factor authentication.

What is two-factor authentication?

You probably log in to various online services, such as email providers and social networks, with two pieces of information: a username and a password.

The password is one factor of authentication: something you know.

Two-factor authentication simply introduces a second factor into the mix: something you have. What’s something that you carry around with you everywhere?

Your cell phone!

With two-factor authentication set up, after successfully inputting your username and password, the online service sends an automated SMS message with a temporary, one-time use code to your phone.

Entering that code will complete the login process, which now provides access to your account.

Depending on how your phone is configured and what hardware it has, it may be possible to reveal this code only after a fingerprint scan or some other form of biometric screening.

What if my phone is lost or stolen?

It happens sometimes.

Online services that offer two-factor authentication realize that phones get lost, stolen, dropped in bodies of water, and otherwise rendered inoperable. That means there are always alternative two-factor login options available.

While these options may differ from service to service, here is how Google handles two-factor authentication when the phone factor fails.

  • Printable, one-time use codes. Google recommends keeping these in your wallet. However, if you’re robbed, your wallet AND your phone could be taken together, so I recommend keeping these somewhere safe and separate from your phone.
  • Trusted computers. Google offers you the option of “trusting” a computer, which means you can log in with your username and password without having to go through the two-step process each time. This should always be a computer that you, and only you, can access. Otherwise, you can’t really “trust” it. Remember, don’t trust any computers in a library or an Internet café. Those types of public computers tend to be cesspools for spyware anyway.
  • Get a new phone with the same number. This may be easier said than done, depending on your carrier. And you’ll probably want to keep your number for other reasons, too.
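Here is a small server-side model of the two mechanisms described above: a short-lived, single-use code sent out of band (the SMS step), and printable backup codes that each work exactly once. This is an added example, not code from the original post or from Google; the `SecondFactor` class, the `send_sms` hook and the sample phone number are all hypothetical, and the SMS outbox and clock are constructed in-process so it runs offline.

```python
"""Added example: a minimal second-factor check for two scenarios.

1. A temporary, single-use code delivered out of band (the SMS step).
2. Printable backup codes for when the phone is lost or dead.

Illustrative only: `send_sms` is a hypothetical hook and state lives in
dicts; a real deployment would call a carrier API and use a database.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # SMS code is valid for five minutes
MAX_ATTEMPTS = 3            # lock the pending code after three wrong guesses
BACKUP_CODE_COUNT = 10


def _hash(secret_value: str) -> str:
    # Store only a hash so a database leak doesn't expose live codes.
    return hashlib.sha256(secret_value.encode()).hexdigest()


class SecondFactor:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms          # callable(phone_number, text)
        self.clock = clock                # injectable for testing
        self.pending = {}                 # user -> {hash, expires, attempts}
        self.backup_hashes = {}           # user -> set of unused code hashes

    def start_login(self, user: str, phone: str) -> None:
        """Called only after the password check succeeded: send a fresh code."""
        code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[user] = {
            "hash": _hash(code),
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your login code is {code}")

    def verify_code(self, user: str, submitted: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]        # expired or locked: user must restart
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["hash"], _hash(submitted)):
            del self.pending[user]        # single use: consumed on success
            return True
        return False

    def issue_backup_codes(self, user: str) -> list:
        """Return plaintext codes once, for printing; keep only the hashes."""
        codes = [secrets.token_hex(4) for _ in range(BACKUP_CODE_COUNT)]
        self.backup_hashes[user] = {_hash(c) for c in codes}
        return codes

    def verify_backup_code(self, user: str, submitted: str) -> bool:
        hashes = self.backup_hashes.get(user, set())
        h = _hash(submitted.strip().lower())
        for stored in hashes:
            if hmac.compare_digest(stored, h):
                hashes.discard(stored)    # each backup code works once
                return True
        return False


def demo() -> dict:
    """Walk through the success, replay, expiry and backup-code paths."""
    sent = []                               # constructed SMS outbox
    now = [1_000_000.0]                     # controllable clock
    sf = SecondFactor(send_sms=lambda phone, text: sent.append(text),
                      clock=lambda: now[0])
    sf.start_login("alice", "+15555550100")   # hypothetical number
    code = sent[-1].split()[-1]             # what the phone would display
    wrong = sf.verify_code("alice", "000000" if code != "000000" else "111111")
    right = sf.verify_code("alice", code)
    replay = sf.verify_code("alice", code)  # same code submitted again
    sf.start_login("alice", "+15555550100")
    late_code = sent[-1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1          # wait past the TTL
    expired = sf.verify_code("alice", late_code)
    backups = sf.issue_backup_codes("alice")
    backup_first = sf.verify_backup_code("alice", backups[0])
    backup_reuse = sf.verify_backup_code("alice", backups[0])
    return {"wrong": wrong, "right": right, "replay": replay,
            "expired": expired, "backup_first": backup_first,
            "backup_reuse": backup_reuse,
            "backups_left": len(sf.backup_hashes["alice"])}


if __name__ == "__main__":
    print(demo())
```

The details worth copying are the ones that make the code a real second factor: it is generated from a CSPRNG, stored only as a hash, compared in constant time, expires quickly, survives only a few wrong guesses, and cannot be replayed once used. The backup codes follow the same rule, which is why the plaintext list is returned exactly once for printing.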

Some other common issues with two-factor authentication can be found on Google’s website.

Where can I set up two-factor authentication?

Pretty much every popular email service, domain registrar, and social network now offers two-factor authentication. Here are a few examples:

  • Google
  • Yahoo
  • Facebook
  • Twitter
  • LinkedIn
  • GoDaddy
  • NameCheap
  • PayPal

Here is a more complete list.

While several popular banks do offer two-step authentication, some still do not. Online banking accounts can potentially give hackers access to your entire life savings, which makes this a surprising omission.

Fortunately, most banks have dedicated fraud departments to detect unusual account activity, which is probably why certain banks don’t appear too keen on two-factor authentication.

How do I manage all these passwords?

It goes without saying that you should not reuse the same password across different websites, even with two-factor authentication enabled.

It’s incredibly (and unfortunately) common to use the same password everywhere, which means it’s one of the first things a hacker checks after obtaining one of your passwords.

Outside of going the low-tech route of writing them all down on a napkin, you can use a service like 1Password or open-source password management software such as KeePass.

When 2FA doesn’t matter

Some of the most recent highly-publicized “hacks” of individual users’ online accounts don’t involve the “hacker” somehow acquiring the user’s password through brute force. They involve the “hacker” tricking a company representative into granting them account access over the phone.

Sometimes the target could be a valuable Twitter account, like @N or @mat, although the collateral damage “hackers” cause to acquire those accounts can be devastating.

If you fear you may be a target for a similar social engineering attack, you may want to specify with certain online services that you will never reset your password over the phone, or ask them not to reveal information like the last 4 digits of a credit card, which other online services use for identification. Of course, keep in mind that you then won’t be able to reset your password over the phone either.

Remember, security is only as strong as your weakest link.