The Internet can be a scary place. It seems like every day we see a story about identity theft, stolen credit card information, hacked accounts, and the like.
This is by no means an exhaustive article on personal online security, but rather an overview of one more tactic to further protect yourself online. It’s called two-factor authentication.
You probably log in to various online services, such as email providers and social networks, with the following information: a username and a password.
The password is one factor of authentication.
Two-factor authentication is when you simply introduce another factor into the mix. What’s something that you carry around with you everywhere?
Your cell phone!
With two-factor authentication set up, after successfully inputting your username and password, the online service sends an automated SMS message with a temporary, one-time use code to your phone.
Entering that code will complete the login process, which now provides access to your account.
Depending on how your phone is configured and its accompanying hardware, it may be possible to only reveal this code upon a fingerprint scan or some other form of biometric screening.
It happens sometimes.
Online services that offer two-factor authentication realize that phones get lost, stolen, dropped in bodies of water, and otherwise rendered inoperable. That means there are always alternative two-factor login options available.
While these options may differ from service to service, here is how Google handles two-factor authentication when the phone factor fails.
Some other common issues with two-factor authentication can be found on Google’s website.
Pretty much every popular email service, domain registrar, and social network now offers two-factor authentication. Here are a few examples:
Here is a more complete list.
While several popular banks do offer two-step authentication, some may not. Online banking accounts can potentially give hackers access to your entire life savings, which makes this a very unusual omission.
Fortunately, most banks have dedicated fraud departments to detect any unusual account activity, which is the most likely explanation as to why certain banks don’t appear to be too keen on two-factor authentication.
It goes without saying that you should not use the same password across different websites at all, even with two-factor authentication enabled.
It’s incredibly (and unfortunately) common to use the same-password-everywhere technique, which means it’s one of the first things a hacker checks when obtaining one of your passwords.
Outside of going the low-tech route of writing them all down on a napkin, you can use a service like 1Password, or open-source password management software such as KeePass.
Some of the most recent highly publicized “hacks” of individual users’ online accounts don’t involve the “hacker” somehow acquiring the user’s password through brute-force. They involve the “hacker” tricking a company representative into granting them account access over the phone.
Sometimes the target could be a valuable Twitter account, like @N or @mat, although the collateral damage “hackers” cause to acquire those accounts can be devastating.
If you fear you may be a target for a similar social engineering attack, you may want to specify with certain online services that you will never reset your password over the phone, or ask them to not reveal information like the last 4 digits of a credit card, which other online services use for identification. Of course, keep in mind that you won’t be able to reset your password over the phone.
Remember, security is only as strong as your weakest link.