More on Two-factor authentication
John M. Haddad
As I mentioned in a previous post on two-factor authentication, no matter how strong you make your password, your best protection is to add an extra layer of security called two-factor authentication.
Recently, in speaking with many of my clients, I have found that they are still confused about what this is and how to implement it. One of the challenges is that there is no standard for implementing two-factor authentication across websites. However, if you do not want to be a victim of the stolen passwords we read about in the press every day, I strongly suggest you look into turning on this feature on your favorite websites.
Here are some common questions I’ve received and some tips for implementing two-factor.
Two-factor authentication (2FA) sounds too techie. What does it really mean?
Two-factor authentication is a very secure way to protect your online accounts. It works by requiring you to identify yourself using two different things when you log in to a site.
- Something you know – Your Password
- Something you have – Your Cellphone (or token)
Normally you use a username and a password to log in. With two-factor authentication you use a username, a password and a token. The token is a unique number that your cellphone generates and that is constantly changing. Because only your cellphone can generate that number and only you own the cellphone, even if someone was able to guess or steal your password, with two-factor authentication enabled they wouldn’t be able to hack your account without stealing your cellphone too.
For example, recently in the press there was mention that Russian hackers had stolen 5 million Gmail usernames and passwords (see CBS News article). While I was concerned, I had the peace of mind of knowing that I had turned on two-factor security for my Gmail accounts. So if they tried to hack into my account, they would be stopped and asked for a separate code that only I had on my cellphone.
Which apps should I protect with two-factor authentication?
The simple answer is … every app that supports two-factor authentication. Due to increased consumer awareness of security hacks and stolen passwords, many companies are scrambling to add two-factor authentication to their websites. There is a very comprehensive list that shows which websites support two-factor authentication and which method they use to support it.
Major sites like Gmail, Yahoo, Facebook, Dropbox, Evernote, Outlook.com, YouTube, LastPass, PayPal, Google+, LinkedIn, Twitter … and many more … all support some type of two-factor authentication solution.
So, how do I go about implementing two-factor authentication?
The first step is to focus on your most critical and sensitive applications. For me, it was my banking apps, Gmail, Facebook, LinkedIn and Dropbox. These were critical to me both for my business and my personal use.
Second, go into the settings of each application, then to its Security section, to see if it supports two-factor authentication. It may not be called two-factor by name, but you will recognize it because the site will offer a “second” method to secure your account.
Each app may implement two-factor authentication differently. Some allow you to use a common software token generator like Google Authenticator or Authy (see next section). Others offer to send an SMS (text message) to your cell phone. Still others allow both, with a backup option of a phone call that reads the code to you.
Most apps will also give you backup codes to use, just in case you happen to lose your cell phone. The backup codes should be kept in a safe, secure place (not on post-it notes on your monitor!). Just follow the instructions from the app to set up two-factor.
Then, the next time you log in, you will enter your user name and password. A second screen will come up asking you to enter a unique code (usually a six-digit code). That code is valid only for that login; it will be different each time. Many apps will allow you to stay logged in for 30 days or so without having to re-enter a new code, but after 30 days you will be prompted for a new code from your phone.
Smartphone Apps for Two-Factor Authentication
Instead of getting SMS messages on your phone, some applications (like Google, Dropbox, Evernote and LastPass) allow the use of a smartphone application to automatically generate a six-digit code for you. Two of the most popular apps are Google Authenticator and Authy. Both of these run on most smartphones.
In my previous post, I mentioned that I was using Google Authenticator. After reading more about two-factor authentication solutions, I decided to use Authy. With Authy, I can run my two-factor authentication on my smartphone (Android or iPhone), my tablet (Android or iPad) and even in my Chrome browser. So if I don’t have my phone, I can still generate my 2FA code from other devices.
I mentioned that many website apps support Google Authenticator and Authy. The way most of them set it up is by using a QR code. When you enable 2FA for the website, a QR code will be displayed. Using the smartphone app, you simply scan the code with your smartphone’s camera and your application is immediately set up for 2FA. You will notice that a new code is generated every 30 seconds.
Unfortunately, not every application you use on the web has implemented two-factor authentication, but more are being added each day. In addition, each application may implement two-factor differently. But more and more are using standard implementations, such as SMS or smartphone apps like Google Authenticator or Authy.
No matter what, we highly recommend that you take some time to look at the security settings of each of the major websites that you visit. Don’t wait until it’s too late for someone to hack into your account and steal your password. Get peace of mind today and start implementing two-factor authentication for added protection.