How to Set Up Two-Factor Authentication: Steps & Authenticator Apps

Managing identities is crucial in today’s volatile information security environment, and two-factor authentication has become an industry standard for secure logins. However, to take advantage of this security feature, you must understand what it is and how to set up two-factor authentication correctly.

 

The Importance of Authentication

Security breaches happen every day. For companies like Target, eBay and Yahoo that have experienced a breach, hackers stole customers’ personal, login or financial information.

If you’ve experienced a breach, you understand the chaos that ensues: You receive frantic emails to change your login credentials or password and worry whether your information is safe. It’s important to have solid authentication systems during times like these.

Because breaches occur more often than ever, it’s important to have complex passwords and unique login credentials for all your websites. We talk about this in our blog, “Why you need to setup password restrictions.”

It’s also important to have two-factor authentication, which adds another layer of security to your accounts.

What Is Two-Factor Authentication?

One-factor authentication asks you to prove your identity with a username and password. Two-factor authentication is an additional security measure that protects your personal information by requiring a username, password and an additional factor. This is usually your phone number.

For example, a two-factor authentication system first asks you to enter your username and password as usual. Then, it asks for a smartphone number. Within seconds, an authentication code is sent to your phone via call or text. Upon receipt, you enter this code into the system to gain access to your account.

You can also download an app that generates a new code every 60 seconds and links to any account. This acts as an added security measure to keep hackers out. We’ll discuss this form of authentication later.

Is It Worth Your Time?

Adding two-factor authentication is a simple way to secure your data. Let’s say LinkedIn is hacked, and the infiltrators obtain your username and password. If you have two-factor authentication, they won’t be able to get into your account unless they have access to your phone.

Adding an additional factor to the authentication process is also helpful if you use the same username and password for every website. We advise against this in our other blog but understand it happens. If you use the same login credentials for all sites, but also have two-factor authentication for each, hackers won’t be able to access all your accounts just by knowing two pieces of information.

How to Set Up Two-Factor Authentication

At this point, you might be thinking: Sounds great, but how do I set up two-factor authentication?

First off, DON’T hunt for two-factor authentication instructions on every website you have an account with. Instead, use TurnOn2FA. This website gives detailed instructions and screenshots for setting up two-factor authentication on 100+ websites.

We recommend setting up two-factor authentication first on the accounts that hold your most valuable information. This includes sites like Dropbox that store your social security, email, credit card, bank account, etc.

Now that you understand the basics of two-factor authentication, let’s go over the different forms.

Forms of Two-Factor Authentication

Two-factor authentication is offered in multiple forms including SMS codes (text message), email codes, authenticator apps and more. We will review the most popular two-factor authentication options below.

SMS Codes 

What are they?

SMS Codes are standard authentication codes sent to your phone via text message every time you log in to a site.

Risks:

  • Hackers can intercept codes before they reach your phone.
  • The SIM card in your phone can be duplicated, allowing hackers to receive your authentication codes.
  • Hackers can contact your cell phone provider and coerce them into transferring your phone number to a different device. This gives them complete control of your phone and any authentication codes sent to it.

Recently SMS codes have come under scrutiny for being an old protocol. While it is not the most secure option, it is better than nothing. Over time companies will move away from SMS toward more secure methods.

Email Codes

What are they?

Some services have the option to send an authorization code to your email. It’s the same as an SMS code but sent to your email instead of your phone number.

Risks:

  • If your email provider does not do a good job protecting your security, hackers can easily gain access to your email account and directly acquire your two-factor authentication codes.
  • Another concern with email is the number of devices that have access to your email accounts. Most people are potentially logged into their email on a cell phone, tablet, laptop, and desktop. If someone steals your tablet or gains access to an old app that has access to your inbox, they may be able to log in to your accounts using that email as a second factor.

In conclusion, sending authentication codes to something you access from multiple devices is probably not the best option.

Authenticator Apps

What are they?

There are multiple authenticator applications on the market, including Google Authenticator, Authy, Duo, and many others. When you set up an account, a secret key is created and shared with your phone application via a QR code. Both ends then use that key to compute a new code every 30 seconds or so.

Risks:

  • A minor risk of these third-party apps is they allow you to sync across multiple devices. This potentially gives a hacker the opportunity to gain control of a device you are not watching.
  • An attacker could hack the authentication service to gain access to the user’s keys.

Aside from the ones mentioned above, there are a few other types of two-factor authentication, though they’re far less popular.

For example, phone call codes are similar to SMS codes, just transmitted over a call. Hardware keys are another type. With these, an authentication code either changes frequently or connects to your device via USB.

Enabling two-factor authentication isn’t a surefire way to prevent a security issue, but it’s extremely helpful.

As Temecula Valley’s #1 IT support managed services provider, we would be happy to answer any additional questions you have about two-factor authentication. Email or give us a call today.