In the post Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords) we looked at using a Password Manager to give every online account its own separate password. That task helps with the first of three goals:
Before we head into the second goal, here’s a quick quiz:
Hint: My online bank account, while very important, isn’t the most important account on this list to protect!
So, what is the most important to protect?
–> My Primary Email Account!
Surprised?
What can a Bad Guy learn with access to my email account? Where I bank, for a start, and probably every other online account I hold, since nearly all of them send mail there. Knowing where I bank, he or she goes to my bank’s login page and clicks the “Forgot my password” link. My bank will happily send a password reset email to… my email address. The Bad Guy follows the link, sets a new password, and deletes the email so I never see it. As for my bank account: I’ll be out and the Bad Guy will be in. Moreover, since almost every account recovers through email, the Bad Guy can repeat this for all of my online accounts and lock me out of my online life completely. All by getting access to just one account: my email account.
That brings us to the second goal:
Wait, what? If the Bad Guys get my user ID/email and password, can’t they just log in? If that’s the only lock on my online gate, then in they come! My user ID and password can be classified as something I know. When security relies only on something I know, it is easy for someone else to eventually know it too: it can be phished, guessed, or leaked in a breach. I need to add something I have into my security solution.
My house, and probably yours, is secured by something I have, usually a physical key. My garage door may be secured by something I know, like a keypad code. These solutions have flaws, but are generally secure because my house is in a single physical spot on the planet. The Bad Guy must physically go there to use the key or code, open my door locks, and get my stuff.
If I only use something I know to lock up my online “stuff”, the Bad Guy doesn’t even need to leave his basement. I also need to lock up my online stuff with something I have: a physical thing I can carry in my pocket. Without the physical key (device), the Bad Guy in the basement is mostly just frustrated and will move on to an easier target.
Something I have can be:
In all these cases the device I have generates a time-limited one-time code, and entering it proves that I actually have the device at the moment I’m trying to log in. A code is usually good for only 30 to 60 seconds, so one that a Bad Guy captures today is worthless tomorrow.
If I’m using a second factor, a Bad Guy who gets my password still won’t have my smartphone or my electronic key device. An emailed code is the weakest choice here: the email account is exactly what the Bad Guy most wants, so protect it, and everything else, with a phone or key device wherever you can.
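The code-generating apps and key devices described above implement the TOTP scheme (RFC 6238): the device and the service share a secret, and each 30-second window yields a fresh six-digit code. The Python below is an added illustration, not code from the original post. It uses the RFC 6238 reference secret and reproduces its published test vectors; the `window` parameter (how many neighbouring time steps a service tolerates for clock drift) and all function names are my own assumptions about how a service might implement the check.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret: the ASCII string "12345678901234567890", base32-encoded.
# Demonstration only; a real enrolment generates a fresh random secret per account.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often shown without '=' padding; restore it before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) with counter = floor(unix_time / step)."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32: str, code: str, now: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Service-side check. `window` is how many adjacent steps are accepted to absorb
    clock drift (an assumption here; 1 is a common choice). The comparison is
    constant-time so a wrong guess does not leak how many digits matched."""
    if len(code) != digits or not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    # Same secret, two moments in time, two different codes: that is the whole point.
    print(totp(RFC6238_TEST_SECRET, 59))            # 287082 (RFC 6238 vector 94287082, six digits)
    print(totp(RFC6238_TEST_SECRET, 1111111109))    # 081804
    # A code captured at T=59 is useless years later, even with a one-step window.
    print(verify_totp(RFC6238_TEST_SECRET, "287082", now=1111111109))
```

Nothing in the exchange is secret except the shared key, so a Bad Guy who watches you type one code has learned nothing reusable; what the service must protect is the key itself, and what you must protect is the device that holds it.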
Many online services support Two Factor Authentication (partial list):
The simplest second factor to use is text messaging. Once I have registered and confirmed my mobile phone number with my online account, whenever a login is attempted from a new device (PC, phone, etc.), a text message with a one-time code is sent to that number, and I must enter the code during login to confirm that it is really me. It is also the weakest of the options: the code goes to whoever controls the phone number, and a Bad Guy who talks the carrier into moving my number to his SIM receives my codes. Use it where it is the only choice, and prefer an app or key device where one is offered.
There are also apps that I can install on my phone:
Most services provide backup methods for when your primary second-factor device is lost or damaged. The most common is a printed list of one-time backup codes. Each code works exactly once, and the list should be kept somewhere safe, apart from the device it backs up.
Google and Facebook can also push a prompt to my registered smartphone so I simply tap to approve, which is a little easier than typing a code. Other services may have similar options.
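The service side of those printed backup codes, as an added Python sketch that is not from the original post: generate the codes from a cryptographic random source, keep only salted slow hashes (never the plaintext), accept whatever formatting the user types back, and delete an entry the moment it is redeemed so a captured code cannot be replayed. The class, function names, code length and hashing parameters are my own choices.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Tuple

ALPHABET = string.digits + string.ascii_lowercase   # 36 symbols, about 5.17 bits each
PBKDF2_ROUNDS = 100_000                              # slow hash: the codes are short


def normalize(code: str) -> str:
    """Accept what a user would plausibly type: any case, with or without the dash."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Codes shown to the user once, formatted as xxxxx-xxxxx for easier transcription."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])
    return codes


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the service keeps per account: (salt, hash) pairs, each usable once."""

    def __init__(self, codes: List[str]) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _digest(code, salt)))

    def remaining(self) -> int:
        return len(self._entries)

    def redeem(self, attempt: str) -> bool:
        """True exactly once per code; the matching entry is burned on success."""
        for i, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(_digest(attempt, salt), digest):
                del self._entries[i]
                return True
        return False


if __name__ == "__main__":
    issued = generate_backup_codes()
    print("Print these and keep them safe:", *issued, sep="\n  ")
    store = BackupCodeStore(issued)
    print(store.redeem(issued[0]), store.redeem(issued[0]), store.remaining())
```

Because a lost list is as good as a lost phone to whoever finds it, the list belongs in a drawer or safe, not taped to the device it is meant to replace.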
To find more details and specific instructions you will need to visit your various online accounts. Here are a few places to start:
If you pursue these solutions, the first two goals will have solutions in place:
This can feel daunting, but it is critically important to protect your online accounts from the Bad Guys wherever they are, and your offline/real life as well. Take it one account at a time, starting with your primary email account, since every other account recovers through it, and you’ll get there!
Next up: Goal 3: Don’t allow access even if a device is lost or stolen, using encryption.
Pingback: Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords) – Real Estate & Things: Jeff McClees | Jul 14, 2017, which links to this post, Part 2: Two-Factor Authentication (2FA) – Why it matters and how to do it.