Keeping the Bad Guys Out of Your Online Life: (Part 2: Two-Factor Authentication)

We looked at using separate passwords for each online account by using a Password Manager in the post Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords). That task helps with the first of three goals:

  • Goal 1: Don’t allow one compromised account to spread to other accounts, with separate passwords for every account using a password manager

Before we head into the second goal, here’s a quick quiz:

  • Which of these is the most important to protect:
    • My Pokémon Go Account
    • My Online Bank Account
    • My Facebook Account
    • My Primary Email Account
    • My Luggage Lock

Hint: My online bank account, while very important, isn’t the most important account on this list to protect!

So, what is the most important to protect?

–> My Primary Email Account!

Surprised?

What can a Bad Guy learn about me with access to my email account? Emails from my bank, for a start, and from there a list of just about every other online account I have. Now that the Bad Guy knows where I bank, he or she can go to my bank’s login page and click the “Forgot my password” link. My bank will happily send a password reset email to… my email address. If the Bad Guy then deletes that email, I will never know. As for my bank account: I’ll be locked out and the Bad Guy will be in. The same trick works on every other account that resets its password through that inbox, so the Bad Guy can take control of all of them and lock me out of my online life completely. All by getting access to just one account: my email account.

That brings us to the second goal:

  • Goal 2: Don’t allow access to your account even if the password is compromised, with Two Factor Authentication (2FA)

Wait, what? If the Bad Guys get my user ID/email and password, can’t they just log in? If that’s the only lock on my online gate, then in they come! My user ID and password are something I know. When security relies only on something I know, it’s easy for someone else to eventually know it too, whether by guessing it, phishing it, or finding it in a breach of some other site. I need to add something I have to my security solution.

My house, and probably yours, is secured by something I have: a physical key. My garage door may be secured by something I know, like a keypad code. These solutions have flaws, but they work well enough because my house sits in a single physical spot on the planet. The Bad Guy must actually travel there to use the key or code, open my door locks, and get my stuff.

If I only use something I know to lock up my online “stuff”, the Bad Guy doesn’t even need to leave his basement. I also need to lock up my online stuff with something I have – a physical thing I can carry in my pocket. Without that physical key (device), the Bad Guy in the basement is mostly just frustrated and will move on to an easier target.

Something I have can be:

  • My Smartphone, which can receive a text message, or use an Authenticator app 
  • A physical electronic key that I insert into my computer 
  • An electronic “dongle” that displays a new code every 60 seconds 
  • An email address (risks and cautions here – see email points above…!).

In most of these cases the thing I have produces (or, for text message and email, receives) a short one-time code that proves I actually have the device at the moment I’m trying to log in. Usually the code is good for 30 to 60 seconds, and a new one replaces it after that. A physical key that plugs into the computer works a little differently: it doesn’t display a code at all, but answers a challenge from the website with a cryptographic signature that only that key can produce, which is why it is the hardest of these options to fool.

If I’m using a second factor and the Bad Guy gets my password, they still won’t have my smartphone, my electronic key, or my email account, so the password alone gets them nowhere.

Many online services support Two Factor Authentication (partial list):

  • Google (gmail, google drive, etc.)
  • Microsoft (Hotmail, Outlook.com, Onedrive, etc.)
  • Yahoo (Yahoo mail)
  • Apple
  • Most banks (sadly, not all do yet!)
  • Lastpass
  • Dropbox
  • Facebook
  • Amazon

The simplest second factor to use is text messaging. Once I have registered and confirmed my mobile phone number with my online account, whenever a login is attempted from a new device (PC, phone, etc.) a text message with a one-time code is sent to that number. I’ll need to enter that code during login to confirm that it is really me. Text messaging is also the weakest of the options listed: a code sent by text can be read by anyone who persuades the phone company to move your number to their SIM card, so where a service offers an authenticator app or a physical key, prefer that and keep text messaging as a fallback.

There are also apps that I can install on my phone:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator
  • Entrust (used by some banks)
  • Others

Most services have backup methods to use if your primary second-factor device is lost or damaged. The most common is a printed list of one-time backup codes. Each of these codes can be used only once, and the list should be kept somewhere safe (not in the same bag as the phone, and not in your email).

Google and Facebook can also prompt for authentication directly on my associated smartphone to make it a little easier. Other services may have similar options.

To find more details and specific instructions you will need to visit your various online accounts. Here are a few places to start:

  • Google
    • Go to myaccount.google.com & login
    • Click Sign-in & security
    • Find the 2-Step Verification link on the page, then review and carefully follow the steps
  • Facebook (desktop)
    • Go to Settings
    • Click Security and Login on the left
    • Find Use two-factor authentication on that page
    • While you’re there, look at and set up the other Extra Security options you see
  • Banks
    • All use different methods and tools, but should be easy to find on the bank web page after logging in
  • Microsoft
    • Go to microsoft.com
    • Sign in, or click your account in the upper right corner
    • Click Security on the blue menu bar
    • Click more security options at the bottom of the page

If you pursue these solutions, the first two goals will have solutions in place:

  1. Preventing a compromised account from spreading to other accounts with separate passwords for every account, using a password manager
  2. Preventing access even if the account password is compromised with Two Factor Authentication (2FA)

This can feel daunting to do, but is critically important to protect your online accounts from the Bad Guys wherever they are, and your offline/real life as well. Take it one account at a time and you’ll get there!

Next up: Goal 3: Don’t allow access even if device is lost or stolen, using Encryption

Comments

  • Keeping the Bad Guys Out of Your Online Life: (Part 1: Managing your passwords) – Real Estate & Things: Jeff McClees | Jul 14,2017

    […] Part 2: Two-Factor Authentication (2FA) – Why it matters and how to do it […]