Secure logins: two-factor authentication

Sven Krumrey

We all want data security - and sometimes you need to change your habits for it. I already wrote about strong passwords and how to detect phishing attempts, so today's article is about secure logins. Two-factor authentication may sound like a bureaucrat's wet dream but it does wonders for the security of your user accounts, even when your login credentials have already been stolen!

Two factors for more sign-in security

Once others use our credentials to log into Google, Microsoft, Dropbox, Amazon, Apple, Facebook, Twitter and other accounts, there's plenty of room for abuse. At worst, we'll be up to our ears in debt because someone went on a shopping spree or the police suddenly turn up at our doorstep because a crime was committed in our name. This is a realistic scenario thanks to trojans, phishing or hacked company servers that store your data. That's why it's all the more important to take additional security measures, and two-factor authentication is one of them.

It means that, along with your user name and password, you'll also need to enter a code you received on your cellphone on a case-by-case basis to further prove your identity. This approach effectively locks out anyone who manages to steal your user name and password. You'll need to enable this feature individually for each of your services. Here's how!

1. Log into the affected service with your user name and password.
2. Access your account settings and look for something like "Login settings", "Security" or "Authentication". Each service provider uses different labels; Google calls it "Sign-in & security".
3. Look for an entry similar to "2-step verification" or "Two-Step Verification" and enable this feature.
4. Unless already available, your service provider will now require you to enter your cellphone number.
5. You will then receive a confirmation SMS with a security code. Simply type in your code on your computer and you're good to go. From now on, your cellphone will be part of the login process.

One more step that makes all the difference

All future logins will now require you to input a code along with your user name and password. It's one more link in your security chain that makes all the difference. Identity thieves that get hold of your login credentials will be permanently locked out. No cellphone, no access, it's that simple! In case you consider the extra step of entering a code for each login too laborious, some providers such as Google allow you to specify secure machines (Add trusted computer) that won't require the code for logins. This way, only login attempts from new and unknown computers will prompt for a code and you won't have to search for your cellphone first when you log into your account at home. But what about vacations or places that don't offer cellphone connectivity? Service providers have got you covered here, too.

Not only can you receive codes via SMS but you can also generate offline codes for later use through special apps like Google Authenticator. Most providers furthermore allow you to add alternative phone numbers or create USB-based authentication keys so that you'll only need to plug in the drive later to pass the extra authentication step. I consider carrying a flash drive around too tedious but some love this approach. If you're a fan of paper-based solutions or prefer a more traditional approach, you'll be delighted to hear you can also print out several codes and use them like you did with TANs in the initial days of online banking.

Cellphone, security key or paper list, the choice is yours

Help on how to set up and use two-factor authentication is available online and providers are putting a lot of effort into making the process as seamless as possible. Note: receiving text messages with codes may incur costs, whereas using the various apps is free. As users may be required to reveal their cellphone numbers, this security model may not appeal to everyone and cellphone refuseniks are excluded altogether (though ordinary phones may also work).

If you've been living in constant fear of data theft, you may want to consider two-factor authentication. It doesn't take a lot of getting used to and involves close to zero extra effort once you add your home computer to the list of trusted devices. Finally: the thought that some dirtbag out there has your credentials but can't use them is somewhat appealing, too.

What I would like to know: are you already using two-factor authentication or do you consider using it?
