Why a password is not enough…What is two-factor authentication?

By | September 28, 2016

2factor

Everyday, another site is hacked and passwords are stolen.  You login to a site and are asked to change the password or increase the complexity of the password.   If you are like most people, you have 1-3 passwords you use on all sites.   It only takes 1 of those sites to be hacked, before your password is now in the hands of hackers to try on other sites.

Sites have introduced a new level of security over the years to enhance the password.   This is called 2 factor authentication or secondary authentication.   If enabled, the first time you login to a new browser, you will have to provide your username and password, plus a second form of authentication.   This could be a text to your phone with some digits, a call to your phone with some numbers, or maybe they have an app code generator like Facebook, Google, and Microsoft.   What this does is prevent someone from gaining access to your account if your password is stolen or compromised by requiring another authentication from something you have with you.

The most important password for all internet sites is your email password.  I would say this is just as important as a banking password.   You should never use your email password on other sites, because that is the first thing a hacker tries when stealing site information.  They take the email and the password and try to access the actual email account.  If someone can access your email, they can go to ANY account you have and request a password reset which ironically emails you the temp password to login.   Once you are into someone’s email, you can order items on shopping sites, change service with cell carriers, or even try and access banking and personal information.  If you have 2 factor authentication enabled, then this hacker could not get in.

Here are some general guidelines to secure your accounts and passwords on the internet:

  1. Use a strong password for your email.
    • Use a Passphrase, or repeat your typical password twice with a special character between it.
  2. Do not use the same password for email on any other account / service.
  3. Use a password manager to record all your passwords and allow you to generate unique and complex passwords on all websites.  (Watch for a future topic on recommended password managers and how to use them)
  4. Do not use security questions on sites that are easily available on social media
    • Hometown
    • Parents Name
    • High School Mascot
    • Things you offered up in Facebook shared posts (hackers have been known to start those to get you to share personal information to social engineer into a site)
  5. Enable  advanced security logins for any site that supports it as you sign up for an account
    • Two Factor Authentication
    • Email alerts / text alerts on new browsers logging in

Here are some example sites that use 2 factor authentication and if you have an account there, I suggest you enable this feature by following their instructions.

Google (Gmail) – https://www.google.com/landing/2step/

  • Google supports secondary authentication with a text message or through the use of a separate application called Google Authenticator which generates unique codes.
  • Video Tutorial

Yahoo – https://help.yahoo.com/kb/SLN5013.html

  • Yahoo recently was hacked and all users are being forced to change their password.  They are also recommending to REMOVE your security questions on the account page.  You can then enable 2 step verification
  • Video Tutorial

Microsoft (Outlook.com/Hotmail) – https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification

  • Microsoft supports 2 step verification.  They will make you save a long password for security in case you cannot get into your account.  Also you can use App Verification with the Microsoft Authenticator  App.
  • Video Tutorial

Apple (Apple ID / iCloud) – https://support.apple.com/en-us/HT204915

  • Apple lets you setup 2 factor authentication from your existing iDevice in the Settings of the device.  As a note, if you have a device that is not on iOS 9.0 or higher, it will warn you that they are not compatible and may require a temporary password each time to use.  You may want to hold of on Apple 2 Factor authentication if that becomes the case.
  • Apple will always inform you when a new user signs into an account with your Apple ID.
  • Video Tutorial

Facebook – https://www.facebook.com/help/148233965247823

  • Facebook utilizes a process called “Login Approvals”.  This will remember a browser on your machine and trust it.  In order to trust a new browser, it will require an approval from a currently signed in account (like mobile or existing computer browser) to get the Facebook login code.

Twitter – https://support.twitter.com/articles/20170388

  • Twitter utilizes a similar process to Facebook with text messaging approvals.  They call it “Login Verification”.

Please watch for future articles on the following planned topics:

  • Password Managers – Which one should I use?
  • How to setup a password manager
  • How to see what devices are connected to your apple ID / Google Account
Facebook Comments
Matt Caminiti