The password is a really old way to protect computer systems, yet many systems we use rely solely on them when authenticating users. A simple password might have been a good idea when we used only a handful of systems, but times are changing. Today we need accounts for all the social media we are on, the mail accounts, accounts for on-line shops, the bank, the workplace, you name it… Frankly speaking, I have no idea how many on-line accounts I have. And I can make one confession. I use the same password on some of them, even if the important ones naturally have strong unique passwords.
And here we are at the core problem with passwords. They should be complex enough to withstand brute force and dictionary attacks (that is when hackers systematically try a large number of passwords in hope of finding the right one) and they should be different on all systems you use (to limit the damage if one account is compromised). Many complex passwords and limited brain capacity, that doesn’t work. There are systems to create and remember many complex passwords, but many people aren’t motivated enough to use them. That’s one reason why two-factor authentication is spreading fast.
Another reason to raise the security is that hackers may target a particular system. They may break into it to steal passwords or use phishing techniques to trick you into revealing your password to them. Or plant a keylogger in your system. They may get the password, but still fail to get access to your account if you use two-factor authentication.
But what is two-factor authentication? Let’s start with some theory. An authentication mechanism can use several factors like what you know (a password you remember), what you have (a smartcard or a mechanical key) or what you are (biometrics, retina or fingerprint scans for example). A two-factor or multi-factor authentication system uses at least two of these factors. The best known example is an ATM-card that you have combined with a PIN-code that you know.
The most common way to utilize this for an on-line service is to rely on your mobile phone. You start by entering your user ID and password normally. After that the system sends a unique one-time code to your phone. You type the code and get access to the system. Your phone is the “what you have” -item as the message is directed to that particular device and can’t be read by others. This requires two things; that you have registered your phone number with the service and that you have turned on two-factor authentication. Some services do promote this option actively and ask if you want to use it.
So should I turn it on? Yes, if the service is important to you. You gain a lot of security for a quite small extra effort. You may have noticed several news reports lately about hacked Twitter-accounts. One of the incidents did even impact the stock market. Twitter happens to be one of the major on-line services that doesn’t support two-factor authentication yet. Many of these incidents could have been avoided if they had support for it. Needless to say, if you tweet for a global news agency you really need more security than just a password. But most ordinary people have services that also are important enough to justify this extra security.
Nothing is perfect so what are the downsides with two-factor authentication? The extra effort to type the code after login is of course obvious. But many systems mitigate this by remembering your device and only requiring the code when using a new device. You also must have your phone with you when you log in, which you probably have anyway. Except if you have lost it, which could prevent you from accessing your accounts. Some configuration settings in your browser may also prevent two-factor authentication from working or force you to authenticate every time you log in, even on the same device. Apps that access your account may require some extra attention. They need an extra application specific password that you can create under security settings in the account’s web interface. And last but not least. The service provider must know your phone number, which normally is linked directly to your true identity. This is usually OK, but becomes a problem if you want to be truly anonymous on the site, or have other reasons to not trust them with your number.
And remember that two-factor authentication improves security a lot, but there is no such thing as perfect security. The skimming attacks against ATMs is a classic example. The malware Perkele targets Android devices and works together with desktop malware to defeat on-line banks. Perkele proves that on-line services’ two-factor authentication can be attacked, but this is not a major threat yet.
So the verdict is that two-factor authentication is good. Turn it on if you can. Here’s some examples of where to look for these settings:
Facebook: Security settings / Login approvals.
Google: Accounts / Security / 2-step verification.
MS Hotmail/Live: Micosoft Account / Security info / Two-step verification.
WordPress: Settings / Security / Two Step Authentication.
Twitter: Not supported yet. 😦
UPDATE: Twitter got their act together just hours after posting this article. Now they also provide two-factor authentication. Great! 🙂
UPDATE2: Seems like Twitter was in a rush to get two-factor authentication out. The implementation is still far from perfect. But it’s a step in the right direction. I’m sure they will get things right, let’s hope it doesn’t take too long.
After F-Secure principal security consultant Tom Van de Wiele stepped into the #CyberSauna for the second episode of…
January 19, 2018