Intro to Multi-factor Authentication
- A recent study showed that trying just the 10,000 most common passwords would have cracked more than 98% of 6 million user accounts. Problems like these add up to a serious security hazard.
Passwords aren’t enough
We’ve been urging our clients to move to complex passwords (or better, passphrases) for the past year. Still skeptical about the need to improve log-in security? Perhaps the following articles will help:
- 2011: The Password is Dead. Time for Better Online Security [Forbes]
- 2012: The Password Fallacy: Why Our Security System Is Broken, and How to Fix It [TheAtlantic]
- 2013: P@$$1234: the end of strong password-only security [Deloitte]
- 2013: PayPal security boss: OBLITERATE passwords from THE PLANET [TheRegister]
There are many similar news pieces that argue for greater security, but hopefully we’ve made our point.
Something you know, and something you have
Multi-factor authentication (MFA) is exactly what it claims to be. Instead of relying on a password alone, you prove your identity through more than one kind of evidence. Some common forms:
- Knowledge: a password, PIN or pattern that only you know
- Tokens: smartcards, RSA key fobs, magnetic stripe cards, NFC tags, or even phone apps
- Biometrics: fingerprints, eye scans, or vein scans
By combining factors from different categories, we make it much harder for an unauthorized user to gain access: stealing or guessing the password is no longer enough on its own.
Check your account settings
The good news is that your vendors might already offer multi-factor authentication!
Google: Check 2-step verification in Account Settings. Google will either text or robocall the phone number you register with a six-digit code every time you try to log into your Google Account from an “untrusted” device, or you can download the Google Authenticator app for iOS and Android to generate one-time codes.
Facebook: Log in and click on the blue gear icon in the top-right corner, then click on your Account Settings menu. In the Security section of the navigation bar on the left-hand side of the screen, switch on the Login Approvals feature by clicking the appropriate checkbox. Facebook will walk you through the process from here, explaining how to receive and type in a unique alphanumeric code every time you want to access your account. As with Google, you can choose an app that generates codes or a text message to your phone.
Microsoft: Switch on two-factor authentication in the security section of your Microsoft Account summary page. You can have security codes sent to an alternate email address or texted to your phone, or use an app.
Dropbox: Go to the new Security tab in your Dropbox account settings and enable two-step verification in the “Account sign in” section. From there, just follow the steps to set up two-step verification. On your desktop or mobile devices, you’ll only need the code the first time you sign in to Dropbox. On the web, you can also select the option to “Trust this computer” and you won’t need to re-enter a code again.
Twitter: Unfortunately, Twitter doesn’t offer an app option, so you’ll need a cell phone that can receive text messages. Visit your account settings page and select “Require a verification code when I sign in”. Click on the link to “add a phone” and follow the prompts. After you enroll in login verification, you’ll be asked to enter a six-digit code that Twitter sends to your phone via SMS each time you sign in.
We’ve been providing our clients with smartcards and key fobs for some time; if you have questions, give us a call!