It seems like almost weekly we hear new reports about some cloud-based service being compromised by hackers. Credit card numbers are stolen and compromised on an almost daily basis. Phishing email scams trick people into compromising their own passwords and accounts. All the while the same solutions are trotted out. Make sure you’re visiting sites that protect your information with SSL (like Small Dog does). Make sure you’re using complex and unique passwords (i.e. don’t use the same password for every single site and service). Verify that an email is valid before clicking on any links.

Despite all these solutions, people still use bad passwords and accounts are still compromised. Fortunately, there is a solution: two-factor authentication. Never heard of two-factor authentication before? I can almost guarantee you already use it without even knowing. Say you need some cash. You go to your bank’s ATM, swipe your debit card in the slot and enter your PIN. Boom. That’s two-factor authentication. Basically, two-factor authentication is any authentication scheme that uses two distinct elements to authenticate you: something you know (like a PIN or password) and something you have (like a debit card or a token). If one of those things is compromised, your account is still safe. I can’t simply steal your debit card and go on a trip to Vegas. I also can’t trick you into giving me your PIN and go on a trip to Vegas. I have to have both.

Debit cards have pretty much used two-factor authentication from day one, so how come we don’t see this much more secure authentication scheme in use elsewhere? To be honest, I’m not sure. Probably one of the biggest things holding widespread implementation back was the physical token aspect. A debit card is the physical token in that authentication system. If you wanted to use two-factor authentication to log into your Apple account, or your Gmail, what are they going to use for a physical token there? A company called EMC supplies a very popular RSA two-factor authentication system to large companies and organizations that can afford it. Their token is a small key fob that has a little LCD display with a number on it that changes periodically. Apple and Google aren’t going to buy and send out millions of those little things though.

If you’re using Apple’s cloud services or Google though, chances are very high that you have a smartphone or a tablet. There you go. That’s your physical token. All you need is an app that can generate time-based numeric strings, or a phone that can receive text messages with those numeric strings. In Gmail, enabling two-factor authentication is easy. Just log in, click on your username in the upper right, and select “My Account”. Under “Sign-in & Security” look for “Password & sign-in method”. This will walk you through setting up two-factor authentication. Once it’s set up, when you log into Google you’ll have to provide your normal password, but then you’ll be prompted to enter the token string. Depending on how you set up two-factor authentication, this will come from either an app (I use OTP Auth) on your phone, or via text message. Enter that token and you’ll be logged in. Now even if someone manages to steal your password, they still won’t be able to log into your Google account. Apple’s cloud-based services have a similar two-factor authentication system that can be enabled by visiting appleid.apple.com.
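To show what those “time-based numeric strings” actually are, here is an added example (not code from this post, OTP Auth, Google or Apple) of the standard TOTP construction the authenticator apps use: an HMAC over a 30-second counter, keyed with a secret the service shared with your phone when you scanned the setup QR code. The secret below is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# The well-known RFC 4226/6238 test secret ("12345678901234567890" in base32).
# A real service generates a random secret per account and shows it once as a QR code.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the TOTP code for a base32 secret at Unix time `at` (default: now)."""
    # Base32 secrets from QR codes often omit padding; restore it before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = int(time.time()) if at is None else at
    counter = now // step                      # same value on phone and server
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, at=None, step=30, window=1):
    """Server-side check: accept the current step and `window` steps either side.

    The tolerance covers clock skew between phone and server; the comparison is
    constant-time so the check itself leaks nothing about the expected code.
    """
    now = int(time.time()) if at is None else at
    for i in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + i * step, step), code):
            return True
    return False


if __name__ == "__main__":
    # Codes change every 30 seconds; a stolen password alone does not produce them.
    print("current code:", totp(TEST_SECRET))
    print("valid now?   ", verify(TEST_SECRET, totp(TEST_SECRET)))
```

The `verify` function is what a service runs at login; a code is only good for roughly a minute and a half, which is why a phished password by itself gets an attacker nowhere.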

The only thing you need to be aware of is that two-factor authentication is serious business, and you need to make sure you have a valid recovery email/phone number and/or emergency recovery tokens. Google, for example, lets you print out 10 recovery tokens that can be used if you lose your phone and need to get into your account. It’s a good idea to print these out and keep them in a safe box or other secure place.

Happy authenticating!