You’re rightly concerned about the security of your online accounts. A compromised account could put your entire business at risk. So you’re careful to use unique, complex passwords. But are strong passwords enough? Not if those passwords are stolen by hackers.
In 2012, hackers attacked the popular business social networking site LinkedIn. During the breach, they managed to acquire the account information of 165 million users. In 2013, Adobe lost 153 million user accounts. In 2014, Yahoo lost 500 million accounts.
In all of those incidents, hackers acquired not just user names but also passwords. In most of those cases the passwords were already encrypted, so the hackers shouldn’t have been able to use them. But often, the method of encryption was so weak as to be almost useless, meaning the people whose accounts were hacked were now vulnerable. Hackers could log into those systems, impersonate their victims, change their contact information, and do untold damage. They could also use that account information to try to breach other systems.
Fortunately, most online services have since implemented stronger security protocols. They’re better at keeping hackers out, and better at encrypting their users’ passwords so that if they are stolen, they can’t be used.
But no system is perfect. An extra layer of security — beyond passwords — would help.
2FA – A Security Step Beyond Passwords
This is where two-factor authentication — or 2FA — comes in. The first factor of authentication is your password. The second factor is a one-time code. You may receive that code via a text message on your phone; via email; through an app like Google Authenticator, Authy, or KeePassXC; or from a hardware device like a YubiKey.
If hackers manage to learn your password for a certain account, they still won’t be able to log in without that second factor.
Drawbacks To Two-Factor Authentication
Most 2FA systems are easy to use. If you’re using a YubiKey, for example, when prompted, just insert the key in a USB slot and touch it. Or, if you’re using it with your phone, just hold it near the phone so the phone can sense it.
This article originally appeared on businesstechnotes.com.
If you receive a text or email with the code, you have to open that message, take note of the code, and then manually enter it back in the system you’re trying to log into. And you have to do this fairly quickly. One-time passcodes are time-based; the code is valid for a limited time, sometimes only 30 seconds.
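To show what “time-based” means for the app-generated codes mentioned above, here is an added example (not code from this article or from any of the apps it names) of the TOTP scheme those apps follow, RFC 6238 built on the HOTP algorithm of RFC 4226. It assumes the common defaults (HMAC-SHA1, six digits, a 30-second step) and uses the RFC’s published test secret, `12345678901234567890`, as constructed input. The verifier also shows two things a service must get right on its side: accepting one step of clock drift, and refusing a code that was already used during its window.

```python
import hashlib
import hmac
import struct
import time

# Constructed input: the ASCII test secret published in RFC 4226 / RFC 6238.
# Real secrets are random bytes shared once (e.g. via a QR code) and never reused.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of `step`-second intervals since the epoch.
    Every code generated during the same 30-second window is identical, which is why
    a code stops working as soon as the clock rolls into the next window."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_accepted_step: int = -1, step: int = 30,
                digits: int = 6, window: int = 1):
    """Server-side check. Returns the time step that matched, or None.

    - `window` allows +/- that many steps of clock drift between phone and server.
    - Steps at or before `last_accepted_step` are refused, so a code that was
      intercepted and replayed inside its own 30-second window is rejected.
    - hmac.compare_digest avoids leaking which digits matched via timing.
    """
    current = at_time // step
    for delta in range(-window, window + 1):
        candidate_step = current + delta
        if candidate_step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), submitted):
            return candidate_step
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("current code:", code, "valid for", 30 - now % 30, "more seconds")
    # First use succeeds and returns the step; the caller stores it...
    step_used = verify_totp(TEST_SECRET, code, now)
    print("first use accepted at step", step_used)
    # ...so a replay of the same code in the same window is refused.
    print("replay accepted?", verify_totp(TEST_SECRET, code, now, last_accepted_step=step_used) is not None)
```

The RFC 6238 test vectors make the behaviour concrete: at Unix time 59 the six-digit code for the test secret is `287082`, it is still accepted 30 seconds later because of the one-step drift window, and it is rejected 60 seconds later. Storing the last accepted step per user is what turns a “valid for 30 seconds” code into a genuinely one-time code.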
If you find having to enter a password every time you log into an account to be a hassle, you’re not going to enjoy having to enter a second code as well.
What happens if you lose your phone, your hardware key, or whatever other device you’re using to generate the second factor? Most systems offer an emergency workaround. This may be a one-time recovery code that will allow you to access your account and reset your 2FA credentials. It could also include a second 2FA system. Of course, you then need to keep that recovery code secure, or keep the second 2FA system handy.
A more serious scenario is that someone finds or steals your 2FA device. In the case of a phone, they may not need physical access to your phone. They may be able to perform a SIM swap remotely by convincing your carrier that they’re you.
Some people keep a list of their passwords on their phone, either in a simple text note or in a password manager. If that phone is also used to receive the 2FA code, an attacker who takes control of the phone will have everything they need to log into your accounts.
Another drawback to some 2FA systems, particularly Google Authenticator, is that your identity and online activity are more easily tracked. If you’re concerned about privacy, you’ll want to use a 2FA system that isn’t tied to Big Tech.
As effective as two-factor authentication is, it won’t protect you if you’re tricked into logging into a fake website or application. That’s called a phishing attack. We’ll talk about ways of avoiding that and other malware tactics in a future post.