Two-Factor Authentication: What it is and Why You Should be Using it Now

Not too long ago, WordPress sites around the world started getting attacked with automated botnet traffic trying to brute force admin passwords.

The other day, the official
Twitter account of the Associated Press was hacked

Last year, Wired reporter Mat Honan was hacked when his Amazon account was compromised. That compromise allowed an attacker to access his Apple ID which gave him access to Mat’s Google account which, in turn, let the attacker into Twitter.

Email, in my opinion, is the gateway to identity theft. It’s bad if your Twitter or website are hacked. You get things like the AP hack. It’s bad, if an attacker gains access to your website and defaces it, or does something else. But as terrible as these things can be (and expensive), identity theft is something that is quite a bit more dangerous.

Here’s a scenario. Somehow, someway I gain access to your Gmail account. It could be that you have a pretty easy password, or you use the same password everywhere, or it can be from some other nefarious means. But I get access to your Gmail.

You might say, “well it’s only email and there’s nothing all that important there.”

But you’d be wrong. If I have access to your email, I have access to everything else. Can’t remember your Amazon password? That’s fine. I can perform a password reset, and gain access by clicking on a password reset link. Then delete it so you never even know it was there. Once into Amazon, using your saved billing information, I can run up your credit card info.

I might even be able to get into your bank, although that’s become significantly more challenging in recent years because of two-factor authentication (which I will get into momentarily).

I could potentially access credit records. Or, depending on the state or locality you are in, your driving and criminal records. And if there is something incriminating in your inbox, I might be able to blackmail you.

Granted, all of this stuff is extremely illegal, but I could still do it if I have access to your email account.

Side Point: Web services that use an email address as the login name are inadvertently dangerous. If I know your email address, I know your login. Then all I have to do is know your password. Whereas not having an email address as a login means I have to figure out BOTH your password AND your username.

Fortunately, Google has two-factor authentication. Amazon, Apple, Microsoft, and Facebook all have two-factor authentication as well. Banks, including Bank of America, all have two-factor authentication.

Two-factor authentication is your saving grace and you need to enable it on every account you have.

What is two-factor authentication?

The easiest way to explain what two-factor authentication is with the phrase, “Something you have, something you know”. You need BOTH things for authentication to happen.

You see this with some biometric systems. Enter a pin (something you know) and scan your thumbprint (something you have).

With banking sites, you enter a password (something you know) and you might identify a unique image (something you have).

You see this with SSH on Linux systems with ssh keys. You provide the server you are logging into with your public key (something you have) and in the “handshake” of authentication, it matches against your private key (something you know).

Google, Facebook and the other services providing two-factor authentication require you to enter your password (something you know) and then they’ll send a pin to your phone (something you have) that you have to also enter in.

It’s a pain in the ass, and certainly I hope technology reduces the friction that two-factor offers to the authentication process, but it’s incredibly important that you have two-factor authentication wherever you can.

Go re-read Mat’s nightmare and you will understand how vastly important that two-factor is. It’s a nightmare. It’s scary. It should be a come to Jesus moment for anyone that operates on the internet.

I will let you use the power of the internet to figure out how specifically to do this for various services, but this wouldn’t be my blog if I didn’t also suggest a plugin for WordPress (.org, not .com) to enable two-factor. I highly endorse the Duo Two-Factor Authentication plugin. I use it on several of my sites.

Hopefully, by enabling this stuff, we can not only stem off a vast amount of hacking attempts, but also become smarter about how we use the internet, protect our privacy and security and, even, in some cases… safety.

Be safe out there!

Bonus: More on 2FA from my friend Mika Epstein (@Ipstenu).

9 Replies to “Two-Factor Authentication: What it is and Why You Should be Using it Now”

  1. Nice summary, Aaron. The subject of “two factor” authentication has been in my wheelhouse for over a decade. The company (companies, actually) have been all about it.

    I still take issue that what the banks are employing is “Two Factor Authentication” – it isn’t – it’s just another set of “something you know” – i.e. some image, some phrase, and some more data (make of your first car, city/town you were born in, etc.) that can easily be harvested. No second factor there – just more data.

    True 2FA comes from what you say, correctly; “something I have”.

    The most common frustration/push-back from customers (potential and real) is that it works. Yes, that’s right. People are frustrated that it works. Why? Because, it IS inconvenient. You need to have your hands on that device in order to authenticate.

    I share your hope that the tech will bring along some silver bullet that will “make 2FA easier”, but honestly, I don’t think we want that. Making things easier usually means some sort of centralization which usually leads to a nice Honey Pot.

    I’m somewhat encouraged by the progress of “Secure Element”-based standards that could provide a convenient, secure, location for keys to secure our authentication protocols.

    We’ll get there.

    1. I still take issue that what the banks are employing is “Two Factor Authentication” – it isn’t – it’s just another set of “something you know” – i.e. some image, some phrase, and some more data (make of your first car, city/town you were born in, etc.) that can easily be harvested. No second factor there – just more data.

      Yeah, I thought about calling out banks on their implementation of 2FA.

      Also, the promise of NFC is a pretty big reduction of friction thanks to technology.

  2. Yep: everyone should be using the strongest security possible, and two factor auth is a great step in the right direction. A couple other things to think about:

    Don’t register your computer with your bank when you log in unless your computer is secure. Make them email you an access code each time you connect. Especially on laptops.

    If Google Authenticator is an app on your phone, and your phone also runs your email (probably), then you better lock your homescreen. Make your phone erase itself after 10 failed attempts to unlock it. Restoring your erased phone because your kid tried to unlock it is way better than losing your phone at a bar and having to reset all your passwords and such.

  3. It is my experience (as owner of a secure messaging website that offers 2FA) that 2FA will not be accepted and utilized by the masses. There are few users that understand it and fewer that are willing to accept the inconvenience to get the extra protection. Any implementation of 2FA that does not “remember” trusted locations is doomed. No one wants to be forced to retrieve their mobile device (assuming that is the “thing you have”) to get the single-use pin every time they log in. Besides that, if their mobile device is not charged, they cannot log in. If a site does “remember” trusted locations, they must be storing every IP address you access the site from. Some people may not like that tracking, but it is what provides “some” convenience in the 2FA model. Another problem with using IP address for “trusting” locations is that anyone who is truly mobile will connect from many different IP addresses. The building I work in has an Intranet with a big range of IP addresses and I get a different IP address every other time I log in. I am constantly being challenged to prove who I am when accessing sites where I have opted for 2FA. As you move around with your mobile device and connect to sites from various wireless sources, the same thing happens because you are constantly changing IP addresses. Eventually users say “enough is enough” and they shut off 2FA.

    Another issue I have with 2FA is that I normally need the “thing you have” to reset a password. That is usually controlled by answering challenge questions. There are stories in the news every day about how this account or that account was hacked. 2FA will challenge someone who attempts to log in from an “untrusted” location with the correct password, but it usually won’t stop someone with the correct answers to the account reset challenge questions. So, if I can determine the “secret” answer to one of your challenge questions and I am in control of the email account associated with that web account (e.g. your bank, Twitter, Facebook, etc.) I can make your life very difficult. That will probably not happen to most of us. Unethical hackers usually go after high-value targets.

  4. It’s unsettling how easy it is to socially engineer Amazon and Apple support staff with just a few phone calls. Yes the masses need to be educated on how to protect themselves, but in Mat Honan’s case (those who haven’t read the story on Wired should do so), Amazon and Apple were arguably the weak link in the whole security chain. Mat could’ve used the hardest password to remember and it would not have made any difference at all, because the hackers simply called up Amazon and Apple to extract highly personal information. This is scary!

  5. Very interesting post, two factor authentication is cumbersome but sometimes necessary. I really hope we will see more technologies to increase security without all the overhead. For example, something like a personal RFID device that can be read by computers and mobile devices to grant access in addition to a username and password (with two/three factor authentication in case of loss).

Comments are closed.