Lately, there is lots of news about various bank accounts being compromised – including the network of the International Monetary Fund, the biggest piggybank of them all. Coincidentally, there was the news that both Facebook and Google’s Gmail have beefed up their security with two-factor authentication. They both now have optional mechanisms for making sure that your login process is more secure.
Two-factor authentication is called that for a reason: you need to do more than type in your username and password. You also need something that you have on your person, not just something you know that others could find out (like your mother’s maiden name or birth date). Both sites make use of texting a short string of numbers to your cell phone as part of the login process: once you set this up, as long as you have your phone nearby (and who doesn’t?), you can be sure that no one else can log in to your account.
Older forms of two-factor authentication used small key fobs that had a button: when you pressed the button you got a code number that you typed in while logging in. The number changed every 30 seconds or so, making it difficult to hack. Using a cell phone is much more convenient: the fobs were easily forgotten or lost.
Two-factor authentication has been around for a long time, and lately has gotten a black eye, thanks to the behavior of RSA, one of the leading companies in the market. Their SecurID system was compromised several months ago, and the company has been slow in getting the word out and replacing the fobs for its customers. As a result, several of its competitors have stepped forward and offered deals on replacements.
I’ve had a fob for my eBay/Paypal account for several years: I think it cost $10. (It now costs $30!!) You can still get them, although there are free alternatives available that can make use of your smartphone to get SMS texts and you can also sign up with Symantec’s Verisign Identity Protection program for their fob. Symantec doesn’t make it easy to find this online.
(Note: I did one of my sponsored screencast videos of the service for them last year.)
But even better is what Google and Facebook have put in place. If you have a Gmail account (but not a Google-hosted email account, sadly), you can get this set up in about 10 minutes: go to your account’s personal settings, where you should see a menu item for two-factor authentication, and follow the instructions shown in their blog.
The problem is that adding two-factor for your Gmail account will create problems for other applications that access your account. If you use your smartphone or Outlook to read your email, you will need to set up these apps to handle the two-factor authentication. If you read your email on a tablet, ditto. So this may not be as easy as you first think.
Facebook has taken lots of (deserved) knocks on its security, and it also has implemented two-factor authentication lately. Go to Account/Account settings/Account Security and enter the information requested under the Login Approvals section, at least until they rearrange their menus and put it somewhere else.
Two-factor isn’t a panacea, and it does add an extra step. And as the folks at Lockheed found out, it isn’t flawless. But it does offer much better protection than a straight username/password. If you use Google, Facebook, and Paypal, it is time to start using it.
There are two problems with two factor authentication.
First, if your operating system or web browser is compromised, two factors are moot. Ditto three or four factor ID schemes.
Second, if you are not connected to the website you think you are (think hosts file modified) then again, any number of “factors” offer no protection from this man-in-the-middle attack.
Michael, I agree, two factor authentication does have its problems. But if your browser is compromised you have more to worry about than two factor authentication.
What would you suggest in addition to better security for these websites?
When doing something sensitive online, such as online banking, the best defense is to reboot and run Linux off a CD or USB flash drive. This too is not perfect, but it is WAY better than running the normal OS installed on your computer.