Multi-factor authentication (also called two-factor authentication when exactly two factors are used) is a method offered by many sites and services so that a password alone is not enough to get into an account. For the remainder of this post, I’ll use MFA for short.
Most major web services now offer some form of MFA, and over the last several years integrating it into your daily life has become simple enough that it should be accessible to almost every user.
So much of our lives is online these days that most of us have a lot of personal, private information stored with our email provider, in our Dropbox folder, Google Drive, SkyDrive, and so on. Imagine someone had the password to your email account. What could they find out about you, and how many other accounts could they reset from that inbox? If that doesn’t give you some cause for concern, it should. Yet for many people those sites and services are protected only by a password – one of the weakest forms of security available to end users.
Even if you have good personal security habits, and use strong passwords that are regularly changed and never written down, a password alone can still be defeated with the right tools, a little time, and a lot of persistence: it can be phished, guessed offline from a leaked password database, or simply reused by an attacker who obtained it from another site that was breached. Unfortunately, the vast majority of users don’t have good personal security habits in the first place.
According to a study reported by Time Magazine in January 2014, the most popular passwords people chose to protect their information online included “123456”, “iloveyou”, and “qwerty”. Ahem.
Needless to say, those passwords aren’t indicative of good personal security habits. It’s roughly akin to leaving your wallet lying on the driver’s seat of your car in plain view, with the window rolled up and the door locked. Yes, you’ve put forth a minimal amount of effort to protect yourself, but it’s not going to discourage anyone who is even marginally determined.
Are you responsible for maintaining the security of a workplace network? If so, the risk is even greater for you. According to the 2013 Verizon Data Breach Investigations Report, 76% of network intrusions exploited weak or stolen login credentials. In many of those incidents the breached companies weren’t even really trying to make their networks difficult to exploit. The tools needed to guess passwords like “123456” aren’t sophisticated, and can be downloaded and run for free by anyone, of any age, with a working internet connection.
A good password should be your first line of defense in protecting your own or your organization’s data. Sometimes organizational password policies work against themselves by requiring things like uppercase letters, special characters, and so on. If you haven’t seen the classic xkcd comic about password strength, it’s worth taking a look.
The point of the xkcd comic is that what matters against a brute-force attack is entropy, the number of guesses an attacker must make, not how many character classes the password contains. In most cases a string of several randomly chosen words that the user can remember easily has more entropy than the typical “password gymnastics” required by organizations attempting to enforce strong password policies, and those policies often encourage users to write the password down and stick it to the front of the monitor. The words do have to be chosen at random, though: a phrase you made up yourself is far more predictable than one drawn from a word list.
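To make the entropy argument concrete, here is a small added example (my own illustration, not code from the comic or from this post) that draws a passphrase from a word list using the `secrets` module and estimates how long a brute-force attack at a given guess rate would take. The word list below is a constructed placeholder; the 2048-word size used in the calculation is the assumption the xkcd comic makes (11 bits per word), and the 1,000 guesses/second rate is likewise its example figure for an online attack.

```python
import math
import secrets

# Constructed sample word list. A real list (Diceware, EFF) has 2048-7776 entries;
# the entropy numbers below assume the size passed in, not the size of this sample.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orange", "granite", "window",
    "pillow", "canyon", "mirror", "thunder", "velvet", "copper", "saddle",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words chosen uniformly at random from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound for a password of `length` symbols drawn uniformly from `alphabet_size`.
    Human-chosen passwords are far below this bound; '123456' is guessed on attempt one."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker succeeds after searching half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    return expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(words, num_words: int = 4) -> str:
    """Pick words with secrets.choice (CSPRNG), never random.choice, so the
    entropy estimate above actually holds."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    rate = 1000  # guesses per second, the comic's online-attack figure
    for n in (3, 4, 5):
        bits = passphrase_entropy_bits(n, 2048)
        print(f"{n} words from 2048: {bits:.0f} bits, ~{expected_crack_years(bits, rate):.0f} years")
    bits = password_entropy_bits(6, 10)
    print(f"6 random digits: {bits:.1f} bits, ~{expected_crack_seconds(bits, rate) / 3600:.1f} hours")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Four words from a 2048-word list give 44 bits, which at 1,000 guesses per second takes on the order of centuries to search, whereas even a perfectly random six-digit PIN (about 20 bits) falls in hours. Note that the rate matters as much as the bits: an attacker with a leaked password hash database can try billions of guesses per second offline, which is exactly the scenario in which MFA keeps a cracked password from being sufficient.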
Fortunately, in addition to a good, difficult-to-guess password, multi-factor authentication adds another significant layer of protection by combining something the user knows (the password) with something the user has (a phone that receives a code via SMS, or that runs an MFA application like Google Authenticator). A code generated on the device by an authenticator app is the stronger of the two, since SMS codes can be intercepted or redirected by an attacker who takes over your phone number, but either is a large improvement over a password alone.
The way it works is pretty straightforward. You download an application on your phone and pair it with a site or service that supports MFA. Typically the site shows you a QR code; you scan it with your phone, and the pairing happens transparently to you (the QR code carries a shared secret that both the site and the app keep). Once activated, the next time you log in to that service you’ll first be asked for your password. After authenticating successfully, you’ll be asked for a security code. You open the authenticator app on your phone, read the current code, and enter it on the login page to complete the login. The code is not truly random: the app computes it from the shared secret and the current time, so it changes automatically, typically every 30 seconds, and the site can compute the same value to check it. The whole process adds 10-15 seconds to a login but substantially raises the security of your accounts, because a stolen or guessed password is no longer enough on its own.
A simple example can be seen below. In this example, I’m logging in to my RSS feed reading application using my Google account. Note that after entering the correct password, I’m challenged for a code that I can obtain by switching over to my authenticator application. I copy the code, switch back to the application I was logging in to, provide the code, and complete the login process. It’s a minor additional step for a major security advantage.
Most authenticator applications let you register more than one service, so you use the same code generator for all of your MFA-enabled sites. My personal preference, and recommendation, is Authy, a great MFA application available for both iOS and Android devices. Authy lets you register multiple MFA accounts and switch between them easily via a familiar interface.
If you’re interested in enabling MFA for the applications you use regularly, check the support site for the service in question. Chances are it offers some form of MFA. If not, don’t be afraid to request that it be added. In 2014, this really should be part of the basic offering of any serious provider.
Here are links to the MFA options offered by some of the services that I (and probably you) use regularly.
Twitter and Apple also offer their own implementations of MFA that work in slightly different ways. In the case of Twitter, the code is sent to your phone either via SMS (my preference) or through the Twitter application itself as an in-app message. For your Apple ID, a four-digit PIN is sent via SMS to a registered device and is required in addition to your Apple ID password. To enable two-factor authentication on your Apple ID, sign in at appleid.apple.com and visit “Two-Step Verification” under “Password and Security”.
In summary, if you haven’t already been exposed to the concept of multi-factor authentication, the good news is that it’s now very simple and convenient to use. Hopefully the information provided here will help you make yourself safer and more secure online. Good luck!