An Important Way to Step Up Your Online Security Game



In one of my previous posts I discussed cloud services and some steps you can take to help remain secure while online. The goal of today's discussion is to select and emphasize one particular step: two-factor authentication.

Whoa, "two-factor authentication" sounds like too much for you to handle? Don't run away just yet. Two-factor authentication, hereafter referred to in this post as "2FA", is a simple concept. First observe the list of "authentication factors" below.
  • Something you know
  • Something you have
  • Something you are
We are used to authenticating ourselves with one thing - a password. Passwords are (usually) memorized and therefore are considered something we know. The downside to this approach of using a single factor is that anyone who can guess what you know can pretend to be you.

What if instead of just a password, you had to prove that you are in possession of something or that you are physically who you say you are? Many online services offer 2FA in the form of registering something you have in your possession. 


The most common second factor used is a phone number. The online service you attempt to log into will send you unique, one-time codes to your phone number by either text message or phone call and will require that you enter the code you received each time you log in. The main drawback of using a phone number as a second factor is that incoming texts and phone calls to your mobile are susceptible to be intercepted or redirected by a malicious actor.


The other common second factor used is a security token. A security token can be an app installed on your phone or computer, or it can be a USB device similar to a flash drive attached to your computer. 

One method that is becoming more common is known as push authentication. Google is an example of a company that has implemented push authentication if you have a smartphone or tablet. Duo and LastPass have also implemented push authentication in their authenticator apps. The main benefit of push authentication is that it is quick and user-friendly. When you sign into your account, instead of having to enter a code, you will simply be required to approve the login via a push notification on your smartphone where the authenticator is installed.

The image below is what I'm presented with whenever I attempt to sign into my Google account on a new device.



If I tap "yes", my sign-in completes and I'm good to go. If someone were to steal my password and attempt to log into my account, they would also have to steal my phone and bypass my phone's lock code to successfully log in. The possibility of that happening is very slim. Besides if my phone were stolen, the first few things I would do are trigger a remote data wipe, change my account passwords, and invalidate any existing login sessions to my Google account.

The big social media sites support adding 2FA to your account, and I highly recommend it. You should also enable it on any email services you use and banking or financial services. What a thief usually wants to do with your information is get to your money, your identity, or get to other people through you. Enabling 2FA on your accounts will add a significant amount of difficulty for anyone looking to compromise your online presence.

If you have questions about anything discussed above or how to enable 2FA on a specific service, feel free to contact me.


Comments

Post a Comment

Popular posts from this blog

Cloud Services - Friend or Foe?

Image
The question has arisen many times in my profession, and my friends and family have even asked me:  "Is it safe to store this information in the cloud?"  To answer this question, we need to understand what the cloud is. Then we need to determine what kind of information you intend to store, and how important it is that the information remain private. The "cloud" - what does this nebulous term mean? Understanding the cloud Let's make sure we understand what the cloud is not . You're reading this article on a device such as a smartphone, personal computer, or tablet. Your device is not part of the cloud, but it is a client of a server that is part of the cloud. A word on client vs server Suppose you go to your neighbor's house and knock on the door, but no one answers. Your neighbor wasn't expecting anyone, and they don't let strangers in. On the other hand if you visit a restaurant, usually a host or hostess will greet you and
Read more

How someone tried to phish me

Image
A couple of weeks ago I received an email that looked like this. This email went straight to my spam folder which I check occasionally to make sure I don't miss anything important. This particular email appeared to have come from one of my relatives. Let's see what's inside the email. I have obfuscated the actual email address because it is the first and last name of a relative. So the email came from someone[at]kkfi[.]org. I don't recognize that domain, but a quick lookup tells me it belongs to a radio station. Checking the hyperlink in the email body, I found that only one Antivirus vendor has the link categorized as phishing. But one bad verdict was enough for me to not visit the link. You can see the verdict  here . So why did someone at a radio station try to phish me? Well, actually it's likely that it wasn't an individual at the radio station but someone else who abused their domain and/or mail server. Let's dig so
Read more

Google's "Smart Lock" and Android Autofill

Image
Have you ever heard of Google's " Smart Lock "? When I first discovered Smart Lock, it was just a feature of Android that allowed your device to remain unlocked as long as certain conditions were met - such as being at a specific location (say, at home), the front camera recognizing your face (you mean "Face ID" has been around for a long time? yes, and it never worked well and still doesn't work well, even on iPhone), your phone being on your body, or connected to a trusted device. Recently Google has added another piece of functionality to Smart Lock called Smart Lock for Passwords. I first noticed this inside the Netflix application probably one or two years ago when I was offered to automatically sign in because my login info at the time was saved in my Google Chrome password manager, but no other apps that I used regularly seemed to have this new functionality. Looking at the developer page for this feature, it makes sense as to why since it ap
Read more