If you’ve never been hacked, consider yourself lucky. A May
2014 Ponemon Institute study found that 47% of U.S. adults have had personal
data exposed over a 12-month period.
The report points to a number of
high-profile breaches that potentially provided cybercriminals with information
to steal login credentials and/or credit/debit card information, including up
to 110 million Target customers, 38 million active Adobe users’ usernames and
passwords, “a significant number” of the 120 million AOL accounts, and possibly
all of eBay’s 148 million users. Of course, power users have already protected
their accounts with long, random, nearly impossible to remember passwords.
(Right?)
But even ironclad passwords may not be enough as hackers
accumulate usernames and passwords stolen from online databases.
A recent
report by Hold Security found that a
Russian cybercrime gang was in possession
of a staggering 1.2 billion unique username/password combinations. It’s always
nice to be in complete control of your own security, so it’s upsetting, to say
the least, when data breaches and cybercriminal activity put you at the mercy
of hackers.
Thankfully, there are plenty of ways to further secure your
accounts via multi-factor authentication, which adds another layer (or two) to
the login process.
Multifactor authentication greatly reduces the likelihood
that a cybercriminal can break into an online account using a compromised
username and password. In addition to taking a look at some current and future
multi-factor authentication implementations, we’ll show you how to set up
additional account security with a few popular online services.
Multi-Factor Passwords
Most online services that offer multi-factor authentication
use an OTP (one-time password) in conjunction with the tried-and-true username
and password.
Arguably the most popular OTP delivery method is a simple
text message. “The high level of penetration of cellular phones makes it a
convenient way to do two-factor or multi-factor authentication,” says James
McCloskey, senior consulting analyst at Info-Tech Research Group. “People tend
to always have their phone with them, and just as they wouldn’t think of
leaving the house without their keys, they also won’t leave without their
smartphone.
That’s a strong authentication mechanism.” Once you receive
the PIN or code, you’ll just need to enter the OTP as prompted by the website.
The multifactor authentication prompt will typically occur after you’ve entered
your username and password. Using the SMS format is also an advantage because
you don’t have to own a smartphone to receive the code. “Mobile devices can
provide a huge boost to multi-factor authentication, since even feature phones
can be used to deliver multi-factor authentication codes,” says Michela
Menting, cybersecurity practice director at ABI Research.
Sending a code via text message might also be more
convenient than other OTP delivery methods, which can include email, a discrete
app on your smartphone or tablet, or a hardware token for your keychain.
You
might also be able to have an OTP issued via a phone call, which is obviously
ideal if you’re one of the seven people in the world whose mobile plan doesn’t
include text messaging. An email OTP can be helpful if you have easy access to
your email client, for example. If entering a code each and every time you log
in sounds exhausting, you’re not alone. “Two-factor authentication is still an
extra step people have to take, and many will simply find it a hassle and not
bother,” says Menting. Aware of this, many services that require logins are
simplifying the process, so you’ll only need to enter a PIN if the website
detects a login attempt from an unfamiliar device or location.
“To different degrees, banks and social networks are making
use of context-aware, adaptive techniques and phone-as-a-token solutions,” says
Ant Allan, research vice president at Gartner. “For example, if you try to
access Facebook from an unknown endpoint, it can prompt multi-factor
authentication.”
Another alternative is the TOTP (time-based OTP) that you can
access via an app on your smartphone or tablet. OTP apps typically require you
to configure the device with your account credentials. Once complete, the
software token app generates the PIN from an algorithm, the time on your
mobile device, and a “seed record.” The latter is a secret key that’s also stored on
the online service’s server, so the server can compute the same code. A TOTP app
generates a new code periodically, so even if a hacker intercepted the code, it’ll
only be good for a short period of time.
Google Authenticator is a popular TOTP app that you can use with
Google’s various offerings, as well as some other prominent online services,
such as Amazon Web Services, Dropbox, and LastPass. The app creates a new PIN
every 30 seconds and is available for Android, BlackBerry, and iOS devices. The
big benefit of the time-based OTP app, compared to an SMS message, is that it
works even if your smartphone doesn’t have a data or cellular connection.
Regardless of delivery method, OTPs will continue to be a popular option for
two-step verification, according to experts. “With online services, a username
and password with a code that’s delivered to your smartphone is rapidly
becoming the standard combination,” says McCloskey.
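To make the TOTP mechanism described above concrete, here is an added example (not code from the article or from any authenticator app vendor) of how the phone and the server arrive at the same six-digit code without talking to each other: both hold the same seed, both divide the current Unix time into 30-second steps, and both run HMAC-SHA1 over that step counter as specified in RFC 6238. The seed is the reference secret published in RFC 4226 and RFC 6238, labelled as a demo value; the verifier's one-step skew window is an assumption about how a service might tolerate clock drift, and it is also what bounds how long an intercepted code stays usable.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 reference secret
# "12345678901234567890", base32-encoded the way authenticator apps expect
# it in a QR code or typed-in key. A real seed is generated per account by
# the service and shared with the phone once, at enrollment.
DEMO_SEED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds each code stays valid (Google Authenticator default)
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(seed_base32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of whole time steps
    since the Unix epoch, so phone and server compute the same code offline."""
    seed = base64.b32decode(seed_base32, casefold=True)
    return hotp(seed, unix_time // step)


def verify_totp(seed_base32: str, submitted: str, unix_time: int,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Server-side check (assumed policy). `window` accepts codes from one
    step before or after the current one to absorb clock skew; anything
    older is rejected, which is why a captured code is only briefly useful."""
    seed = base64.b32decode(seed_base32, casefold=True)
    counter = unix_time // step
    accepted = False
    for delta in range(-window, window + 1):
        # compare_digest keeps the comparison constant-time, so an attacker
        # cannot learn which leading digits were right from response timing.
        if hmac.compare_digest(hotp(seed, counter + delta), submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(DEMO_SEED_BASE32, now),
          "- valid for about", TIME_STEP - now % TIME_STEP, "more seconds")
```

Because the seed never leaves the phone and the server after enrollment, no network connection is needed to produce a code, which is the property the article credits to Google Authenticator over SMS delivery.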
We found that some banks
might offer to provide you with a hardware token, but there are some challenges
involved with using hardware tokens with online services. McCloskey says,
“Practically speaking, the hardware tokens aren’t something that will take off,
because you’d have a token for every online service that you’re working with.”
As such, most online services will continue to send pass codes via SMS or work
with a soft token app in the near future.
Biometrics
With fingerprint readers and high resolution cameras now
available on smartphones and tablets, you would think that biometrics would be
an up-and-coming method for multi-factor authentication. Unfortunately, there
are some major obstacles to overcome when it comes to biometrics as an extra
layer of authentication. “It really becomes a privacy issue,” says McCloskey.
For example, a password can always be changed, but if a cybercriminal were to
steal your thumbprint or voice identification, he could use the compromised
biometric data to impersonate you forever. “In what format would Apple or
Google share the biometric information?
How would you do the registration of that
biometric with a third-party?” McCloskey asks. Until the privacy challenges are
resolved, it would be difficult for online services to accept a fingerprint.
When it comes to securing physical access to a location,
biometrics have been a proven option for businesses with sensitive data, such
as data centers utilizing fingerprint readers or retinal scanners. But in these
situations, the person providing the biometrics has also had their identity
verified in a traditional way. They might be an employee, or the organization
might have already verified their identity with a social security number, for
example. With something like a Google account, registration doesn’t typically
require any proof of identity when you set up the account. McCloskey says,
“It’s almost backwards to expect a stronger identification mechanism that would
uniquely identify you.
That’s why a smartphone is a better ‘thing to bring’ than a
fingerprint or face, which is a private piece of information, to enroll with an
online service.” Still, it’s not impossible to imagine biometrics catching on
outside of casino vaults and secret government bunkers. Mobile devices have
only recently started including biometric sensors, so there hasn’t been much
time for third parties to develop policies to manage a fingerprint or iris
template, nor how the biometric data will be securely transmitted to the
Caption: On Facebook, you can move to two-factor authentication by making changes to the
Login Approvals and Code Generator settings.
Time will tell if online services will incorporate
biometrics into their authentication methods. You might see biometrics used as
authentication for other tasks. “Biometrics will play an important role in
digital identification cards most likely, notably government and healthcare identity
cards,” says Menting. Besides fingerprint and iris or face recognition, online
services might one day be able to use behavioral authentication as a second
factor. Some examples of behavioral traits that can be used include the way you
speak a phrase or the speed at which you type on a keyboard. “Multimodal face
plus keyboard/gesture dynamics could provide continuous passive authentication,
providing at least a medium level of trust with a great user experience,” Allan
says.
Multi-Factor Authentication Setup
Although a variety of online services now offer multi-factor
authentication, it’s almost always optional. And you must register and
configure multi-factor authentication before securing your accounts. We’ll
detail the processes you’ll need to go through to set up multi-factor authentication
with a few of today’s popular online services.
Microsoft.
If you’re looking to
boost the security of your Outlook.com, OneDrive, and Xbox Live accounts, it’s
relatively easy to add two-step verification to your Microsoft account. Even
better, you can configure the multi-factor authentication so that it only
occurs if you sign in from a device that isn’t trusted. You make a device
trusted by clicking the “I Sign In Frequently On This Device. Don’t Ask Me For
a Code” checkbox after you’ve successfully entered the two-factor security
code. To initially set up two-factor authentication, sign in to your Microsoft
account at https://account.live.com. Next, click Change Password & More
under Security & Privacy. At this point, Microsoft will likely prompt you
for a security code, just like you’d see with two-factor authentication, but
this prompt occurs because you might be changing sensitive information. You can
receive the code via text or an alternate email. Under Two-step Verification,
click Set Up Two-Step Verification.
The next screen will inform you of how the two-step
verification will work. Click Next, and you’ll see a recovery code that you can
use to restore access to your account if you lose your mobile phone or a hacker
breaks into your account.
Once you’ve securely stored the code, click Next.
Microsoft then indicates that you’ll need to take a few steps to make certain
that all of your apps and devices will still work with your Microsoft account,
because some apps and devices (including Xbox 360) require special setup. For
example, on our mobile device, we had to go into the settings and replace the
password with a long letter-and-number code. The alternative setup is necessary
because those apps and devices won’t prompt for the second factor of
authentication, as you’ll see on Outlook.com or OneDrive.
Next, Microsoft
will remind you about some other apps and devices that might require special
setup, including the Outlook desktop app, Microsoft Office, and Windows
Essentials apps. A link is provided, so you can configure each individual app
you might be using. You can complete these steps at a later time if desired.
Finally, you can opt to receive the code via text message, email, or app. As of
press time, Microsoft used Google’s Authenticator app for a TOTP.
The SMS and
email options are easy to configure, especially if you’ve provided Microsoft
with your phone number or alternative email in the past. And you can quickly
enter the data, even if you haven’t provided it. With the app, you’ll need to
download Google’s Authenticator and configure your smartphone or tablet for use
as a soft token.
This process consists of entering a key or scanning a QR code, which will generate
a passcode on your mobile device. Then, you’ll enter the passcode on the
Microsoft account setup page. Google Authenticator and your smartphone/tablet
can now be used as a second form of authentication. Microsoft makes the setup
fairly painless, though you might have to jump through a few additional hoops
to set up certain apps or your Xbox 360.
Caption: Twitter lets you receive an OTP via SMS or verification requests through the Twitter app.
Typically, you’ll need to log in to
your Microsoft account, visit the Security Info Page, and write down an app password.
That password will replace the password you typically use to sign in to your
Microsoft account on the app or your Xbox. Microsoft does offer a Remember Me
checkbox with the apps, so you won’t need to enter the custom code each time
you open the app. On a PC, you can reduce time spent logging in by trusting
your devices that regularly access your Microsoft account.
Google.
Google is
well-known for making the vast majority of its services available online,
including Gmail, Google Drive, and Google Calendar. Naturally, you can improve
the security of these services by using two-step verification. The easiest way
to set up multi-factor authentication is to go to https://www.google.com/landing/2step/,
click Get Started, and log in to your Google account. Next,
click Start Setup, and Google will ask you to provide a phone number to send a
numeric code or a voice call that verbalizes the PIN.
Once you choose a method,
click the Send Code button. On the next screen, enter the code and click Verify.
Next, Google will ask if you want to set up the PC as a Trusted Computer. This
way, you can access Google accounts without entering a verification code every
time you log in to that system.
Finally, Google informs you that you’ll be
asked for a code whenever you sign in from an untrusted computer or device.
Click Confirm, and the two-factor authentication is ready to go. Similar to the
Microsoft setup, there are some apps that you’ll probably need to validate to
use with the two-step authentication.
After you click Confirm, a pop-up window
will appear that provides directions to reconfigure app access. Just select the
app of choice, such as Mail, and your device, such as iPhone, from the dropdown
menus, and Google will provide you with a replacement password that you can enter.
Google can provide codes with apps for its services on iPhone, iPad, Mac,
BlackBerry, Windows Phone, and Windows PCs. When you first log in using
two-factor authentication on a PC, you’ll see an option to remember that
particular computer. This way, you won’t
have to deal with re-entering a new verification code, but you’ll still be
protected against hackers trying to access your account from another
PC. Google’s default options for two-step authentication are
SMS or voice call. To use Google Authenticator instead, open your Google
account settings and select the Security tab. Then, click the Settings option
next to 2-Step Verification. Click the Switch To App button. You’ll receive a
prompt to use your phone’s camera to scan the onscreen QR code, which will
produce the 6-digit verification code in Google Authenticator.
Enter the code
on the Google account web page to enroll your mobile device with the Google
Authenticator app. Google also lets you configure your account with a backup
phone number or backup codes for the times when you don’t have your primary
phone in hand. With the backup codes, Google will provide you with 10 8-digit
codes that you can use to log in. Each code can only be used one time, but you
can generate new codes if you’re close to running out. We like that Google
offers a variety of alternatives for the code delivered via text message or a
phone call.
The backup options are particularly appealing for people who
depend heavily on access to Google’s online services, because you’ll always
have a way to enter the two-factor authentication from PCs away from home.
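The backup codes described above are worth a closer look from the service's side, because how they are stored decides whether a database leak turns them into a spare key for the attacker. The following is an added example in Python (not Google's implementation, whose internals the article does not describe) of the properties a practitioner would expect: ten random 8-digit codes, only a salted hash of each kept on the server, each code accepted exactly once, reissuing invalidates any unused older set, and a "running low" check to prompt the user to generate more. The per-account salt and PBKDF2 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10    # matches the ten codes the article says Google issues
CODE_DIGITS = 8    # matches the 8-digit format it describes


class BackupCodes:
    """Server-side store for single-use backup codes (hypothetical design).

    Codes are shown to the user once; the server keeps only salted PBKDF2
    hashes, so a leaked table cannot be replayed as a second factor.
    """

    def __init__(self, account_salt: bytes, iterations: int = 100_000):
        self._salt = account_salt          # assumed: one random salt per account
        self._iterations = iterations
        self._hashes: set[bytes] = set()

    def _hash(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt,
                                   self._iterations)

    def issue(self) -> list[str]:
        """Generate a fresh set. Any unused codes from an earlier set are
        invalidated, so a previously printed sheet cannot be used later."""
        self._hashes = set()
        codes = []
        for _ in range(CODE_COUNT):
            # secrets, not random: codes must be unpredictable
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            codes.append(code)
            self._hashes.add(self._hash(code))
        return codes   # shown to the user once, never stored in clear

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once. Hash the submission, then compare
        against every stored hash in constant time and delete on match."""
        candidate = self._hash(submitted.replace(" ", "").replace("-", ""))
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)

    def running_low(self, threshold: int = 3) -> bool:
        """True when the user should be nudged to generate a new set."""
        return self.remaining() <= threshold


if __name__ == "__main__":
    store = BackupCodes(secrets.token_bytes(16))
    sheet = store.issue()
    print("print and keep these codes safe:", " ".join(sheet))
    print("first use accepted:", store.redeem(sheet[0]))
    print("second use accepted:", store.redeem(sheet[0]))
    print("codes left:", store.remaining())
```

The single-use rule is what distinguishes a backup code from a password: a phished or shoulder-surfed code that has already been redeemed is worthless, and an unredeemed one stops working the moment the owner generates a new sheet.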
Facebook.
At the very least, it’s embarrassing when your social media accounts
are hacked. All of your friends, acquaintances, and relatives will be exposed
to clickbait that could lead them to malware. A hacker may also flood your feed
with offensive content.
Thankfully,
Facebook can work with a wide variety of
OTP authentication methods, including text message, voice call, and a Code
Generator within the Facebook app. If you want to use the SMS or voice call
options, you’ll need to add your phone number to your Facebook profile.
If you’re concerned
about letting “friends” see your phone number, you can make the number visible
to only yourself. To set up phone-based two-factor authentication, visit your Facebook
home page, click the Lock icon, and select Settings. Click Security and choose
Login Approvals. Click the Require A Security Code To Access My Account From
Unknown Browsers checkbox. After you click Get Started, Facebook will notify
you that two-factor PINs can’t be delivered to landlines or Google Voice
numbers.
In the Set Up Security Code Delivery window, add your phone number and
click Continue. Facebook will send you a text message with a confirmation code,
which you’ll need to enter in the following pop-up window.
By default, Facebook
will require the secondary authentication if you log in from an unknown
browser, but if you prefer to always enter the PIN, you can select the No
Thanks, Require A Code Right Away checkbox. To hide your phone number from your
friends, you’ll need to go to your personal timeline, click About, select
Contact Information And Basic Info, click the Edit box, and select the Lock
icon to bring up a drop-down menu where you can select Only Me. If you’d prefer
to use a code produced from the Facebook app, return to the Security section of
your profile and click Code Generator. Select Enable and follow the
instructions to activate Code Generator on your phone. Both the Login Approvals
and Code Generator options can be active at the same time, so you can use
either OTP as a second form of verification. In our testing, Facebook asked for
the Code Generator PIN first but allowed you to select the text message
delivery as an option. Facebook also lets you print security codes, which you
can use to log in if you don’t have your smartphone.
Twitter.
Twitter hackers
are some of the worst, filling up people’s timelines with obscene messages. If
you want to add a second layer of authentication to your Twitter account,
you’ll need to take the following steps: Sign in to Twitter and bring up your
account settings. Click Security And Privacy.
You can choose between Send Login Verification Requests To
My Phone or Send Login Verification Requests To The Twitter App. The latter
method works with the Twitter app for iOS or Android. To add your phone number,
click the Add A Phone link and follow the prompt to verify your number. The
simple process consists of Twitter sending a test text to your phone; enter the
code to enroll the phone. When you set up login verification via an iOS or
Android device, you’ll also need to have a phone associated with your Twitter
account, and you can follow the steps listed above to enroll your smartphone.
Then, go to the Me tab in the Twitter app, click the Gear icon, and select
Settings.
Choose your account name and turn on app authentication by checking
the box next to Login Verifications. Twitter will also provide a backup code,
which you can use if your phone lacks access to the Internet. When prompted,
you can approve login requests just by opening the Twitter app and selecting
the push notification. Twitter’s app verification method is one of the easier
forms of two-factor authentication we’ve seen, because you won’t need to enter
any codes. However, Twitter doesn’t currently offer a way to trust a device, so
you’ll always need to enter the code or verify via the Twitter app. Still, it
beats having your Twitter account hijacked.
Dropbox.
Setting up two-factor
authentication is an excellent idea if you store sensitive files in your
Dropbox folder. Begin by logging in to your account and clicking your name in
the upper-right corner of the screen.
Next, choose the Settings button, select the Security tab,
and click Enable under Two-step Verification, which opens a pop-up window where
you’ll enroll your mobile device. Dropbox starts by informing you of two-step
authentication benefits. To continue, click the Get Started button and enter
your account password.
Next, Dropbox will ask if you would like to receive the
security code via text message or the mobile app. If you select Use Text
Messages, you’ll just need to enter your mobile phone number, and Dropbox will
text you the code that you’ll enter into the pop-up window. We like that you
also have the option to configure a backup phone number, if you want an
alternative way to receive the OTP. Finally, Dropbox will provide you with an
emergency backup code to use if you lose your phone or it doesn’t have service.
Click Enable Two-Step Verification to finish the process. If
you select the mobile app option, click the These Apps link in the resulting
pop-up window to see which authenticator apps are compatible with your device.
As of press time, Dropbox worked with Google Authenticator (Android/iOS/BlackBerry),
Duo Mobile (Android/iOS), Amazon AWS MFA (Android), and Authenticator (Windows
Phone 7). Once you’ve downloaded the app, return to the Dropbox window and scan
the on-screen barcode to enroll your phone. Next, Dropbox will ask if you want
to enter an optional backup mobile phone number, so you can receive a code if
the app isn’t functional.
Once you log in using the two-step authentication,
Dropbox lets you set up the web browser and PC as a trusted source. Within your
account settings, you can see the entire list of approved PCs, too. The process
is simple and quick, too.
PayPal.
It makes a lot of sense to use two-factor
authentication for managing your online finances. Like the other services we’ve
covered, PayPal accounts can be protected by a code sent to your mobile phone.
However, PayPal also gives you the option to purchase your own hardware token.
Called PayPal Security Key, the token is the size of a
credit card and costs $29.95. PayPal won’t charge you to receive an OTP via
your mobile phone.
To set up SMS-based two-factor authentication, log in to
PayPal and click the Gear button. Select the Security tab and click the Edit
button next to Security Key. Click the Get Security Key link, which will bring
up a page where you can enroll your mobile phone. Enter your phone number, and
PayPal will send you a text message with a confirmation code. Click the Agree
And Register button, enter the six-digit code, and click Activate. The next
time you log in, PayPal will prompt you with an Enter Security Code window
where you’ll need to click a Send SMS button and enter the confirmation code.
PayPal doesn’t currently offer a way to trust a device, which means you’ll need
to enter the extra authentication code every time you log in.
Two Factors Everywhere
There are plenty of other websites that offer two-factor
authentication, including Apple, Evernote, Yahoo!, and LinkedIn. If you haven’t
already made the move, we recommend that you consider the additional security
of two-factor authentication for any online service that stores your personal
information. Most online services offer a way to save a device as a trusted
source, so the process isn’t too time-consuming after the initial setup. In the
digital security arms race, it’s nice to have any option that puts us in more
control of our account security.