Two-Factor Authentication - the most important thing you can do to keep hackers out of your accounts

I’d like to start by apologizing for not doing this blog sooner as I think it’s one of the most important steps to lockdown your online life. That said, let’s get you protected.

Online accounts, whether it’s a social media account like Twitter, a cloud storage account like Box, or an online banking account, are huge targets for hackers. The reason is efficiency: it’s harder for hackers to find your devices in order to gain access to your accounts than it is to go to a webpage and find a login screen for your account.  

Once they get to the login screen, they begin password cracking: using software to throw a mathematical kitchen sink at your user name and password to see if the software can guess it. The shorter and simpler the password, the less time it takes to crack. And once it's cracked, they're in.

But if you enable two-factor authentication, it won't matter if they crack your password. Two-factor authentication is like requiring two keys on a submarine to launch the nuclear missile. You have to have both keys and turn them at (relatively) the same time. The first key is your password; the second key is an app (usually free) or a device that gives you a code to enter or a button to push to verify it's you. This means that even if a bad person guesses your password, he/she still can't get in unless he/she also steals your two-factor authentication code or device, which is usually extremely hard to do.

So how do you protect your accounts with two-factor authentication? 

1. First you need something to provide the two-factor authentication. The easiest way is to download a free app on your phone. Some examples are Google Authenticator, Symantec VIP, and Duo Mobile. Be wary of less popular apps; use one that's available in either the Google Play Store or Apple's App Store.

You can also use a physical token: a device that either displays a code for you, like RSA's SecurID, or that you plug into your computer and tap, like a FIDO U2F security key. These cost money and take a bit more time to set up.

2. Next, link your two-factor authentication app with your account (we’re just covering apps here because they’re free and easiest to use). To do this, you’ll log into your account, go to your account settings, and then use your new two-factor authentication app to scan a code. For instructions on how to do this, check out and search for your account - it’ll walk you through the process step-by-step. 

CAUTION: Some accounts only allow you to do two-factor authentication by sending a text message to your phone. While this is considered much less secure than an app, it’s still much better than not doing it at all. To check whether your account has two-factor authentication and if so, what kind it uses (app or text message), look it up at

And that's it! With a couple of easy steps, you've locked down your social media account, bank account, cloud storage account or other online account and made it REALLY hard for hackers to break in.

Next time you log in, your account will prompt you for a code from your two-factor authentication app or token, which you'll enter to finish logging in. You may ask, "Why don't these companies prompt me to turn this on as soon as I create an account?" Mainly because they think you'll decide it's too much work and it will discourage you from using their accounts. I have more faith in you than that. I think that, now that you've been armed with this knowledge, you'll likely be hesitant to use an account that DOESN'T offer two-factor authentication, and you should be.

Does this create one extra step to log in? Yes, but two-factor authentication apps are making the process even easier. Google Authenticator gives you an option to tap a button on your app instead of entering a code. Also, most accounts will give you the option to "recognize this device for 30 days" so that if you log in from a device you regularly use, like your laptop, you won't have to enter a code every time.
WARNING: do NOT use this option if you access your account via a shared or public computer, which I don't recommend doing in the first place.

Two-factor authentication is simply the best thing you can do to keep hackers out of your online accounts - I recommend you do it for any account that offers it and start with the accounts that are most important to you. 

I hope this was easy to understand and to accomplish. If it wasn’t or you have more questions, tweet your question @enabld and we’ll answer it. 

ENABLD is building a free website that organizes cyber self-defense tools, including two-factor authentication apps and devices, so that you can understand what they do and find what you need to stay safe. But we need your help and feedback to make sure that it actually helps you protect yourself. Sign up for our beta and be the first to give it a look and tell us what you think - you’ll be helping not only us to make something great for you, but all of the others who need help staying safe online.

- By Matt Lembright

Thank you to my wife Lauren for reading drafts of this.
