Spotlight: What is Multi-factor Authentication? Where and why should I use it?

Posted November 8th, 2017 at 10:49 am.

Example of Dropbox two-step verification dialog: "Two-step verification adds an extra layer of protection to your account. Whenever you sign in to the Dropbox website or link a new device, you'll need to enter both your password and also a security code sent to your mobile phone."

Dropbox Two-Step Verification: Hands On | PCWorld pllqt.it/llwc7e

Have you ever had an online service encourage you to enable an additional layer of login security?  Like many of us, you probably thought “my password is good enough,” “that sounds inconvenient,” or “why would I want that?”

It’s true you need strong passwords (and a good way to manage them).  But are they enough?  Minimum password lengths are discussed at security conferences each year, and it becomes easier each year to quickly crack longer passwords.

What the  National Cyber Security Alliance (NCSA) calls “strong authentication” – more often called 2-step verification, multi- or two-factor authentication (MFA or 2FA), or login approval – provides an extra layer of security beyond your username and password to protect against account hijacking. Many popular online services, including email, file storage and sharing, and social networks, offer this option.  The idea is to make sure the person accessing the account is actually you.

These types of strong authentication are made up of at least two of the following:

  • Something you know: a password, PIN, zip code, or answer to a security question
  • Something you have: usually a physical object like a phone, credit card, or digital device (there are many types), but some services use access to an additional digital resource (like an alternate, unconnected account or an online authenticator service)
  • Something you are: a biometric such as a fingerprint, retina, face, or voice

Some services have multiple options where you can provide any two of several identified sources.  Some use methods compliant with the Universal 2nd Factor (U2F) standard.

You might not realize it, but you regularly use two-factor authentication. When you swipe your debit card and are asked to enter your PIN code or write a check and are asked to show your driver's license? Each is a form of two-factor authentication. The first example requires you to possess your card and know your PIN code. The second requires you to possess your checkbook and prove your face matches the mugshot on your ID. Why is it important to protect my online accounts?

Statistics on number of accounts hacked is staggering. According to Pew Research Center, “A majority of Americans (64%) have personally experienced a major data breach.” However, an account holder won’t always know a breach has occurred.  Omri Toppol at LogDog writes, “With a silent hack, you’ll have no idea that a cybercriminal has access to your account and may be watching your every move. You may keep using your account for weeks, months, or even years without knowing it’s been hacked. Meanwhile, the hacker has access to all of the private information you may have stored in the account, and can abuse it in various ways.”

One of the most common things people say to technologists when choosing not to use stronger passwords or authentication options is (a varient of) “I don’t really have anything secret or special, it doesn’t matter if I get hacked.”

In her Article “Hacked Email: Why Cyber Criminals Want to Get Into Your Inbox,” Cristina Chipurici of Heimdal Security challenges the assumption that online accounts don’t contain anything of value.  She challenges readers to really look through an email account and see what personal information might really be exposed. The average person will be surprised by what they find. She goes on to say:

“And our emails are interconnected to all our other digital accounts, from bank accounts to social networks (LinkedIn, Twitter, Facebook, etc), cloud services (Google Drive, iCloud, Dropbox), online shops (Amazon, for, ex, where you most likely saved your credit card details as well) and so on.”

Now more than ever, as our digital footprints grow exponentially, we need to take personal action to preserve our online freedoms. Why? The Internet benefits and belongs to all of us — thus it is our joint responsibility to protect it.Privacy is also important to maintain, even in a world where it is so easily traded away for convenience.  Chipurici points out the monetary value of your data, but her points are just the beginning. In “Why You Should Care About and Defend Your Privacy,” Lifehacker and the Electronic Frontier Foundation teamed up to explain this critical issue and its effects.  The EFF is “is the leading nonprofit organization defending civil liberties in the digital world.” George Washington University Law Professor Daniel J. Solove teaches and writes on privacy issues.  He says “Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that.” He goes on to articulates 10 reasons that privacy matters.

Two-factor authentication is a must-have for: online banking online shopping (Amazon, PayPal – though it’s only available for a few countries) email (Gmail, Yahoo, Outlook) cloud storage accounts (Dropbox, Box, Sync) accounts on social networks (Facebook, Twitter, Linkedin, Tumblr) productivity apps (Evernote, Trello) password managers (LastPass) communication apps (Slack, Skype, MailChimp)How do I get started?

Glad you asked!

  • LockdownYourLogin.org has a simple reference to get started, including instructions for several common services (Facebook, Dropbox, iCloud, etc.)
  • iMore has some additional information, and instructions for a few more sites.
  • The Verge also has some additional information, and instructions for a few more sites.
  • Didn’t find your favorite online service?  Check directly with that service, or search for it at TwoFactorAuth.org.

Many services provide some variant of authentication protection.  If your favorite service doesn’t, you should encourage them to do so, or choose another service that takes protecting your data more seriously.

Learn more about two-factor authentication at https://www.turnon2fa.com/.

Filed under: Announcements Tags: by Amy Pearlman

Comments are closed.