Use Two-Factor Authentication
For many years, passwords have been our primary means of authentication — the way we prove our identity to access a restricted resource, like our email or an account with an online shop. As long as you’re the only person who knows the password, your account remains pretty safe.
But the secrecy of a password can be compromised in several ways. First, you might be tricked into disclosing it by phishing (see Recognise Social Engineering). Second, someone might guess it, or write software to automatically make millions of guesses until one is correct (see Use Strong, Unique Passwords). Finally, it might be leaked in a data breach (see Accept That Data Breaches Happen).
As we depend increasingly on online transactions, and store more of our data in the cloud, the idea that a humble password stands between our private information and the rest of the world is becoming less acceptable. Even for the most careful and savvy among us, the risk of compromise is just too great to rely solely on passwords to protect our most important accounts.
A familiar concept
Think about chip and PIN. It makes your bank account more secure because you need two different things to use your debit or credit card: something you have (the card) and something you know (the PIN).
Previously, just having the card was enough. Anyone who obtained it could go shopping — assuming they could roughly imitate your signature (and doesn’t the idea of comparing signatures seem primitive now?).
Chip and PIN is the most familiar form of two-factor authentication (2FA), but a similar approach is now common for online accounts. Most major email providers and social media platforms now support two-factor authentication, as do many online shops, providers of financial and healthcare services, and government websites.
Some services call it two-step verification, and you might also see the more general term multi-factor authentication; they’re the same thing.
I often say – humorously, but with complete sincerity – that two-factor authentication is just a few small steps for you, and one giant leap for the security of your accounts. Once you’ve set it up, it will go a long way towards keeping hackers out, without inconveniencing you from day to day. One study by Microsoft found that multi-factor authentication blocked more than 99.9% of attacks on accounts. It’s not often an invention proves so effective.
Two-factor authentication is best understood with a worked example.
Imagine you have a savings account that you can access online to deposit or withdraw money. You already have a password — it’s the ‘thing you know’. To keep your money safer, you very sensibly decide to turn on two-factor authentication, using your mobile phone as the ‘thing you have’.
To do this, you must prove your ownership of the phone using a process on the bank’s website. One way is to enter your phone number, via which the bank will text or call you with a code. You then type the code back into the website, thus proving you received it.
To further increase security, there’s usually a short time limit within which you must enter the code. If you run out of time, don’t worry — there’ll be an option to request a new code. Most companies know that two-factor authentication can be daunting and inconvenient, and they try to make the process as accommodating as possible.
If you have a tablet or smartphone, you may additionally install a free app called an authenticator. To set this up, rather than prompting for your phone number, the bank’s website displays a QR code — like a two-dimensional barcode. The app activates your device’s camera, and you point it at your computer screen to ‘scan’ the code.
Your account is now protected by two-factor authentication.
Next time you want to check on your savings, you visit the bank’s website and enter your password in the usual way. The password is accepted, but an additional step is required before you can see your account.
The bank texts or calls you with a one-time passcode that’s valid for a short time and can be used only once. Alternatively, if you have an authenticator app, you simply open the app and note the passcode that’s currently displayed. Knowing this code proves your possession of the phone — a pretty good way to verify that you are who you claim to be. You type the code into the website, and your bank account opens.
The site may offer to remember or ‘trust’ your particular device so you don’t suffer the inconvenience of performing two-factor authentication every day.
Now imagine a third party guesses your password, obtains it from a data breach, or tricks you into disclosing it via phishing. Their goal is to use their computer to log into your account and steal your savings.
First, the bank’s website prompts for your password, which the attacker knows, so this step succeeds. But because their computer is unfamiliar, the site then prompts for a one-time passcode — which is sent, of course, to your phone. The attacker is thwarted because they cannot proceed without the code.
What you can do
- Enable two-factor authentication on your email account. It’s your most important account, because not only does it contain a great deal of information about you, but a third party with access to your email can in turn gain access to your other accounts via their ‘forgotten password’ facility (consider that you typically reset a forgotten password by receiving an email with a code or a link to click).
- Ideally, enable two-factor authentication on other accounts that offer it.
- Don’t rely on just one second factor, especially for important accounts. If an account allows it, enrol multiple phone numbers and email addresses along with an authenticator app on your tablet or smartphone.
For several generations of Brits, TOTP stood for Top of the Pops. In information security, it stands for time-based one-time password. This is an open standard adopted by the majority of organisations offering two-factor authentication, which means you can use a single authenticator app with multiple accounts. For example, you might use Microsoft Authenticator not only for Outlook but for Facebook and PayPal too.
TOTP generates codes based on the date and time of day. This means that even if your phone has no signal or Wi-Fi, you can still get a code from your authenticator app. The code changes on an interval, usually thirty seconds. However, to allow for imperfect clocks – and the time it takes you to read and then type the code – the service usually also accepts a code that has only just expired or, if your phone’s clock is running fast, one from the next interval that is slightly ahead of the server’s clock.
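A worked implementation of the TOTP scheme just described, added here as an illustration and not part of the original text: it derives the six-digit code from a shared secret and the current time (the secret is what the QR code carries during the enrolment step described earlier), and shows how a bank’s server checks a submitted code while tolerating a slightly slow or fast clock and refusing to accept the same code twice. The secret is the RFC 6238 test value, not a real account’s, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, the usual authenticator-app interval
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over an 8-byte
    counter, dynamically truncated to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based code (RFC 6238): the counter is the number of whole steps
    since the Unix epoch, so phone and server agree on it with no network."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used: int = -1, window: int = 1):
    """Server-side check. Accepts the code for the current step and for
    `window` steps either side (slow or fast clock, time spent typing).
    Returns the accepted step so the caller can store it and reject a
    replay of the same code; returns None if nothing matches."""
    current = unix_time // TIME_STEP
    for counter in range(max(current - window, 0), current + window + 1):
        if counter <= last_used:
            continue  # this code (or an older one) was already used once
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


# Constructed enrolment secret: the QR code scanned at set-up carries a
# Base32 string like this; the value is the RFC 6238 test secret, not real.
ENROLLED_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SECRET = base64.b32decode(ENROLLED_SECRET_B32)

if __name__ == "__main__":
    now = int(time.time())
    print("code:", totp(SECRET, now), "valid for", TIME_STEP - now % TIME_STEP, "s")
```

Because the counter is derived purely from the clock, the phone needs no connection to produce the code; the server only needs to agree on the secret and, roughly, on the time.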