Mike Cleckner
Software Engineering | Project Management • Software Development • Quality
Assurance
linkedin.com/in/mcleckner
Have you ever heard of two-factor authentication and thought
to yourself, “What the heck is that?”
Well, you can Google or Bing or Yahoo or Duck-Duck-Go it and
find out more technical details. I’ll give you the high-level,
person-on-the-street explanation in this blog post. I’ll start off by saying
that I am not your cyber security expert. I don’t have thirteen letters after
my name endorsing my cyber-security credentials. I’m just practical and curious
and I did some searching on the web. I’m a geek and a techie. You need to be
responsible for yourself and your cyber-life. Take what I write here as a
starting point for you to research more into the topic and decide if it is
right for you. You need to do some leg work. This is simply an introduction.
What is two-factor authentication?
Two-factor authentication is defined on Wikipedia (https://en.wikipedia.org/wiki/Two-factor_authentication)
as:
…
provides unambiguous identification of users by means of the combination of two
different components. These components may be something that the user knows,
something that the user possesses or something that is inseparable from the
user.
In your everyday life, the example is the PIN for your ATM
card. The ATM card is the first factor, something you have: it tells the machine
which bank and which account you are using. Your PIN (which shouldn’t be
written on the back of the card!!!) is the second factor, something you know. Another
example is when you call your health insurance provider and they ask you to
provide your mailing address, date of birth, and the last four digits of your
social security number. Hopefully, knowing all those things in addition to your
account/member number ensures you are who you are supposed to be. Strictly
speaking, though, that is several things you know, all of them findable by a
determined stranger, rather than two different kinds of factor, so it is a
weaker check than the card-plus-PIN combination.
So two-factor authentication boils down to using a primary
and secondary method of verifying that you are who you say you are and that you
should have access to this service. For services on the web, it gives you a
second level of verification to ensure that you should be accessing the web
site. This means that if someone managed to guess or steal your password, then
they won’t automatically gain access to that service because they don’t (hopefully)
have the second layer of security.
What is that second layer?
Well, it depends. For some web sites/services like Gmail, you
could get a text message to your cellphone with a code, use a code generated by
an authenticator app on your phone, or get a phone call telling you the code
to enter. It can vary from provider to provider; service to service. Of those,
the app-generated code is the strongest choice, because a text message or call
can be redirected by someone who talks your carrier into moving your number to
a phone they control. Basically
it boils down to, some other method to ensure that the person trying to access
your account/service is you. These secondary validation methods are tied to
something that you (ideally only you) have access to or would require a really
bizarre set of circumstances for a non-authorized person to have access to
(like you left your cell phone, with no lock code, that you use for the
secondary method validation sitting next to your laptop in Starbucks when you
went to the counter for another scone).
Isn’t this just going to be a pain for me? I don’t want to go through this EVERY time I log in.
Well, yes. It can be a pain, but nothing is free, right?
If you want the extra security, then you’ll have to deal with the extra 5 or 10
seconds to get the secondary access-code and enter it. Boo hoo, was that REALLY
so bad?
Seriously, depending on what device you are accessing the
service from and the kind of two-factor authentication the service provides, it
is possible to tell the service to “remember” you on this device. This way you
don’t have to go through the whole process again. That sounds like a great
idea, right? Well, sure it is convenient, but you should think twice about what
devices you enable that on. If you carry your laptop around with you, then
maybe it would be better to deal with the extra layer of authentication just in
case you happened to leave your laptop somewhere. With your desktop at home (or
your laptop at home that never gets to go anywhere), it probably is safe to
have the service “remember” you. If nefarious computer hacking ninjas decided
to invade your home and take your computer,
then I guess it might not have been a good idea. On the plus side, if you find
out that your authenticated (i.e. stop asking me for the secondary password!)
device is stolen or lost, then you should be able to reset the service’s two-factor
authentication. That means it won’t “remember” that device anymore and ask
whomever is trying to log into the service for the second layer of
authentication.
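To make the “remember this device” idea concrete, here is an added example (my own illustration, not code from Gmail or any other service) of how a service can keep a list of trusted devices and then forget all of them when you report a laptop lost. The class name, the 30-day lifetime and the idea of handing the browser a random token are assumptions for illustration; the point is that the service stores only a hash of that token, checks it on the next login, and can wipe the whole list in one step.

```python
import hashlib
import secrets

# Added example, not any real service's code: one way "remember this device"
# can work on the server side, including the reset the post mentions for a
# lost or stolen device. Names and the 30-day lifetime are assumptions.

TRUST_LIFETIME_SECONDS = 30 * 24 * 60 * 60


class TrustedDevices:
    """Devices that may skip the second factor for one user account."""

    def __init__(self):
        # token hash -> (device label, expiry time). Only the hash is kept,
        # so a stolen copy of this table does not let anyone skip the code.
        self._devices = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, label: str, now: int) -> str:
        """Called once, right after a full password-plus-code login where the
        user ticked "remember". Returns the random secret the browser keeps
        (in practice in an HttpOnly, Secure cookie); nothing else is needed."""
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._devices[self._fingerprint(token)] = (label, now + TRUST_LIFETIME_SECONDS)
        return token

    def can_skip_second_factor(self, token, now: int) -> bool:
        """At the next login: a known, unexpired token means skip the code."""
        if not token:
            return False
        key = self._fingerprint(token)
        entry = self._devices.get(key)
        if entry is None:
            return False
        _label, expires = entry
        if now >= expires:
            del self._devices[key]  # trust lapses; ask for the code again
            return False
        return True

    def labels(self):
        """What a 'devices you trusted' settings page would list."""
        return sorted(label for label, _ in self._devices.values())

    def forget_all(self) -> None:
        """The 'reset' after a laptop goes missing: every device, including
        the desktop still at home, has to do the full login again."""
        self._devices.clear()


if __name__ == "__main__":
    devices = TrustedDevices()
    home = devices.remember("home desktop", now=1_000)
    laptop = devices.remember("travel laptop", now=1_000)
    print(devices.labels())                                   # both trusted
    print(devices.can_skip_second_factor(laptop, now=2_000))  # True
    devices.forget_all()                                      # laptop lost
    print(devices.can_skip_second_factor(home, now=2_000))    # False
```

Notice that the reset is all-or-nothing here: forgetting the stolen laptop also forgets the desktop at home, which is a reasonable price for never having to guess which token went where.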
Many of these services also provide multiple ways to get that
second authentication token/code. Let’s say that your primary way to get the token
was a text message to your cellphone, but you forgot to bring it with you; then
another method can be used.
(I can’t imagine that you would actually do that. I’m sure
you got 30 minutes away from home and panicked. “Where’s my cellphone?” And
motored right back home to get it.)
Sometimes this is a set of a dozen one-time codes that you
print out and put in your purse or wallet; or it could be a phone call to
another number. Treat those printed codes like cash: each one works exactly
once, and anyone holding the paper can use it, so don’t tuck the list into the
same phone case as the phone it is meant to back up. Review the two-factor
authentication abilities that are provided by the service. There should always
be at least two ways for you to get that token/code. Just in case.
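Two of the second-factor methods mentioned above, the code from an authenticator app (see “What is that second layer?”) and the printed list of one-time backup codes, are simple enough to show end to end. Here is an added example, my own and not code from any real service, of how the service side checks them: the app code is the standard TOTP algorithm (RFC 6238, built on RFC 4226), and the backup codes are generated once, stored only as salted hashes, and thrown away the first time each is used. The secret key and clock values below are constructed test inputs (the key is the one the RFC uses for its test vectors), and the function names are mine.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example (not any real service's code). Two ways a service can check
# the second factor the post describes: a code from an authenticator app
# (RFC 6238 TOTP, built on RFC 4226 HOTP) and a printed list of one-time
# backup codes. The secret and clock values are constructed test inputs.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps
    since the Unix epoch. The app and the server both compute this from
    the same shared secret; no network round trip is involved."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept the current code and one step either side, so a phone clock
    that is a few seconds off still works. Compare in constant time."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(counter - window, counter + window + 1)
    )


class BackupCodes:
    """The 'dozen one-time codes you print out'. The server keeps only
    salted, stretched hashes; each code is deleted the first time it is used."""

    def __init__(self, count: int = 12):
        self._salt = secrets.token_bytes(16)
        plain = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars, 40 bits
        self._hashes = {self._hash(c) for c in plain}
        self._unprinted = plain  # shown to the user once, then dropped

    def _hash(self, code: str) -> bytes:
        # PBKDF2 rather than a bare hash: 40-bit codes would be cheap to
        # brute-force offline if the database ever leaked.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 50_000)

    def printable(self) -> list:
        codes, self._unprinted = self._unprinted, []
        return codes

    def redeem(self, code: str) -> bool:
        h = self._hash(code.strip().lower())
        if h in self._hashes:
            self._hashes.remove(h)  # single use: the same code never works twice
            return True
        return False


def second_factor_ok(secret: bytes, backups: BackupCodes, submitted: str, now: int) -> bool:
    """Try the six-digit app code first, then fall back to a backup code."""
    s = submitted.strip()
    if s.isdigit() and len(s) == 6:
        return verify_totp(secret, s, now)
    return backups.redeem(s)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    print(totp(secret, 59, digits=8))         # 94287082, as the RFC's table lists
    backups = BackupCodes()
    codes = backups.printable()
    print("print these and put them in your wallet:", " ".join(codes))
    print(second_factor_ok(secret, backups, codes[0], 59))  # True, first use
    print(second_factor_ok(secret, backups, codes[0], 59))  # False, already spent
```

The window of one step either side is why a code “from a minute ago” sometimes still works and one from five minutes ago does not; it is a deliberate trade between tolerating a slow phone clock and keeping the code short-lived.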
So why should you use two-factor authentication?
For security. For peace of mind that someone isn’t into your
Gmail or sending out Tweets from your account or messing with your LinkedIn
profile (You were a circus clown for three years. Interesting.) or defacing
your Facebook profile. You probably don’t need to worry about it, unless your
password is “password” or “123456” or something easy to guess; or you are some
high profile person (like Taylor Swift, Jerry Seinfeld, Joe
Rogan, or Alison Krauss) that would make you a “fun” target, but why not add
that extra layer of security?
For most of us, it is a non-issue until it is an issue.
Until some bozo hacks into some website’s backend server and lifts the account
information. Seems to me that just happened to LastPass (https://blog.lastpass.com/2015/06/lastpass-security-notice.html/),
although don’t worry because your password wasn’t exposed (uh huh). So why not
just use it at least for the services that you really care about. I recommend
at least your email account (especially if it is the one you use for “I forgot
my password”) and whichever social media service you really, really, really
love and use frequently.
I use it wherever it is available.
Next Steps?
Right. Where are the step-by-step instructions for whatever
service? That’s right, I didn’t do that. Take a moment and simply search
the internet for information on how to do it for whatever service.
(We are living in the information age for Pete’s sake!)
Pretty much EVERY popular service on the web
has this wonderful thing called HELP. Click on that and then search for “two-factor
authentication”. Or use your favorite web search portal and type “two-factor
authentication <service>”.
For example “two-factor authentication twitter”
(Here’s my search for that -- https://duckduckgo.com/?q=two-factor+authentication+twitter)
and go with the result actually from that service (Here’s one from my results for that
-- https://blog.twitter.com/2013/getting-started-with-login-verification).
So look into it some more. Check out what is provided by
your service and set it up. If you don’t like it, then you can just disable it.
No big deal.
What’s the worst thing that happened?
You learned something new
and tried it out.