News broke last week that a Russian crime syndicate had amassed the largest known collection of Internet credentials, including 1.2 billion username-and-password combinations. The collection also included 500 million email addresses and confidential material from 420,000 websites across the world. The size of the victim sites ranged from Fortune 500 companies to people running simple websites out of their homes.
Events like these expose one of the weaknesses of relying on simple passwords for access to online services that we use every day. The average Internet user has more than 30 accounts at various online services, and using the same password at any or all those sites means a security failure at one site puts the information at the other 29 at risk.
Thanks to events such as this, Two-Factor Authentication, sometimes abbreviated 2FA, is gaining momentum. 2FA has been around for decades, but it has only recently become accessible to the general public.
There are generally three factors that can be used to grant access to a system:
» Something you know (passwords).
» Something you are (biometrics, such as retina or fingerprints).
» Something you have (a card or some other token).
2FA uses a second factor in addition to your password before access to a site is granted. Usually this second element is something you have. ATM access is a classic example of 2FA. It takes something you know (your PIN) and combines it with something you have (your ATM card). It does no good for a thief to have your PIN without your ATM card, and vice versa.
Within the past few years, the concept of 2FA has gained critical mass, and now many websites support it. But clearly, website operators cannot send ATM-like cards to everyone who signs up for their service, so how do they accomplish it? With something practically everyone already has: phones. Some of the most popular Web services now support 2FA by sending a code via text message to the registered account member’s phone when the service sees them logging in from a computer they haven’t used before. The person logging in must type that code into the system before access is granted. If the hackers don’t also have your phone, they cannot log into the system, even if they have your password. Your password is useless without the second factor. Once the person logs in on a computer with the code, that computer is registered in the provider’s system, and the user is generally not prompted for it again, so it doesn’t add an undue burden.
Those without cellphones or messaging features can request a call instead of a text. Some sites can send the code to an email address. There are also hardware tokens that produce a code every 60 seconds, and smartphone apps that do something similar, but for most cases the text to the cellphone is a great solution.
Enabling this stronger authentication is the single best thing you can do to secure your online accounts. All the major email providers (except AOL) support 2FA, as do most social media sites, like Facebook. To see whether your online service providers support 2FA, and for site-specific instructions on how to enable it, go to twofactorauth.org.
Hawaiian Telcom Information Security Director Beau Monday is a local cybersecurity expert. Reach him at Beau.Monday@hawaiiantel.com.