Two-factor authentication is not the be-all and end-all of authentication measures, but it sure beats using just a simple password. Security practitioners have long lamented the problems that passwords bring with them. Yet here we are.
I personally use a password management application to keep track of all of my credentials. To put this in perspective, I currently have 240 passwords recorded so that I don't have to remember them off hand. Not that I could, unless I was using the same password repeatedly. If you do this...please put your hand up and I will be around shortly to slap you. Why would you use the same password to secure your online banking as you would for your Twitter account? Seems odd when you say it out loud, no? Also, leaving your password on a post-it note under your keyboard is universally frowned upon. This is where two-factor authentication (2FA) can help out.
From The Guardian:
Of the solutions available, many are turning to SMS-based mobile authentication to augment their existing systems. An obvious choice, SMS-based two-factor authentication (2FA) is so appealing because of its user friendly nature, economic cost structure and security effectiveness.
However, despite acknowledged security concerns over social media, high levels of account hacking and theft of personal data, the general public are slow to accept the move to SMS-based 2FA.
We have seen many stories of social media accounts being compromised in the news. Twitter has historically been a significant target in this regard, with threat actors such as the Syrian Electronic Army (SEA) targeting accounts such as President Obama's.
A post from the compromised account:
A Twitter account belonging to the Syrian Electronic Army tweeted several anti-Obama messages, including: "Obama doesn't have any ethical issues with spying on the world, so we took it upon ourselves to return the favor."
So, with two-factor authentication available for a lot of these services, why aren't you using it? To be fair, it isn't that difficult to set up. Imagine if a hacker managed to access your email or Twitter account and started sending out malicious software or saying damaging things. Might give you pause to think, "two-factor authentication, you say"?
Here are some companies that are taking the time to try and help keep you a little more secure online.
Google "During sign-in, you can tell us not to ask for a code again on that particular computer. From then on, that computer will only ask for your password when you sign in.
You'll still be covered, because when you or anyone else tries to sign in to your account from another computer, a verification code will be required."
Twitter "This is a form of two-factor authentication. When you sign in to twitter.com, there’s a second check to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address."
Evernote "What makes two-step verification powerful is the six-digit verification code. This code is delivered to your mobile phone via text message or, if you prefer, generated by an app that runs on your smart phone, such as Google Authenticator. We’ll also give you a set of one-time backup codes for when you’re traveling."
Github "When logging in to GitHub, after providing your username and password, you will be asked for a two-factor authentication code that is delivered to your mobile device via SMS or a free two-factor application. This additional step ensures that a malicious person who has discovered your password will not be able to log in to GitHub as you."
Dropbox "Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account. Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet."
LinkedIn "Turn on Two-step verification for your account now by going to Settings, selecting the Account tab and clicking Manage security settings option."
These are just some of the examples of sites that offer this as a free service to help protect you. It takes a few minutes to set up for each site in turn. The question is, are a few minutes worth it to you to protect yourself online?
This raises the question, why do so few people take advantage of this service offering? Well, it appears that a lot of people just don't understand what two-factor authentication is.
From The Guardian,
This point is well made in answer to the question: "Do you know what 2-factor authentication or 2-step authentication is?" 77% of respondents in the UK said that they do not understand the term. The replies were remarkably consistent in other parts of the world too – 79% in Russia, 78% in Brazil and 72% in the US.
Security awareness is a problem that needs to be tackled with more enthusiasm. As an example, I was once confronted with a manager for an application development team who was seething at me because he insisted that two-factor authentication was "username and password". At that very moment I knew that I had my work cut out for me. Username and password is single-factor authentication: the username merely identifies the account, and the password is something you know. A second factor has to come from a different category, such as something you have. In this case, that is a number generated by software on a device you carry, which changes every time you log in and is only valid once. To visualize it, imagine that opening the door to your house required both the metal key (something you have) and a PIN entered on a keypad (something you know).
Sure, there are technical implementation issues for website operators, but what I'm discussing is the point of view of the average end user. The end user really doesn't care about that. It is much the same as a pizza delivery guy complaining that they're really busy when he arrives with your pizza 30 minutes late and cold. How sympathetic do you think the customer will be?
Users want to be more secure and really aren't interested in how they get to that point. So we, as security practitioners, need to do a better job of explaining this and other security issues to the wider audience. We need to move beyond the echo chamber.
(Image used under CC from Thijs van Exel)