2-Factor Security!

Two-factor authentication. Do you use it? A lot of IT professionals use neither:

  1. a password manager, nor
  2. 2-factor authentication.

It’s surprising to me because 2-factor authentication is becoming more and more widely implemented for web services. Banks in the UK consistently use multi-factor authentication. Most consumers will have already experienced 2-factor (or multi-factor) authentication. Facebook, Google, LinkedIn, Twitter, all offer 2-factor processes.

Multi-factor authentication is just a fancy term for a login process that asks you for more than a password alone.

Something in your head, and something in your hand
Multi-factor merely means more than a password. Sources: http://tinyurl.com/zn5l3ej http://tinyurl.com/gphmv4k

It is widely recognised that a password on its own is pretty weak. We all abuse passwords, and it is pretty easy to capture another person’s password. For years and years, security researchers have been trying to strengthen online verification processes. Multi-factor authentication is something that has emerged as a practical measure to improve your online resilience. Emphasis on the word **practical**.

Multi-factor (2-factor, 3-factor, 4-factor…n-factor) authentication adds extra layers of access control on top of your password, so that your account is protected by more than one check.

For instance, with 2-factor access enabled on Twitter, when you sign in from a new device, Twitter asks for:

  1. Your password, and
  2. The code (6 digits?) they text to your phone.

An attacker needs to have both your password and your phone to get into your Twitter account. It isn’t impossible to get both, but as you add more layers (multi-factor == n-factor authentication), it becomes progressively more difficult for you to lose control over your account.
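The post describes the second factor as a 6-digit code texted to your phone. Authenticator apps such as Authy (mentioned in the practical tips) derive the same kind of 6-digit code from a shared secret and the current time instead (TOTP, RFC 6238). The example below is added here and is not code from the original post: it implements RFC 4226/6238 code generation, a skew-tolerant verifier, and a two-factor login check in which both factors are always evaluated and compared in constant time. `register_user`, `login`, and `DEMO_SECRET_B32` are constructed for illustration; `RFC4226_TEST_SECRET_B32` is the public test key from the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret in base32, the form shown in an enrolment QR code. Not a real account secret.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# Public test key from RFC 4226 / RFC 6238 (the ASCII string "12345678901234567890").
RFC4226_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # base32 needs padding to a multiple of 8
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), so the code changes every `step` seconds."""
    return hotp(secret_b32, int(at // step))


def verify_totp(secret_b32: str, submitted: str, at: float, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate phone/server clock skew.

    Every candidate is compared with hmac.compare_digest so timing does not leak which digits matched.
    """
    if not (submitted.isdigit() and len(submitted) == TOTP_DIGITS):
        return False
    counter = int(at // TOTP_STEP_SECONDS)
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c < 0:
            continue
        # Accumulate with |= rather than returning early so the loop runs the same number of times.
        ok |= hmac.compare_digest(hotp(secret_b32, c), submitted)
    return ok


def register_user(password: str) -> dict:
    """Constructed enrolment: salted PBKDF2 password hash plus a fresh random TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": base64.b32encode(secrets.token_bytes(20)).decode(),
    }


def login(record: dict, password: str, code: str, at: float) -> bool:
    """Two-factor login: both the password and the code must be right.

    Both factors are always checked so the response does not reveal which one failed.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    code_ok = verify_totp(record["totp_secret"], code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    now = time.time()
    user = register_user("correct horse battery staple")
    current = totp(user["totp_secret"], now)
    print("password alone:", login(user, "correct horse battery staple", "000000", now))
    print("code alone:    ", login(user, "wrong password", current, now))
    print("both factors:  ", login(user, "correct horse battery staple", current, now))
```

The RFC test vectors make the arithmetic checkable by hand: with the published key, counter 0 gives 755224 and counter 1 gives 287082, and a Unix time of 59 seconds falls in counter 1, so the TOTP at that instant is 287082. A stolen password alone, or a glimpsed code alone, fails `login`; only the pair succeeds, which is the point of the Twitter example above.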

The time investment to get set-up with usable 2-factor authentication isn’t much. Just poke around the Account or Security section of a website, and you’ll often find that you can enable 2-factor.

OK…so Donal, it seems like an O.K. idea, but I’m lazy…

Sure, me too.

Practical tips

  1. Strengthen your passwords by using a password manager. You want a manager that is available on all your devices. I recommend Lastpass.com.
  2. Focus on enabling 2-factor authentication on websites that are important. Social media platforms, email accounts, password managers. (Physical devices, like your laptop, can also have more than a password.)
  3. Use Authy. This little tool can store all those separate 2-factor tokens in one place. It’s like a password manager, except it is for 2-factor authentication.
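Tip 1 says to strengthen your passwords with a password manager. The two things a manager actually does for you are generate a long random password per site from a cryptographic random source, and flag where you have reused one. The example below is added here and is not code from Lastpass or any other product: `generate_password`, `entropy_bits`, `find_reuse`, and the constructed `DEMO_VAULT` are illustrative stand-ins for what a manager does internally.

```python
import math
import secrets
import string
from collections import defaultdict

# Full printable ASCII set minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Pick each character independently with the `secrets` CSPRNG (never `random`, which is predictable)."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict) -> dict:
    """Group sites that share a password, as a manager's security check would.

    `vault` maps site -> password; the result maps each reused password to the sites using it.
    """
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# Constructed vault for illustration; the reused password is the one from the post.
DEMO_VAULT = {
    "email.example": "EverybodyLovesRaymond",
    "social.example": "EverybodyLovesRaymond",
    "shop.example": "EverybodyLovesRaymond",
    "bank.example": "b7!Qz2#mL9v$Wk4p",
}


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  ({entropy_bits(len(pw), len(DEFAULT_ALPHABET)):.1f} bits)")
    print("word-only guess space of 'EverybodyLovesRaymond' is far smaller than its length suggests")
    for reused, sites in find_reuse(DEMO_VAULT).items():
        print(f"password reused on {len(sites)} sites: {sites}")
```

A 16-character password drawn uniformly from the 94-symbol alphabet carries about 105 bits of entropy; a memorable phrase of three dictionary words is closer to 30 to 40 bits regardless of its character count, which is why the manager should generate the password rather than you. The reuse report is what turns a single leaked site into a list of accounts to rotate.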


Give me a little more…

Infographic on the four common types of authentication. Something you have, something you know, and biometrics

If your password security sucks, here is what to do about it…

Please share your clever work-arounds in the comment section.

Passwords are a total pain. Yep. Everyone, largely, hates having to remember them. And they have a nasty habit of catching you out when you don’t expect it. Have you not logged on to that dodgy, forgotten laptop in the bottom drawer of your office in the past 6 months? Well, if you have/haven’t, hopefully, you can remember the password. But, wait, if you go to actually try it and it rejects you, well, what was that password? Ermm, yeah. You’re quite, quietly, ignominiously stuck. It might take a little bit longer to remember it. How about trying to type every password you’ve ever used? …Nope…Oh dear.

Sometimes, don’t you hope for a better alternative? I can’t give you a solution to that dusty-old laptop-problem. But, if you are someone who is fed up trying to remember the password for this-or-that website, (admit it, you’ve only used most websites you’ve put in a password for, once or twice, so you just have a password you use for all of those little sites) then I’d highly recommend getting a Password Manager. Yep, a PASSWORD MANAGER. GET ONE.

(It is actually cheap-to-free, and a good one is pretty easy to work with.)

Personally, I recommend Lastpass. It is super handy. It is, genuinely, a piece of software worth paying for. It is a piece of software that will make you — once you get the hang of it — never want to go back to the old method of relying upon your failing squidgy bits. Brains just aren’t meant for remembering passwords in a secure way. (Numerous studies and practical reality show.) And, it is hard to replace passwords with anything else. AND, EVERYTHING USES PASSWORDS, basically.

I also recommend two-factor authentication. But, for some people, and in some situations, it’s annoying. Don’t worry about that yet. A Password Manager, for those without either, is a more important bit of kit.

I’ll write another post later, giving a bit more detail, about how to use a Password Manager, and perhaps I’ll compare some of the current offerings. But, this is just a quick tip. If you are having trouble with passwords — or you suspect that ‘EverybodyLovesRaymond’ isn’t a secure password because you’ve used it for the last 7 years on every sad-scrap-of-a-site you’ve visited — then something like Lastpass is well-worth your time. Check it out. Honestly. Life-saver.