The second part of my blog series on staying Secure on the Internet is about something that most people don’t do and that is using two-factor authentication when logging into websites. Most people believe having a secure password is all you need to stay protected online. But that is not true anymore a secure password can be compromised just like an insecure password. Two-factor authentication adds another layer of security and has been put in place for most popular websites like Google, Facebook, Twitter, and Dropbox.
Two-factor authentication takes the process of basic authentication which is proving you are who you say you are. Basic authentication is normally in the form of a username and password, but that is just one of the factors of authentication. What you know (i.e. username and password) is the first factor of authentication. Another authentication factor is what you have and this is normally used in two-factor authentication. What you have is usually a token number generator in the form of a key fob or an app on your smart phone. The token number changes every 60 seconds so the number you enter online has to match the number in the generator for the login to be authenticated. This means that for someone to login as you they would have to know your username and password and have a valid token code.
Because so many well known sites are being hacked and user account information is being stolen many larger websites have started to implement two-factor authentication. Most of the websites that implement two-factor authentication use your Smartphone as the second method of authentication. Websites use your Smartphone as the second authentication factor by either using apps that generate the token code or by messaging you the token number need to login.
Google use of two-factor authentication use their own Google authenticator app which generates a token that is need to login to any Google service for an unknown computer. This can become annoying if you access Google services for different computers but it will protect your Google account. Facebook, Twitter, and Dropbox perform two-factor authentication differently. When you enable two-factor authentication for these services you are required to give you cell phone number and the token code is sent through SMS to the cell phone. I don’t like this method as compared to Google’s because not only does it use your messaging but it doesn’t seem secure to have the token code texted to you.
I have just started using a web application to login to these sites and perform the two-factor authentication. Duo Security is a security company that lets you setup two-factor authentication with tons of VPN services, Web platforms, Windows, and Unix. What I think is cool about Duo Security is that you can have all the services that you want to protect with two-factor authentication in one spot all handled by one web service. They have a free service for someone who wants to use it for themselves and they offer business services for companies that need to implement two-factor authentication. I started using this service after it was recommended by a friend who wrote a blog post all about the service and how to set it up.
Dup Security makes it easy to setup two-factor authentication on popular web sites and once you have enabled the service you can download the app on your smartphone called Duo Mobile. And once you have the app and have setup the accounts you can use it to login. When you want to login depending on the web service you can go to the app and get the six digit code. Or for some web services like WordPress you can use Duo Push which will send a notification to your phone and you can hit allow or deny and this acts as the second authentication factor. This is the first time I have seen this type of two-factor authentication and it seems like a good way to authenticate. The only problem I have run into with Duo Push is when my phone was connected to wireless but not the data network the duo push would not go to my phone. This makes me think it use the data service to send the authentication to your phone and it could be an issue if you don’t have a data plan or decent cell coverage. But in the case the Duo Push will not work you can still use either the passcode sent via SMS or a passcode generated with the Duo Mobile app on your phone. The fact the service has three different methods to get the passcode and authenticate is very reassuring.
There are many different web services that will help you setup two-factor authentication. It doesn’t matter which service you use it only matters that you have two-factor authentication. Having the additional factor will not make you accounts bulletproof, but they will drastically improve your account security. Even though using two-factor authentication will make it harder on you when you want to login to your account it will also make it harder for someone to login as you. Computer security industry is always changing and improving and everyone knows passwords are not a perfect way of protecting your account but until the next generation of authentication is released it is essential to make your online accounts as secure as possible. I hope you all use two-factor authentication whenever possible and that keeps you secure and your accounts from being compromised.