#two factor

There are a number of ways that you can protect yourself online, and one of the things you can do is to start using two-factor authentication.

You probably have seen two-factor authentication even if you aren’t sure what it is. For instance, if you do online banking, your bank might text a code to your phone or email when you try to change the password. This is two-factor authentication. It’s basically just an extra step that confirms that you are the account owner. This makes it more difficult for hackers to get into your account, too. Not only do they need a password, they also need access to your smart phone or email account.

These Critical Websites need Two Step Authentication

Most large websites have the option for two-factor authentication. Each company name is linked to their specific instruction. Here’s how to set it up:

Apple ID

You can use two-factor authentication on your iCloud, iPhone or iPad:

Click on “Settings,” “Security,” and then “Turn on two-factor authentication.”

Enter a phone number

Look at your text, enter the code, and you are good to go

Facebook

Log into your Facebook account. Click on “Settings,” “Security and Login.”

Choose “Use two-factor authentication,” and then click “edit.”

Select the method. There are several options including texts, apps, and code generators.

Follow the instructions shown on the screen.

Click “Enable.”

Gmail

You can set up two-factor authentication for Gmail and Google accounts.

Navigate to the Google page for two-step authentication.

Click “Get started.”

Follow on-screen instructions to turn the feature on.

Yahoo

Sign into your account

Click “Account security.”

Look for “two-step verification,” and make sure it’s “on.”

Enter your phone number, and choose text message or phone call

Enter the code, and then click on “Verify.”

Instagram

If you use Instagram, you can also set up two-factor authentication:

Log into your account on Instagram.

Navigate to your profile and choose your operating system.

Scroll down until you see “two-factor authentication.”

Click on “require security code.”

Enter a phone number if one is not there. Click “Next.”

You will get a code to your phone. Enter it, and then click “Next.”

Twitter

If you use Twitter, you can also set up two-factor authentication. However, there are different steps to take depending on how you access the site, either from a laptop or PC, an iPhone, or an Android. You can learn about setting two-factor authentication up by visiting the Help Center.

Here are a few more important sites that require a more in-depth explanation:

Linkedin

Paypal

Ebay

Amazon

Data security is a major concern for any organization, whether the concern is for internal employees or external customers. Everyone needs to be able to limit access to potentially sensitive data, and this is accomplished using accounts. However, accounts require users to authenticate and prove their identity, and this is where everything tends to fall apart.

For data protection, the password has been the go-to for ages. Even before computers, passwords were used to prove membership in a group or gain access to a speakeasy during Prohibition. People keep using them because they make sense and they tend to work.

However, passwords on the Internet tend to be insecure. It’s not their fault, people simply use weak ones and reuse them across multiple accounts. This is understandable since the average user tends to have dozens of different accounts, and memorizing a unique, strong password for each isn’t feasible. There are solutions for this (like password managers), but people rely on their memory in many cases, putting passwords in a state of crisis.

The failure of several “password killers” means that they’re still around, so solutions have been developed to help. Two-factor authentication, for instance, requires a user to provide an additional factor (usually a one-time code) to authenticate to an account. Since an attacker would need both the password and this other factor to gain access, passwords become a bit less vulnerable.

The Types of 2FA

Two-factor authentication isn’t a “one size fits all” solution. Many different types of 2FA exist, and the effectiveness and convenience of the solution depends on the type used.

One of the most commonly used types of 2FA uses SMS messages. When you try to authenticate to a website, it sends a code to your phone that you need to type in. While this type of 2FA is better than nothing, it can be circumvented by attackers in a variety of different ways. One of the most commonly used methods is to perform a SIM-swapping attack, where a hacker walks into a branch of your cell phone provider and requests a new SIM card for your phone number. If they succeed, they now have control of your number and can receive your 2FA messages. This technique has been used to steal millions of dollars in cryptocurrency (like Bitcoin). There are also variations on this version like receiving a phone call with the code, but these are less common.

Another common version of 2FA uses email to send you your code. While this is better than SMS-based 2FA, it involves putting “all your eggs in one basket”. In most cases, the way to reset a forgotten password on an online account is by having an email link sent to you. If done properly, this password reset will also require a 2FA code. However, if an attacker has control of your email account (which is definitely possible due to the large number of recent data breaches and the fact that many people reuse passwords), they have everything that they need to take over your other accounts.

A third option for 2FA is using app-based authenticators like Authy, Duo, or Google Authenticator. With these apps, you connect the app to your account by scanning a QR code displayed on the website, and the app then generates 2FA codes for you whenever you need to authenticate in the future. Since no communication is required to generate these codes, they’re harder to intercept; however, this assumes that you haven’t lost your smartphone and/or that you have a decent lock code on it.

Finally, some companies create hardware-based security tokens like the RSA SecurID or the Yubikey. These devices can either generate a code for you or plug into your computer via a USB port. They may also require a PIN number or password to authenticate you. In general, these are considered the most secure version of 2FA, but even they aren’t perfect.

Crash of the Titan

Hardware-based security keys for two-factor authentication are generally some of the best 2FA solutions that you can get. Breaking into your account requires that the attacker gets physical access to the security key, which can be a lot harder than performing SIM hijacking or similar attacks. However, hardware security keys to aren’t always foolproof.

In July 2019, Google released the Titan security key, which can connect to your computer via USB or Bluetooth. However, they messed up the configuration of the Bluetooth protocol, allowing an attacker to perform a Man-in-the-Middle attack against the Titan. If an attacker is close enough to pick up the Bluetooth signal, they can intercept your one-time code before it reaches your computer, allowing them to login if they already know your password. While the need for Bluetooth limits the effectiveness of the attack (they need to be within 10 meters), it’s still insecure, leading Google to recall the affected keys and offer replacements.

Beyond 2FA

Two-factor authentication is a great idea and definitely helps to secure a variety of different online accounts. However, as the failure of Google’s Titan demonstrates, even the best 2FA schemes can fail. As a result, organizations need to be prepared to detect and prevent unauthorized “legitimate” logins.

Data protection solutions exist for protecting against attackers with access to valid credentials.

Using behavioral analysis, they can detect when a user deviates from normal, benign behavior, which can indicate an attacker or risky user. Deploying these solutions is a great way for organizations to protect their sensitive data and comply with hard new privacy regulations like the EU’s GDPR.