Saturday, May 29, 2021
Cybersecurity: 2FA or not 2FA? That’s the question…
 |
| Graphic courtesy of Marshall University IT Department |
Okay, you’ve learned how to spot fraudulent e-mail and text messages and have followed my advice about creating different, strong passwords for each of your online accounts. Now you can relax, knowing all your important information is safe and secure, right?
Wrong!
No matter how unguessable you think your password is or how careful you are about avoiding online scams, your credentials could still be stolen by hackers who target the companies who store those passwords. That’s why you need to further secure your important accounts by using something called Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
Doing this creates an extra step to prove your identity when you go to login to a website, device or application, by having you enter a second piece of information completely separate from your username or password.
Yes, this extra step may be inconvenient, but it provides an extra layer of security because the more time and hoops you make a hacker jump through, the more likely it is that he or she will just give up and move on to another victim whose account is easier to crack.
stop every attack. Frankly, that’s not possible. It should be to put so may barriers up between you and the hackers, that it’s simply not worth their time to victimize you.
So how exactly does all this work? And isn’t that second piece of information just as vulnerable to being stolen as a password?
No.
You see the way 2FA/MFA typically works is that the site or device you are trying to log in to either sends that second piece of information to another device in your possession or prompts you to enter information from an app you have on that second device. Either way, that information – usually a six-digit code – constantly changes and is only good for a few minutes. So even if a hacker manages to get ahold of the code, they can’t keep using it over and over again to gain your account like they could a stolen password.
Like all things, this method is not fool-proof, and there are ways around it even without direct access to your second device. But those methods are harder to do and hackers may decide it’s not worth the time and trouble and move on to someone else.
Currently, most people usually use their cell phone as that secondary device to setup multi-factor authentication, and that’s what I’d recommend doing if you have one. It’s more secure than having messages sent to an e-mail account which is easier to hack than a device you almost always have with you anyway.
If you decide to use your cell phone for this, I’d also recommend registering another mobile device -- if you can -- as a backup. This way if you lose your phone, you can have your cell phone provider help you remotely wipe it, disabling its ability to do MFA, yet still be able to authenticate with the other device.
There are several different ways MFA works. Here are the five most common ones:
‘Push’ Notification to a Mobile Device
With this method, the account that you are trying to log into will create a popup message on your cell phone or other mobile device notifying you that someone is trying to log in and ask you to either allow or deny the attempt.
It’s called a “push” notification because the website that’s being logged into initiates the communication and allows you to hit a big red or green button to either allow or deny the login right from that notification.
What makes this method so secure is that A) you get real-time notification when someone is trying to log in to your account and B) any bad guy trying hack into your account must have physical access to your mobile device to be able to log in.
The downside to this is not all websites that support MFA support push notifications which leads us to…
Text or SMS Notification
Similar to a push notification, the account that you are trying to log into will initiate communication, but this time, instead of giving you the yes/no option in a quick popup message, it will send you a text message with a six -or eight- digit code you will need to manually enter on the website’s login page to continue.
It has the same advantages of a push notification but does have the additional downside of having to manually enter a potentially long code from your phone.
Mobile App on your device
The third method, involves you having to download a mobile app such as Google Authenticator , Duo Mobile, Microsoft Authenticator or LastPass Authenticator. Each of these apps constantly generates changing codes based on an algorithm that only it and the site you are trying to login to know.
So when you go to login to that website, the website will only let you in if the code its algorithm creates matches the code the algorithm on your phone produced. Since the codes are set to change every minute or two, it’s extremely unlikely a cyber crook could guess that password in so short a time.
Again, the main advantage here is that the attacker has to have physical access to your mobile device, but does come with the disadvantage of not getting any real-time notifications should someone else try to log into your account.
If you don’t know which one of these apps to use, PC Magazine’s recent review of The Best Authenticator Apps for 2021 can help you decide. And don’t feel like you have to choose only one of them. I use two different ones on my phone without issue. (However, having only one does make things easier to manage).
Physical Token
Physical tokens are small key-chain sized devices that do exactly the same thing as the mobile apps. They were prevalent in the days before smart phones became ubiquitous and have the same advantages and disadvantages of those mobile apps. There are also versions that look like a USB thumb drive that plug into your computer and provide the second form of authentication automatically.
Email Code Method:
This method works similarly to the text/SMS code method except that the code is sent to an e-mail account that you told the website to use. This is perhaps the least secure method of them all, because cyber criminals do not need physical access to a device in your possession and assuming you haven’t secured this account with 2FA, only need to guess your password to get in.
Does it mean you should not use it?
As a primary authentication method, I’d advise against it, but it’s not bad to have it set up as a backup or third way to authenticate should your phone be unavailable. (Some sites allow you to set multiple ways to authenticate while others only allow one way, which is why it’s called either Two- or Multi- factor authentication.) Just be sure to make sure you have the strongest possible password on that account.
Setting up 2FA/MFA
How you set all this up will differ with each website you use. But the options you will need to configure will often be found on the settings page under either the security or login sections.
Here are two examples of how to access them in Facebook and Google:
FACEBOOK:
- Click on the account dropdown button next to your profile picture and from the dropdown menu and select the Settings and Privacy option.
- When the dropdown menu changes, click on the Settings option
- When the settings page loads, click on Security and Login on the left-hand rail and look for the Two-Factor Authentication section and switch it to ON to begin setting it up.
GOOGLE/GMAIL:
- Make sure you are logged into your Google or Gmail account, and click on the button that looks like checkerboard on the upper right of the page and from the dropdown pick menu that appears click the Account button.
- Click on the Security link in the left-hand rail, then scroll down the page until you come to the Signing in to Google section. Under that click on the arrow next to 2-step verification to begin setting it up.
