Take it to eleven with two factor authentication (2FA)

In a prior post I talked about how you need to up your game in terms of password management. In this post I will talk about taking the management of your online identities to the next level. I’m not going to dance around on this issue – in addition to a solid password, you really should be using two factor authentication whenever possible.

The next level of sophistication in password management is called “two factor authentication” (referred to hereafter as 2FA). This essentially requires a password as your first line of security, and then an additional and unrelated level of authentication, in order to access a web site or resource.

Some common examples of 2FA include, in roughly ascending order of security:

  • Security questions (example: what was your high school mascot?)
  • Sending an email to you with a one-time use code.
  • Sending a text message to your cell phone with a one-time use code.
  • A code generator application.
  • Voice recognition / face recognition

The security question method has been around for several years. The weakness of this system is that there are a limited number of questions in the world, and these types of questions are easily “socially engineered”. For example, “what was your high school mascot?” adds a false sense of security, given that this information can be reverse engineered for most people with a profile on LinkedIn, Facebook, and other social networking web sites. In addition, if you reuse the same question and answer combinations across sites, and those become compromised, you are vulnerable everywhere they are used and may not even realize it.

The email method has numerous weaknesses, including but not limited to the fact that email is itself fairly insecure. Many hacks start with taking over an email account, and then doing password resets (which send the reset to the email address of record). If you lose control of your email account, it can be a chaotic process to get control back.

The use of text messages to cell phones has become popular as a means of 2FA. Please know that there is a risk associated with this. Cell phone accounts have a number of vulnerabilities, the most serious of which is called a “cellphone hijack”. In this scenario, someone uses social engineering to take over your cell phone number, and then uses the text-message 2FA codes to access your accounts. (The hack goes something like this: the hijacker calls your cell carrier to say “I lost my cell phone, and I’m desperate, can you transfer my cell number to my new phone?”)

The most secure / widely used method of 2FA is the code-generating application. This is sometimes in the form of a small device you carry with you (companies like RSA SecurID and Symantec VIP Access have been providing this service to corporations for years). This is sometimes in the form of a proprietary application that is tied only to that one service – for example Yahoo Mail, GMail, and Facebook all have authentication applications tied directly to their service. There are also multipurpose applications that will enable you to use 2FA across a wide spectrum of services. Two of the most widely used examples of this are Google Authenticator and Authy (although there are numerous others). The basic premise is that a short code is generated (and constantly recycled, typically every 30 seconds) from a secret shared only between you and the service, so the code is unique to you and your device. It is much harder to hijack this type of 2FA.

There is a 1984 movie called “This is Spinal Tap”. It was one of the first “spoof documentaries”, and chronicled a hard rock band. There is a memorable scene in which one of the lead characters discusses the amplifiers that they use, which have a unique feature: volume knobs that go to 11 instead of the normal 10. I realize that it’s a goofy clip, from a goofy movie. What I’m hoping is that the reference is just memorable enough to drive home this one idea: it is time for you to up the level of your online security. It is time to take it to eleven with 2FA.