How secure is your online life?
I’m going to start this post with a simple exercise. First, make a rough count of how many online accounts you have that require a password. Next, make a note of roughly how many unique passwords you use across these accounts.
I’m going to hazard a wild guess here, and assume that your second number is smaller than the first number. In fact, there is a high probability that the second number is very close to one – which is something to be concerned about.
Why does this matter?
If someone manages to get hold of one of your passwords, either as a result of a security breach, or because you wrote it down on a now lost piece of paper, then they suddenly hold the key to large chunks of your online world.
And once one door opens, getting into the other doors suddenly becomes a lot easier, particularly if the passwords are the same. But even if they aren’t – say someone has access to your Facebook account, for example – then they have all kinds of information on you that they can use to socially engineer their way into your other accounts. And before you know it the whole castle has come crumbling down.
What can you do about it?
There are two things you can do about preventing this. The first is called two factor authentication, and is what today’s post is all about.
The second is to use a password management tool, and is covered in this post on creating better passwords. My favourite option of those is LastPass, which supports two factor authentication, allowing you to lock your online life up tighter than a lid on a delicious jar of jam.
What is two factor authentication?
Authentication means proving that you are who you say you are, and there are a variety of ways you can do this. One way is with something you “know”. If you’re standing in front of Aladdin’s cave for example, and you “know” the passphrase is “Open Sesame”, then a single factor authentication system is going to let you in with just that information.
But what if someone else also knew that “Open Sesame” was the password? Suddenly the system isn’t so secure, revolving as it does around one piece of information.
Maybe the cave also needs a nice big unpickable padlock, and a unique key to let you in. Now to get in you need to “know” something, the password, and also to “have” something, in this case a key. This is two factor authentication, a system that relies on more than one authentication method before it will let you in.
How to enable two factor authentication
The major hurdle to two factor authentication adoption in the past has been that it required you to carry something physical on your person – the “key” to the cave.
If you use internet banking, your bank may have already issued you with some funky dongle to enable access to your account. Which is wonderful, but who wants to carry a dongle specific to each account? No-one, that’s who. It’s a sub-optimal solution, particularly when travelling.
Luckily, the industry has come up with a more elegant solution, involving a piece of technology that you likely already own and carry around with you everywhere you go. I am, of course, talking about your phone, which these days, is more likely than not to be of the “smart” variety.
Because as well as doing all kinds of other funky stuff, your phone is more than capable of operating as the main part of the two factor authentication puzzle. This can either be by receiving a code via text message, or by running a time based code generation application.
Authentication via text message
SMS based authentication works as follows. You go to log in to your account. You provide your username and password. The system then sends a one-off code to your phone via SMS, and you enter the code to log in. And presto, the system knows that you are either who you say you are, or someone has managed to both steal your password *and* your phone. Which is somewhat more unlikely.
The problem with this approach is that it requires you to have registered a phone number with your account, and if you’re travelling, maybe you don’t have signal where you are. Or maybe you keep changing SIM cards, and your phone number isn’t reliably the same. So whilst this works, even on “dumb” phones, it’s not ideal for traveller types amongst you. And this being a tech site aimed at travellers, that probably includes you.
Authentication via smartphone application
A better travelling solution, if you have a smartphone running something like iOS, Android or Windows Phone, is to install an application that generates time based codes for you. You link this application to each online account that supports this functionality, and instead of receiving a text message when you log in, you are asked to enter the code your phone application generates.
This has the advantage of not requiring a cellular connection, and works entirely offline. You will also be issued with emergency codes that you can print out and keep somewhere safe, for use if you lose your phone.
Additionally, you can usually mark a device as “trusted”, so you don’t need to enter the code every time you log in, only when you log in from an unrecognised device.
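To show what is going on inside that phone application, here is an added example (not code from this post or from any of the services listed below) of the time based one-time password scheme most such apps implement, RFC 6238 TOTP built on RFC 4226 HOTP. It also shows how a site can verify a code while tolerating a little clock drift, and a hypothetical way of issuing and redeeming the one-time emergency codes mentioned above. The shared secret below is the RFC test-vector secret; all other names and values are this example’s own assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def totp_now(secret: bytes) -> str:
    """The code the phone app would display right now (no network needed, only a clock)."""
    return totp(secret, int(time.time()))


def secret_from_base32(text: str) -> bytes:
    """Setup QR codes carry the secret as base32; decode it the way an authenticator app does."""
    padded = text.replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring steps so a
    phone whose clock is slightly off still works. Compare in constant time so the check
    itself leaks nothing about the digits."""
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


# Hypothetical emergency-code handling, modelled on the printable backup codes the post
# mentions: the user keeps the plaintext codes, the site stores only hashes, and each code
# works exactly once.
def generate_backup_codes(count: int = 10) -> tuple[list[str], set[str]]:
    codes = [secrets.token_hex(4) for _ in range(count)]  # 8 hex chars each, random
    stored_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored_hashes


def redeem_backup_code(stored_hashes: set[str], code: str) -> bool:
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.remove(digest)  # one-time use: a reused code is rejected
        return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret, ASCII "12345678901234567890"
    SECRET = b"12345678901234567890"
    print("code at t=59:", totp(SECRET, 59))          # 287082 per the RFC vectors
    print("code right now:", totp_now(SECRET))
    print("accepted with drift:", verify_totp(SECRET, totp(SECRET, 59), at=89))
    codes, store = generate_backup_codes(3)
    print("first use:", redeem_backup_code(store, codes[0]))
    print("second use:", redeem_backup_code(store, codes[0]))
```

The verification window is the practical trade-off: a wider window is kinder to phones with drifting clocks but gives a guessed code more chances to match, which is why real services keep it to a step or two and rate-limit attempts. A production site would also store backup-code hashes with a slow password hash rather than plain SHA-256.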
Which accounts support two factor authentication?
Two factor authentication is becoming more and more popular (a good thing), so the following list is likely to start going out of date fairly quickly. At the time of writing though, some of the major places that support one of the two types of two factor authentication explained above include:
Google – information page
Dropbox – information page
Facebook – information page
LastPass – information page
Amazon Web Services – information page
Yahoo! Mail – information page
WordPress – information page for plugin
DreamHost – information page
Drupal – information page
This list is not exhaustive, and I can very much recommend that you find out which of your online accounts lets you use two factor authentication, then enable it. The hassle is very minimal, but the added security is invaluable.
So that’s it on two factor authentication. You may be tempted to bookmark this post, and come back to it later. Or, you’ll be like I was, and assume you’re not likely to be affected by this sort of thing. Until one of your accounts gets compromised, as happened to me, and then you’ll spend a *lot* more time trying to sort it out than you would have done if you’d just done it now. Take half an hour, and set it all up now. I promise you it will be worth it!