Take it to eleven with two factor authentication (2FA)


In a prior post I talked about how you need to up your game in terms of password management. In this post I will talk about taking the management of your online identities to the next level.

I’m not going to dance around on this issue – in addition to a solid password management strategy, you really should be using two-factor authentication (2FA) whenever possible. (You may also see the term U2F; that is the name of a specific standard for hardware security keys, not another name for 2FA in general.) This essentially means that in order to access a resource (such as your email or a web site) the “first” factor is your password, and an additional, unrelated method is the “second” factor.

Some common examples of 2FA include, in roughly ascending order of security:

  • Security questions (example: what was your high school mascot?)
  • Sending an email to you with a one-time use code.
  • Sending a text message to your cell phone with a one-time use code.
  • A code generator application or hardware token.
  • Voice recognition / face recognition

The security question method has been around for several years. Strictly speaking it is not a second factor at all: a password and a security question are both “something you know”, so a second secret of the same kind adds little. The weakness of this system is that there are a limited number of questions in the world, and the answers are easily “socially engineered”. For example, “what was your high school mascot?” adds a false sense of security given that this information can be looked up for most people with a profile on LinkedIn, Facebook, and other social networking web sites. In addition, if you reuse the same question and answer combinations across sites, and one of those sites is compromised, you are vulnerable everywhere else and may not even realize it. (One idea that a friend of mine employs is to use fake personal data, including his birth date, where he went to school, and a whole host of fake questions and answers. He has a good time celebrating his “fake birthday” every year, but I’m honestly not sure how he keeps track of all that information. A password manager’s notes field is one place to keep it.)

The email method has numerous weaknesses, including but not limited to the fact that email is itself fairly insecure. Many hacks start with taking over an email account and then requesting password resets on other services (which send the reset link to the email address of record), so an email-based second factor protects nothing once the mailbox is gone. If you lose control of your email account, it can be a chaotic process to get control back.

The use of text messages to cell phones has become popular as a means of 2FA. Please know that there is a risk associated with this. Cell phone accounts have a number of vulnerabilities, the most serious of which is called a “cellphone hijack” (also known as a SIM swap or port-out scam). In this scenario, someone uses social engineering against your carrier to move your phone number to a device they control, and then receives your 2FA codes and uses them to access your accounts. SMS is still far better than no second factor, but it should not be your first choice where a stronger option is offered.

The most secure of the widely used methods of 2FA is the code-generating application or token. This is sometimes in the form of a small device you carry with you (companies like RSA, with SecurID, and Symantec, with VIP Access, have been providing this service to corporations for years). This is sometimes in the form of a proprietary application that is tied only to that one service – for example Yahoo!, Gmail, Salesforce, and Facebook all have authentication applications tied directly to their service. There are also multipurpose applications that will enable you to use 2FA across a wide spectrum of services. Two of the most widely used examples of this are Google Authenticator and Authy (although there are numerous others). The basic premise is that when you enroll, the service and your device agree on a secret (usually delivered as a QR code); the device then combines that secret with the current time to produce a short code that changes every 30 seconds or so. Nothing is sent over the phone network, so a SIM swap does not help an attacker, and a code that is stolen expires within a minute. It is much harder to hijack this type of 2FA, although a code can still be phished if you type it into a fake site while it is valid, so the password manager habit of checking the site address still matters.

There is a 1984 movie called “This is Spinal Tap”. It was one of the first “spoof documentaries”, and chronicled a hard rock band. There is a memorable scene in which one of the lead characters discusses the amplifiers that they use, which have a unique feature: volume knobs that go to 11 instead of the normal 10.

I realize that it is a goofy clip, from a goofy movie. What I’m hoping is that the reference is just memorable enough to drive home this one idea: it is time for you to up the level of your online security. It is time to take it to eleven with 2FA.