The increasing need for two factor authentication
April 16, 2014
One of the many takeaways from the Heartbleed bug is that username/password combinations are only as secure as the servers they are stored on. A mate of mine, Troy Hunt, runs a site called Have I been Pwned. Right now he has records of over 161 million accounts where the e-mail address/password combination has been stored in an account database that has been compromised and uploaded to somewhere on the internet. To find out if one of your accounts may have been compromised, you type in your e-mail address. If that e-mail address is in a compromised database, Troy’s site will tell you about it.
Two factor authentication is something that many sites offer, but few people enable. At its most basic, you can configure services like Twitter, Facebook, Hotmail, Gmail, or PayPal to require two factor authentication. In the case of twitter, it’s pretty basic – they send an SMS to your designated number with a code that you use to validate a sign-on. With Facebook, Hotmail, Gmail, and others you can use a single app where the app reads a QR code and then generates a new time dependent code every 30 seconds. You can use the same QR code to populate apps on other devices, so that in the event that you lose your phone, you can pull up the appropriate time dependent code on another device. The same QR code words on Android devices, Windows Phone, and iOS devices. It isn’t as though choosing two factor authentication locks you into a specific ecosystem.
The advantage of two factor authentication is that even if your password is “pwned”, the attacker doesn’t have the other part of the authentication (your mobile phone or your device) – meaning that you still retain sole access to the service and can rotate your password if noticed that the password database has been compromised.
Hopefully more services will adopt two factor authentication. If only because Heartbleed has made us aware that even with the best of preparation, the services we rely on can still be compromised.
If you haven’t enabled two factor authentication on all the important services you use with it, you know what you should be doing straight after you read this article.
About the Author
You May Also Like