Two Steps are Better Than One: Make a Hacker’s Job Harder with Two-step Verification
Every day, life for many consumers has become more “digital” than before—this has made day-to-day tasks easier for many of us, but it also creates new challenges. From online banking to medical records, the need to protect our private, personal information is imperative.
Too often, the same password is used for multiple online accounts—for instance, you might log in to your online banking site with the same password you use for your personal email account. In the McAfee Digital Assets survey from earlier this year, 37% of people reported that they use the same password for multiple online accounts. Using identical passwords is convenient for us as users, but it’s also convenient for any hacker trying to steal personal information—once a hacker has access to one of your accounts, he can use a recycled password to snoop around at will.
Certainly, using more than one password and pass phrases that include a mix of upper and lower case letters, numbers and symbols and is at least ten characters in length goes a long way towards keeping malicious people at bay, but unfortunately, merely adding variety to your login information doesn’t guarantee security. In The Easiest Ways to Not Get Hacked, author Rebecca Greenfield included this chart showing just how much difference one character in length makes:
One of the most important accounts to keep secure is your primary email account—and here’s why: sooner or later, all of us have to use the “I forgot my password” option, which typically sends a password reset email. A whopping 79% of McAfee Digital Assets survey respondents said they’d used a “forgot password” button in the last six months. A hacker only needs to crack the password for your primary email account, and he’ll be able to access any of your other secure accounts simply by clicking the “forgot password” button when he sees it. This is what is known as a single point of failure, meaning it’s the one piece in any system that can bring down your whole system.
Establishing a separate email account for registration is one idea—in other words, your “I forgot my password” emails would all be sent to an account other than your primary email account. But even in that situation, there’s still only one password between a hacker and most of the data you want to keep out of a hacker’s hands—from financial accounts and bank access to your weekly grocery delivery service. So the real question, even if you’re savvy enough to have a separate email address for password rescue, is: how do you make any email account more secure?
Two-step verification (often referred to as two-factor authentication) is a system designed to give you an extra layer of security that’s easy to use and indispensible for commercial or highly sensitive accounts. Two-step verification protects your email with not only a password, but also by associating your account with a specific device or devices. A recent example of how this works comes from Google. In the case of Google’s two-step verification for Gmail accounts, a user simply re-authorizes the account every 30 days, by providing a numeric code that confirms the account.
The extra step and learning a new system of security sounds like an enormous hassle but Google has taken the pain out of the process by allowing you to obtain the code in one of three ways:
- Via text. You can have Google send you a text message containing the code.
- Via Smartphone App. You can download a free app that will generate a randomized code for at the time of sign in.
- Via landline. You can receive an automated voice message to a non-mobile phone that tells you the code.
This means that a hacker who wants to access your email account can only do so if he’s also got access to your text messages or your landline phone. It might not stop every cybercriminal, but it does make the average hacker’s job a lot harder.
This two-factor authentication, while not new, is making major inroads amongst websites, apps, and services that process critical information. Many corporations have used hardware-based secondary authentication codes for years, but Google and others (including Twitter) are working hard to make this enhanced authentication flow a more practical and accessible part of our working lives.
New biometric verification options, such as a retina or fingerprint scan, are also catching on among security-conscious consumers, and will likely be a feature on more devices in the future. As times change, and more sensitive information flows through these sites, we can be sure to see more of these processes put into place.