Securely Logging In
All logins are not created equal, and they don’t all need to be. There are some places I visit on the web that don’t need a secure login, because they aren’t storing anything significant about me. I have a login for my RSS reader (if you want to know what an RSS reader is, check out my post here), but because there is no Personally Identifiable Information or financial information kept there, my login for that website doesn’t need to be all that difficult to crack. Someone may be able to find out what I read–*gasp*–the horror! Or even worse, they could cancel all my technology blog subscriptions and replace them with subscriptions for cat videos. But that’s really about the worst damage they could do there.
There are other places I really want to make sure nobody can get in and mess with stuff. My email, for example. If someone can get into my email, they can find out all kinds of stuff about me and send emails out with my name. My bank–I don’t even need to explain why that needs to be secure. You get the picture. If someone could harm or embarrass you with what’s there, you want a secure password. I did a post here on a password checkup, but today I want to tell you why you should opt for 2 Factor Authentication (2FA) if it is available.
What Is 2FA?
2 Factor Authentication is based on any combination of two out of the following three things: Something you KNOW, something you HAVE, and something you ARE.
A username/password combination is NOT 2FA, because those are both something you KNOW. Something you HAVE would be a smartcard with some sort of chip built in, or a hardware token, or a phone or email account. Something you ARE would be any part of you that is unique–fingerprint, iris scan, lip print, voice print.
Here are a few examples:
At my day job, we have a smartcard with our photograph on it, but what makes it a smartcard is that it has a chip embedded into it that contains information about us, a PIN that we select and code into the chip, and our encryption and signature certificates for email and digital signatures on documents. When we insert our smartcard into a card reader, the reader displays our name and presents a box where we type in our PIN, which must match the one coded into the card. The card is one factor, the PIN is another.
I have activated 2FA on the several things associated with my Google account. Instead of authenticating with just a password, now after I type in the password, Google sends an additional code to my phone in a text message to enter as well: something I know (password) and something I have (code sent to smartphone).
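The password-then-code flow above, seen from the website's side, as an added example that is not from this post and not Google's code. It assumes the password was already checked, and the `send` callable is a stand-in for whatever actually delivers the text message; the code is short-lived, single-use, and locked out after a handful of wrong guesses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import sha256

CODE_DIGITS = 6          # what the user types in from the text message
CODE_TTL_SECONDS = 300   # code is only good for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is thrown away


@dataclass
class PendingCode:
    digest: bytes        # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


def _digest(code: str) -> bytes:
    return sha256(code.encode()).digest()


class SecondFactorCodes:
    """Issue and check one-time codes for the step after the password."""

    def __init__(self, send, now=time.time):
        self._send = send        # send(user, code): delivers the code (hypothetical stand-in)
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # user -> PendingCode

    def issue(self, user: str) -> None:
        # Cryptographically random, zero-padded so every code has CODE_DIGITS digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(_digest(code), self._now() + CODE_TTL_SECONDS)
        self._send(user, code)

    def verify(self, user: str, submitted: str) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False                      # nothing issued, or already used up
        if self._now() > pending.expires_at:
            del self._pending[user]           # expired: user must request a new code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.digest, _digest(submitted))  # constant-time
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]           # single use, or locked out after too many guesses
        return ok
```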
So why wouldn’t this be the default?
Well, because it’s less convenient for the user, obviously, and it’s more expensive and complicated to implement. And it’s just not necessary, as I said before. Believe me, for anywhere that it doesn’t matter, I just don’t want to be bothered with another layer of security. But when it counts, I want it to count.
It takes some getting used to when you first start using the 2FA concept, but if you have it available, if it’s offered to you, go ahead and start using it if anything personal or financial is stored at that site. It’s not infallible, nothing is, but it’s another tool in your toolbox of security.