You’ve heard it before, but I’ll say it here again. The web, including your data, is under constant attack. Everywhere and all the time. Some of the attacks are automated and come from “robots,” while others are actual humans trying to break in. Failing to use two-factor authentication, wherever and whenever possible, will leave you exposed.

What exactly is two-factor authentication? Most services are simply one factor: enter your password and access is granted! Two-factor means you need two things. The first is something you know (i.e. a password) and the second is something you have (i.e. a smartphone, smart card, RSA key, etc.). Given today’s computing power, breaking a user or system administrator password has become all too easy. However, hackers have a much harder task breaking in through the second factor, or layer, of authentication.

So how can this help you? Well, luckily, many web services are beginning to offer two-factor authentication for login. Part of the problem, though, is that two-factor is still very much voluntary, meaning companies are not requiring that it be turned on. My opinion is that it should be on by default, with users given the option to opt out or turn it off if they want.

If you are a Gmail or Google Apps user, you can turn this on right now. Start by visiting (https://www.google.com/landing/2step/); you can use a text message, phone call, smartphone app or even a USB key for the second factor of authentication. The nice thing about this is that it will cover all of the other Google services you currently use, i.e. YouTube, Google Drive (Google+, anyone?).

If you use social media, some services offer this capability as well. Facebook is probably the most important one to secure, as many people share personal and private information there that hackers would love to harvest. Their system is called “Login Approvals,” and more info can be found at (https://www.facebook.com/note.php?note_id=10150172618258920).

Many folks also use a cloud storage provider, such as Dropbox. Because Dropbox is such a large and heavily targeted cloud storage provider, we recommend turning on two-factor if you store sensitive personal or business information in their cloud. Instructions on how to enable it are here: (https://www.dropbox.com/en/help/363)

Developers need to be mindful of this as well. Hackers and foreign entities are constantly looking to steal proprietary code. Fortunately, the widely used version control system GitHub already has this feature. More can be found at: (https://help.github.com/articles/about-two-factor-authentication/)

Oddly, I still see a lack of two-step verification in the financial services industry. You would think this would be one of the primary areas where this type of security is needed. Certainly some banks are starting to turn it on. For example, Bank of America uses a system called SafePass, which sends you a six-digit code by text message when you try to access your account (https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/safepass.go). However, there are still many big banks, as well as smaller community banks and credit unions, that desperately lack this kind of feature. Hopefully, this is an area that will be given more attention soon.

Another area in which we’d like to see more two-factor is content management and web hosting administration. I’ve yet to see many CMS systems (i.e. WordPress, Drupal, SharePoint) implement this kind of security. Even more so, web hosts need to enable this for their back-end administration. This would go a long way in preventing malicious website hacks and takeovers.

In any event, we highly recommend using this feature wherever possible. I know that it’s not the most convenient thing in the world to do, but this is the state of affairs when it comes to cybersecurity. If your system or web application doesn’t support it (it can certainly be expensive and complex to implement), then I suggest you strictly use very long and very strong passwords that a hacker would have a tough time brute-forcing. Side note: one prediction I have for the future is that many IoT devices will not use such strong security protocols, leaving thousands, if not millions, of real-world devices vulnerable.

If you would like to know more about how two-factor can be implemented in your organization, please don’t hesitate to contact us.