Practical Computer Advice
from Martin Kadansky
Volume 14 Issue 7, July 2020
Two-Factor Authentication: Improve Your Online Account Security, Decrease Your Convenience
In order to sign into an online account, you generally have to enter a username and a password. You may also be asked additional "security questions" when you sign in, or if you forget your password and start the process of resetting it.
Unfortunately, passwords can be guessed, stolen, or compromised in other ways, especially if you're in the habit of using the same (or similar) passwords for many of your accounts.
One technique that tries to address this security problem is called "two-factor authentication" (often abbreviated as "2FA"), and sometimes also known as "two-step verification." Many online companies offer this as a sign-in option, including Amazon, Apple, Facebook, Google, Instagram, Microsoft, PayPal, Twitter, Yahoo, and probably your email provider, bank and credit card accounts as well. Some companies require it for all users.
When you sign into an account that has this feature, you typically start by entering your username and password. The website then asks you to complete one or more additional steps to prove that you are authorized to get into that account. For example:
- The server might send you a randomly-generated, one-time verification code (via text message, email, voice call, or a special app on your smartphone or tablet), which you must then type into that sign-in screen. That code might be a sequence of digits or other characters, it can be used only once, and it expires after a short period: a code generated by an authenticator app usually changes every 30 seconds, while a code sent by text message or email is typically good for somewhere between a few minutes and half an hour.
- You might be asked to type in the answer to a security question.
- You might have to scan your fingerprint or retina or iris or face (for example, using the camera in your computer, iPhone, iPad, or Android), or submit a sample of your voice (using a microphone).
- Your physical location (as reported by the GPS chip in your cell phone) might be required to confirm that you're in the correct room or building to be permitted access.
- For company or government access requiring very high security, you might be required to carry a special handheld device that displays a password that changes every 60 seconds for you to type in, or a security key that plugs into a USB port on your computer to provide authorization.
For many of these methods to work, you need to prepare in advance, for example by providing your cell or landline phone number, a primary or secondary email address, your fingerprint, or a sample of your voice, or by installing a free app on your smartphone or tablet.
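To show what goes on behind the scenes with those codes, here is a small worked example. It is added here to illustrate the mechanism; it is not code from this newsletter or from any of the companies mentioned above. The app-style code is the standard "TOTP" algorithm (RFC 6238), and the secret used is the published test secret from that standard rather than a real account secret, so the numbers can be checked against the RFC. The same routine with a 60-second step is what the handheld token in the last bullet does; the "delivered code" class models the code a site texts or emails you, with the expiry and single-use rule described above.

```python
# Added illustration, not code from the newsletter: how one-time sign-in codes
# are produced and checked. The secret below is the RFC 6238 test secret
# ("12345678901234567890" in base32), used here only so the numbers are reproducible.
import base64
import hashlib
import hmac
import secrets
import struct

# A real service generates a random secret per account and shows it once as a
# QR code when you enrol your phone; the app and the server both keep a copy.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # "dynamic truncation"
    code_int = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Authenticator-app code: the counter is the number of `step`-second
    intervals since 1970, so the code changes every 30 s (pass step=60 for
    the 60-second hardware tokens mentioned above)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server side: accept a code if it matches the current interval or one on
    either side (tolerates a slightly wrong phone clock), and never accept the
    same interval twice (a captured code cannot be replayed)."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.last_counter = -1       # highest interval already redeemed

    def verify(self, code: str, now: int) -> bool:
        counter_now = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = counter_now + delta
            if counter <= self.last_counter:
                continue             # already used, or older than a used code
            expected = totp(self.secret_b32, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


class DeliveredCode:
    """A code the server sends by text or email: random, single-use, and only
    valid for `lifetime` seconds after it was issued."""

    def __init__(self, issued_at: int, lifetime: int = 600, digits: int = 6):
        self.code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.expires_at = issued_at + lifetime
        self.used = False

    def redeem(self, attempt: str, now: int) -> bool:
        if self.used or now > self.expires_at:
            return False             # late text message, or a second attempt
        if not hmac.compare_digest(self.code, attempt):
            return False
        self.used = True
        return True


if __name__ == "__main__":
    # Reproduces the RFC 6238 vectors: "287082" at t=59, "081804" at t=1111111109.
    print(totp(DEMO_SECRET_B32, 59), totp(DEMO_SECRET_B32, 1111111109))
    v = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 1111111109)
    print(v.verify(code, 1111111109 + 25))   # True: 25 s late is still inside the window
    print(v.verify(code, 1111111109 + 25))   # False: the same code a second time
```

Two details matter for the "pros and cons" further down: the verifier deliberately allows one interval of slack on either side, which is why a code typed a few seconds late still works, and it refuses an interval it has already redeemed, which is why typing the same code twice fails even though it "looks" current.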
Some articles on this topic consider the phrases "two-factor authentication" and "two-step verification" to be equivalent; others distinguish between them as follows:
- Two-factor authentication: You are required to perform the extra steps every time you sign in.
- Two-step verification: After you perform the extra steps and sign in, you get the option to have the server "remember" or "trust" your computer or device so you don't have to do those extra steps again. Some servers require you to re-authorize after a specific period of time, for example, every 3 months.
Pros and cons
There are a number of trade-offs to using this type of extra sign-in validation.
- Increased security: If an unauthorized person has discovered your password (or correctly guessed it, or tricked you into revealing it, etc.), 2FA will make it more difficult for them to sign into your account.
- Protection from hackers: 2FA can block malicious hackers who have guessed your password using techniques like brute-force and dictionary attacks, because the password alone is no longer enough to sign in.
- Decreased liability: Activating 2FA to protect a given account may be important, especially if someone breaking into that account may put information about your clients or customers at risk.
- Discounts: Some paid online services give you a discount if you activate 2FA, including MailChimp.
- Decreased convenience and efficiency: 2FA can make it more difficult and time-consuming for you to sign in.
- Email program stops working: Depending on which email service you use, turning on 2FA may require you to generate an "application-specific password" (a separate password the service issues for programs that can't perform the extra step) and use that instead of your regular password in your email program.
- False sense of security: A hacker with the expertise to (for example) intercept your text messages, persuade your cell carrier to move your number to a phone they control, or access your email account could perform those extra steps and gain access to your account anyway, despite the extra 2FA protection. A fake sign-in page can also pass your password and your code along to the real site while the code is still valid, so treat 2FA as an extra hurdle, not a guarantee.
- Locked out for no access to cell or email: You might not be able to get the code sent to you (for example) in a text message sent to your cell phone for any number of reasons, including your battery running down, no signal, you misplaced your phone, etc. Similarly, if you can't sign into your alternate email account (perhaps you forgot the password, or you don't have access for some other reason), then you won't be able to enter an authorization code sent to that address.
- Locked out because of biometric failure: A scan of your finger might not match your fingerprint on file for any number of reasons, including a cut or abrasion, hand lotion, dry skin, etc.
- Server breach: Anything stored on a server can be stolen, including passwords, answers to security questions, stored fingerprints, the secrets used to generate app codes, and the actual information stored in your account.
- Inexplicable failure: You could do everything right and the process might still fail, e.g., you get a security code via text message, promptly type it into the sign-in screen, and the server still rejects it as invalid. Common causes are a text message that arrived after its code had already expired, a code that had already been used once, or (for app-generated codes) a phone clock that is off by more than the server tolerates.
- Getting help: 2FA can also make it more complicated for computer support people to help you, or for you to give your bookkeeper access to your bank and credit card accounts.
Review your sign-in options
Because any of the lock-out problems above can keep you out of your own account, I strongly recommend that you perform the following test with each account on which you've set up 2FA:
- Begin the process of signing into the account using a computer.
- Pretend that your smartphone is unavailable (battery ran down, died, went missing, was stolen, has no signal, your cell number has changed, etc.), and then see what your other 2FA options are.
- In addition to the option to send you an authorization code via text message, do you have any other choices, e.g., can you get the code via email, a voice call to your landline, by answering some security questions, etc.?
- If so, that's great! However, if your only option is to use your smartphone (check your account's security or sign-in settings to be sure), consider the risk to you of being locked out of that account. Before giving up on 2FA, check whether the account lets you add a second phone number or email address, or print a set of one-time backup codes to keep somewhere safe; either removes the single point of failure while keeping the protection. If the risk is still unacceptable, then turn off that account's two-factor authentication.
Avoid getting locked out: Keep your 2FA contact information up-to-date
Some two-factor authentication methods rely on being able to send a code to you, so it's important to keep your 2FA-related contact information up-to-date in those online accounts' security settings. This is important if, for example:
- Your cell phone number changes,
- You close (or stop using) an email account, or
- Your home or office landline number changes.
I also recommend that you keep track in your own records of which of your online accounts use 2FA, and what contact information they each use to send you a code.
If you maintain a password chart or database, you could add any relevant 2FA-related notes to those accounts.
Then, if your contact information changes, you can promptly update the 2FA information in the affected online accounts.
Two-factor authentication requires you to use multiple (and hopefully independent) pieces of information or channels of communication when signing in to an account, providing a stronger basis for verifying who you are than just typing in a simple password.
While 2FA is a useful and important security choice, no technology works perfectly all of the time.
Where to go from here
How to contact me:
phone: (617) 484-6657
On a regular basis I write about real issues faced by typical computer users. To subscribe to this newsletter, please send an email to firstname.lastname@example.org
and I'll add you to the list, or visit http://www.kadansky.com/newsletter
Did you miss a previous issue? You can find it in my newsletter archive: http://www.kadansky.com/newsletter
Your privacy is important to me. I do not share my newsletter mailing list with anyone else, nor do I rent it out.
Copyright (C) 2020 Kadansky Consulting, Inc. All rights reserved.
I love helping people learn how to use their computers better! Like a "computer driving instructor," I work 1-on-1 with small business owners and individuals to help them find a more productive and successful relationship with their computers and other high-tech gadgets.