Written by Mark Evilsizor
In September of last year, Yahoo disclosed that information was stolen from 500 million users of their site in 2014. Then, in December, they announced the discovery of 1 billion sets of credentials stolen back in 2013. This means that if you currently have or have had a Yahoo account, your information was likely available to the bad guys for three to four years before anyone noticed. With access to your preferred email system, a criminal could use other websites’ “Forgot Your Password?” feature to take control of more of your accounts, like banking, retail vendors, or social media. And if you use the same password in multiple places, you really make it easy. It’s as if a key to your house was duplicated and handed out to anyone who wants one—and the same key works on your car, church, and office.
So what can you do? Varying passwords is a good start, but there is a remedy that can dramatically improve security by making a password useless in anyone else’s hands. It’s called Two-Factor Authentication (2FA).
2FA sounds intimidating, so let’s start by explaining what it is. To gain access to something which is locked or blocked usually requires one of three things:
- Something you have – like the key to your house;
- Something you know – like a password to a website; or
- Something you are or that is a part of you – like your fingerprint.
2FA requires that two types of credentials from the list above be available to provide access. In other words, a password alone will not open the door to your email account. The requirement of providing two types of keys to get into your account adds a bit of inconvenience, like having a regular lock and a deadbolt on your front door. It takes a little longer to unlock both mechanisms, but it makes your house more difficult to get into. Think of the security provided by 2FA as much more effective than having two locks on your door. It’s like adding steel bars to the doors and windows of your house. If you lose your keys and a bad guy finds them, he still cannot get in because the steel bars are impenetrable without a second key.
2FA mechanisms vary from site to site, so let’s look at an example of how it works in a particular application like Gmail. Begin by going to https://myaccount.google.com and click on Sign In and Security. Next, click on Signing in to Google in the left-hand pane list of options. Now, click on the 2-Step Verification setting in the main part of the page.
At this point, you have several options from which to choose for your second lock type, and Google will walk you through the setup. One option is to have Google text your phone, or call you, with a code which you must enter in addition to your password. If you choose this option, you will first provide your phone number and verify that it is trusted. Another option is a physical security key. This looks like a typical memory stick and is plugged into the USB port of the computer you use to access the account. Another option is to download a phone app called Authy. Once registered, the app generates a new random number every 20 seconds. After you type your password into Gmail, you run the app and type the number displayed into Google. To prevent this second step from becoming burdensome, you may choose to trust certain computer/browser combinations, so that once you have signed in with both types of credentials, you will not need to use the second factor again on that device. On your home PC or phone, this means you will not be asked for the second step each time. But if a criminal tries to use your password on another computer, the second credential would be required, and without it access would be denied.
Just as we have different levels of locks on our homes, cars, bicycles, or safety deposit boxes, we may choose different degrees of security for the websites we interact with based on the value of what is being protected. So consider the option of 2FA, and use it where it makes sense. A breach of your personal financial information by a hacker could create problems that will take weeks or months to fix. Consider taking a few minutes to set up this simple system to save yourself the grief.
Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Views and opinions expressed are strictly his own.