Friday, April 25, 2014

What's 2fa and Why Should I Care?

There's been lots of recent publicity dealing with personal online security, and with good reason: if a multi-million dollar organization in 49 states can get hacked by a relatively minor breach involving an HVAC contractor, you can get hacked too. We hear stuff every week about people whose identity has been stolen, and how "you should change your password!" 

The problem is that passwords can be guessed (the two most common passwords are "123456" and the word "password"). Even if you have a complex password, determined hackers can break into your accounts if they have enough time and energy to do it, and they especially will if they believe it will be profitable for them.

The key for hackers is to use a repeatable task to break in: if the system they use on one victim succeeds, they'll try using that same system on other victims. They'll keep doing that until they get blocked -- and then they'll try something else, and if it's successful, they're back in business.

So what can we do to make sure we're secure? How can we prevent hackers from breaching our security? What stumbling blocks can we put in their way? How can we make our access credentials less predictable?

I suggest we inject something that isn't predictable and can't be duplicated: two-factor authentication (or 2fa). If you work for or with a large or even mid-size corporation, chances are you have been given a remote access privilege to permit logging on when you're away from the office, and you may have a small keyfob that generates a random six-digit number that you have to enter following a PIN or password.

This level of sophistication isn't limited to high-buck companies; you can personally use this relatively simple method of making sure people can't use your logon IDs and passwords to get into your personal accounts. 

The "two factors" used are most commonly something you know (information - in this case, your logon ID and password) and something you have (some sort of technology that permits a specialized key to be used to validate your identity). In my case, I use my iPhone (most smart phones, and even some not-so-smart phones, will permit this) to provide info I can use to log into Google, the bank, brokerages, social sites (LinkedIn, Twitter), Evernote, Apple, etc. 

For example, here's how it works with Google: On the login screen, I enter my logon ID (paul.higby) and my password (JiminyCricketTh!sIsALongPa$$word!), and click "Sign in." Google then flashes a screen asking for the verification code generated by my mobile app. So on my iPhone, I open the Google Authenticator app and enter the 6-digit code I see on the screen. The code changes every 30 seconds, so if I wait too long to enter the number, Google won't let me login. I enter the number and click "Verify," and I'm in.

Much the same for my Outlook-dot-com account, except I use a different app (SM Accounts) to generate the password. For E*Trade, I use the Symantec VIP Access app. There are other apps; and in some cases, instead of relying on a mobile app, the website will send an SMS text with a 4- or 6-digit code (Apple, my bank, and LinkedIn, among others, do this).

Two-factor authentication is quite probably the simplest and most effective method for preventing unauthorized access to your accounts, and likely is one of the easiest methods for preventing identity theft. Head over to twofactorauth.org to see if your accounts support this, and participate in their campaign to persuade every company that's online to make it available.
