Protect Your Accounts With Two-Factor Authentication (2FA)
Wednesday, Oct 14, 2020 by Ian Lim
Many years ago I had a friend’s email hacked and started getting bogus emails stating that they were stuck in a foreign country and needed cash sent to them as soon as possible. This got me thinking; access to my email alone would allow access to sensitive information, which as a flow-on from my emails gives them access to other websites. Indirectly password resets to the email address for other non-Google applications or sites could be performed, as well as the ability to gain access to applications that use your Google account as a “passthrough” login for that application. A bit scary really.
That’s when I really became aware of 2 Factor Authentication (2FA). 2FA security works on 2 things: something you know — your username and password — and something you have — generally a passcode that is sent to an associated email account, an SMS to an associated mobile device number, or an app on your device with a time-sensitive authenticator app loaded on it.
An app generates a real-time, time-sensitive code for you to enter based on your account. The system is very similar to the more commercial- and business-related RSA tokens that many enterprise businesses use for their 2 step authentication. It will allow you to create codes for multiple accounts, apps, and websites, some of the most popular being Google Accounts, Microsoft Accounts, Paypal, Dropbox, Evernote, Twitter, and Reddit.
The authenticator creates a 6-digit code that changes every 30 seconds so even if your password is compromised the would-be thief still requires to get hold of your phone and authenticator to finally hijack your account. Even keyloggers will only be able to grab your username and password, but not your code as the verification code you enter will only be valid for 30 seconds at any point in time.
There’s a number of authenticator out there including Microsoft and Google versions however my personal choice is Authy as it has a number of advantages over the other offerings (such as easily run on multiple devices and easily transferred to a new device if you retire your old one).
It might sound like a pain to have to enter a code every time you log into a site but many websites or apps will let you either stay confirmed for 30 days or longer if you use the same device. However every time someone (including yourself) accesses the site on a new device or from a new web browser, you will be challenged for a new authentication code.
On a public machine make sure you DON’T use the multiday/remember device option, then the next time someone logons on to that machine even if they go through the history and find your account, your username, and password, they’ll be challenged to enter another current verification code. Something they won’t have access too.
As a good example, I use GL.iNet Goodcloud to manage a number of devices. Imagine if a hacker got access to my Goodcloud username and password and could manage and manipulate my devices. Luckily the site supports 2FA.
Here’s the initial login screen; something I know — my username and password.
Now it wants something I have: a 2FA code from my authenticator app on my device linked to my Goodcloud account.
And here’s that something: my Authy authenticator application (desktop version) supplies me with a 30-second valid code (Note: the above code is only valid for the next 15 seconds). It’s worth noting my Authy app is fingerprint protected as well.
Get it wrong or not within the 30-second validity time limit and you (or a hacker) won’t get in.
The Authy code changes 15 seconds later So this would be code I’d have to enter if I got it wrong the first attempt or outside the time limit.
Get it right: I’m into Goodcloud.
So remember just as important as protecting the transmission of your data using things like VPNs, actually protecting access to your accounts, apps, and other information is just as, if not more important.
If you have the ability to protect your accounts with some form of 2FA, whether email, SMS, or an application make use of it. That next layer of protection might just protect your data or even just make the hacker move along to the next easier to hack (non-protected) account.
It may be a little more work in setting up and using however for me, it’s well worth the extra time to have that additional layer of comfort.
About GL.iNet
We are a leading developer of OpenWRT pre-installed wireless routers and world-class solution providers, offering quality services of smart cities, data privacy protection, and enterprise IoT. We partner with like-minded companies around the globe to provide phenomenal products and services. We aim to build a smarter lifestyle. For more information, visit gl-inet.com, or connect with GL.iNet on Facebook, Twitter, and GL.iNet’s Blog.
