Welcome to Episode 3, everyone. You’ve made it and I’m very proud of you. By now, if I’ve done my job properly, you’ve begun making small but meaningful changes in how you conduct yourself both on and offline with your technology. These changes will not only make you less of a target for hackers, but they will also empower you to help your friends and family protect themselves as well.
In fact, let’s quickly review what we learned in Episode 2:
- You’ve printed out and now follow “The Ten Commandments of Digital Security.” Yes, seriously: print them out. #NotJoking
- You’ve set up automated backups of your data over the internet and, perhaps, you’ve purchased an external hard drive to set up automated local backups.
- You’re no longer doing any kind of online banking or shopping using the Windows operating system.
I know: that last one is a real toughie.
Working these angles with regard to your digital lifestyle will not only help you understand just how easy it is to be hacked, it will also make you less of a target for hackers and — even better — protect and secure your data in the event of an emergency. That kind of knowledge should be enough to help most of us breathe a little easier at night.
Even experts like me make mistakes. On a flight back from our once-in-a-lifetime trip to Iceland, I accidentally deleted nearly every photo I took while visiting that country. I broke down in tears on the plane and my wife had to console me that, at least, we still had our memories. I was heartbroken. I’d made an awful mistake and now wouldn’t be able to share any of the country’s spectacular scenery with friends and family.
Good thing I’d followed my own advice.
Years ago, I made the decision to pay a yearly fee for automatic back-ups of my most important data over the internet. When we got back to the States, I suddenly remembered, logged into my account and there — safe and sound — were backups of all the photos that I’d snapped. One of them was this gem: a 20-foot-tall iceberg that had just flipped over and was now translucent:
So just remember: these skills I’m asking you to adopt can and will have real-world benefits, sooner or later. But most likely…sooner.
Without further ado, let’s jump right in.
When discussing computer security, tech experts use a term called “authentication.” Authentication is defined as proving an identity for the purpose of gaining access to something: a car or building, a computer or a website, to name a few examples. The concept is easy to understand if you think about real-world examples: to withdraw money from an ATM, you first need to provide your PIN; to enter the United States as a citizen, you first need to provide your passport; to be cleared to participate in the TSA pre-check program, you first need to provide your fingerprints.
These three examples represent the three different kinds of authentication:
- Something you know: a username and password
- Something you have: a house key, a passport, a cell phone, or a dongle
- Something you are: your fingerprints, retinal scan, or voice match
Being asked to enter a username/password combo to access a website is said to be a “single-factor” authentication request, because the request only challenges us one time to prove who we are. If you know — or if anyone else happens to know — your username/password combo, then access is granted.
“Two-factor” or “multi-factor” authentication means that access isn’t granted unless at least two different kinds of authentication are provided. I upgraded my email to use two-factor authentication. Because of that, if I want — or if anyone else happens to want — access to my email from any new computer or device, it now requires:
- entering my username/password combo
- then entering a six-digit security code that changes every 30 seconds.
Without knowing both of those data points, access to my email is locked. Can you see where I’m leading you? While it’s extremely easy to steal someone’s username/password, it’s far more difficult to discover a random and ever-changing string of numbers. That’s precisely why I’ve set up similar two-factor authentication guards for my Facebook, Twitter, Dropbox, Amazon, and Apple accounts.
If that sounds like it adds a lot of time or nuisance to my computing, rest assured: (a) it does not, and (b) it’s so important that I’m willing to spend a few extra seconds anyway. Here’s why:
By default, access to our most critical data — email, social media, Amazon Prime membership, Apple ID, file-sharing services, and much more — only requires single-factor authentication. That makes gaining unauthorized access to our data unacceptably easy. We can, and should, change that default.
Single-factor authentication is very easy to hack. Hackers know this and boy, they sure LOVE to target data that’s easy to access. One famous example is Mat Honan, a writer for WIRED magazine. In 2012, Honan’s Amazon, Gmail, AppleID, and Twitter accounts were all hacked. His Apple devices were remotely wiped and crucial data of his was destroyed, including gobs of photos and videos of his newborn child. In what must be the biggest lapse of all for a technology writer, Honan didn’t maintain regular backups, so that data was lost forever. His demise at the hands of his hacker was so complete that people in my line of work would say he was “pwned.”
The good news: there is a simple and elegant way to prevent what happened to Mat Honan from happening to us. It’s 100% free, only takes about an hour of our time and will protect us incredibly well from the most common forms of hacking.
How To Go “Multi”
When we add one or more additional security challenges to gain access to our most important devices or data, we make ourselves a far less desirable target for hackers. I’ll use myself as an example: even if hackers somehow discovered my Facebook username/password, they’d fail to gain access to my Facebook account. For that, they’d also need access to my cell phone, which runs an application that generates a random, six-digit security code every thirty seconds. Without that second factor of authentication, hacking my Facebook account becomes far harder.
You can and should do the same, so let’s learn how! Here are the ways to enable multi-factor authentication on most of the major vendors that we all like to use, starting with…
Apple offers 2-factor authentication capability for anyone with an AppleID account. As of iOS 10.3, when you sign in to a new (or newly updated) iOS device, Apple prompts you to enable 2-factor authentication on your device if you haven’t already, a nice touch. Apple’s notoriously too-easy-to-be-true directions can be found by clicking here. My advice: print out that page — you’ll want a hard copy of instructions as you follow along the process.
How it works: First, you’ll provide Apple with your cellphone number, which they’ll use to confirm your identity via a text or call. Once that cellphone is verified as belonging to you as a “trusted device,” it is synced with your AppleID account. Second, any trusted device — iPhones, iPads, Mac computers — can generate random, six-digit security codes. These codes are your two-factor authentication protection. Neat fact: the codes generate correctly, even if your iOS device or Mac doesn’t have internet connectivity.
To set up two-factor authentication via a Mac:
- Click on the Apple menu -> System Preferences -> iCloud -> Account Details -> Security tab
- Click the “Turn on Two-Factor Authentication” button as shown in the left image.
- Provide a number where you can receive a text/call.
- Re-enter your iCloud account password and then your Mac’s local user account name and password.
- A six-digit security code should be texted to you. Enter that into iCloud. Once established, your Mac should now show you something similar to the right image.
If you’d rather use an iPhone/iPad to turn on two-factor authentication, I’d recommend this excellent guide that has lots of neat pictures.
Once enabled, anytime you try to log into any of your Apple services, you’ll be met with multiple security challenges. Here’s an example: let’s say you really need to visit the AppleID website because you’re hankering for semi-blurry photos of attractive 20 and 30-something models. You’re greeted with the usual username/password login screen. Only now, after you’ve submitted your credentials, you’re greeted with a second challenge: a six-digit passcode request.
Because your cell phone is already set up as a trusted device, you’ll now be alerted on that device that someone is using your AppleID username and password. Apple even shows you a map in the alert, showing you WHERE on the planet that request originates. If you recognize the request, tap the “Allow” button and use the six-digit code provided on the next screen to log into the device or Apple website of your choice. The entire process adds ten seconds — if that — to your login process.
Obviously, if you live in London, England and you suddenly get a notification that someone in Portland, Oregon is trying to use your Apple ID account, tap the “Don’t Allow” button and prevent that hacker from gaining entry into your private affairs! If this happens, it’s a warning that your account has been partially compromised: immediately change your AppleID password and notify Apple.
“Well, OK, fancypants,” you say. “But what if I’ve only got my cell phone with me and not my computer?! How does two-factor authentication work then?!?” Not a problem! Remember: any “trusted device” can provide your two-factor authentication security code. Remember that the first thing I asked you to do was to make your cell phone a trusted device with Apple? Now you know why: so you can use that same cell phone to provide your security codes!
The Great Authenticator
As a huge fan of Apple, I continue to be baffled as to why they insist on re-inventing the wheel, literally: circular hockey-puck mouse anyone? Apple never needed to invent its own two-factor authentication system, because a far better one already exists and pretty much every other company on the planet is using it.
Google’s Authenticator service is a more secure and certainly more flexible solution than Apple’s. First, it’s based on what’s called an “open-source” platform. That means that anyone can see the code, check its reliability and even help to make it a better product. Second, because it’s an open-source platform, many companies have already adopted the technology to provide multi-factor protection to their own users.
The problem is that Google’s own product — something they call Google Authenticator — isn’t very user friendly. I used it for years, but I’m a dweeb: I know how to set up and use this kind of stuff. I believe that you “normies” deserve a better solution. And I found one for you.
I use an app called Authy, which I believe is far superior. Unlike Google’s authenticator app, Authy gives me two amazing features: backing up my account information so it’s easily recoverable should I lose my primary device, and sharing my authenticator codes across multiple devices.
How it works: Visit Authy’s website and download their app to your Apple or Android phone or tablet. Once your account is set up, adding two-factor authentication to your websites simply requires locating a special barcode — called a “QR code” — that Authy can scan. Sound mysterious? It’s not, really: any website that offers this kind of technology provides you this QR barcode. You just need to know where to look and Authy has made that part simple: they’ve actually created how-to guides (with pictures!) for the most popular websites that use this technology. It couldn’t be easier. Authy even allows you to customize your buttons. As you can see below, I’ve chosen Facebook, Google and Dropbox icon buttons for those accounts in Authy, to help me recognize them. And adding a new account is as simple as pressing the “Add Account” button.
Let’s say, because you’re a very smart person, that you’ve decided to add two-factor authentication to your Amazon account. Good choice! You’ve diligently downloaded Authy to your cell phone, you’ve followed the simple instructions that Authy has provided to activate multi-factor authentication in your Amazon account and you’ve finalized Authy on your cell phone to protect that account.
The first time you use your computer (or any new device) to log in to your Amazon account, you’ll now be met with two security challenges. The first challenge, as you know, is providing an email address and password at Amazon’s login screen, as shown below, at left. Once entered correctly, you’ll now also be asked to provide a Two-Step Verification code, as shown below, at right. Open Authy on your cell phone, choose Amazon from the list of websites and enter the six-digit code Authy provides. Every 30 seconds, the Authy security code changes: they’ll even provide a countdown clock so you’ll know how much time you have left before the old code becomes invalid and is replaced by a new one.
My advice: don’t click the “Don’t ask for codes on this device” checkbox. It tells Amazon to stop challenging that device for a code in the future, so two-factor authentication no longer protects logins from it. That’s the opposite of what we’re trying to accomplish here, right? Right!
Once you’ve entered a valid six-digit challenge code, you’ll be granted access to your Amazon account and all of the personal and financial information that you keep there.
Even if a hacker somehow managed to steal your username and password, unless they also had access to your phone, they wouldn’t be able to meet the six-digit code challenge. That would prevent them from gaining access to the personal and financial information that you keep there.
Authy is so committed to spreading the usage of two-factor authentication that they’ve gone above and beyond in educating the community. They not only provide how-to guides for the websites that support their app, they even provide guides for the websites (I’m lookin’ at you, Apple!) that don’t support their app. Talk about a community resource. Well played, Authy. Well played.
If you’re not sure which of the websites that you frequent supports two-factor authentication, look no further than the website: https://twofactorauth.org/. It’s an excellent resource to see which websites and services around the world — like online banking — offer this kind of security. For those websites that don’t, they even offer an automated way to tweet at them or send them a Facebook message, letting them know that security is important to you.
So that’s it for Episode #3, kids. You’re all a bunch of champs for hanging in there and I’m really proud of you. In Episode #4, we’ll tackle another pillar of digital security: password management.