What Is Two Factor Authentication?
Often these passwords were less than ten characters, and at best were a word with a number, usually 01, on the end. Where it wasn’t 01, it was either the month in which they were born, or the last 2 digits of the year they were born. Invariably the word was something that related to them, and with a little effort and research, could be discovered easily.
If that description sounds at all familiar, please read on.
It has been suggested that you make your password a nice long sentence, complete with punctuation and numbers. This is probably as far as most users need to go, so long as they also have an additional layer of security in place called “two factor authentication”, which I will explain shortly. It can still be compromised, though, especially if you have used something from popular literature.
Use a quote from your favourite book, which you might have mentioned on Facebook, and a ne’er-do-well with a few lines of code could break it by automating the process: trying different selections from the book repeatedly until one succeeds.
This method is called a “brute force” attack, and such attacks do take time.
Most service providers have processes in place to
limit the effectiveness of such attacks, but plenty don’t; users
tend not to find out about the ones that don’t until it is too late.
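As an added illustration of the throttling such providers use (example code written for this page, not the author’s or any provider’s own), here is a small Python login handler that locks an account after a run of failed attempts, so a guessing script cannot simply keep going. The policy numbers, the `LoginThrottle` and `attempt_login` names, and the demo account are all assumptions.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Policy values are assumptions for this example: five failures inside a
# fifteen-minute window lock the account for fifteen minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Salted PBKDF2 verifier; the store never holds the plaintext password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(store, username, password):
    record = store.get(username)
    if record is None:
        # Run the KDF anyway so unknown usernames take as long as wrong passwords.
        hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(expected, actual)


class LoginThrottle:
    """Counts failed logins per username and refuses attempts while locked."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can move time
        self.failures = defaultdict(list)  # username -> failure timestamps
        self.locked_until = {}             # username -> time the lock expires

    def is_locked(self, username):
        return self.clock() < self.locked_until.get(username, 0)

    def record_failure(self, username):
        now = self.clock()
        recent = [t for t in self.failures[username] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = []

    def record_success(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def attempt_login(throttle, store, username, password):
    """Returns 'locked', 'denied' or 'ok'. A locked account is refused before
    the password is even checked, so guessing cannot continue during the lockout."""
    if throttle.is_locked(username):
        return "locked"
    if check_password(store, username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


# Constructed demo account (not a real credential).
DEMO_PASSWORD = "The quick brown fox jumps over 3 lazy dogs."
USERS = {"alice": hash_password(DEMO_PASSWORD)}

if __name__ == "__main__":
    throttle = LoginThrottle()
    for n in range(MAX_FAILURES):
        print("wrong guess", n, "->", attempt_login(throttle, USERS, "alice", f"wrong-{n}"))
    print("correct password ->", attempt_login(throttle, USERS, "alice", DEMO_PASSWORD))
```

Run as a script it shows five refusals followed by a "locked" result even for the right password; a real deployment would also rate-limit by source address and alert on the lockout, which is the "alarm" effect the post describes later.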
For this reason, anyone looking for additional security should consider setting up what I’m about to describe.
I have become a dedicated user of a password generator and wallet application on my phone. The app is locked behind one password I am required to remember, but it will generate passwords for me based on the requirements I set, then store them behind that master password. I can customise the requirements of a password on the basis of the number and type of characters.
The strength of such a setup is that the passwords are long and complicated, and there is zero need for me to remember them. The weakness is that the app relies on an algorithm to generate the passwords, and that could be reverse engineered, or stolen in a data breach.
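An added example, not the author’s app or any real product, of the kind of generator such an application contains, in Python. `generate_password` draws from the operating system’s CSPRNG through the `secrets` module rather than a reproducible algorithm, which is the property that defeats the reverse-engineering worry above, and `meets_policy` checks a candidate against the same character-class requirements. The class names, the symbol set and the default length are assumptions.

```python
import math
import secrets
import string

# Character classes a policy may require (the symbol set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")


def generate_password(length=24, required=DEFAULT_REQUIRED):
    """Return a password of `length` characters containing at least one
    character from every class in `required`, drawn from the OS CSPRNG."""
    if length < len(required):
        raise ValueError("length is too short to satisfy every required class")
    pool = "".join(CLASSES[name] for name in required)
    # One guaranteed character per required class, then fill from the full pool.
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters
    # do not sit predictably at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length=24, required=DEFAULT_REQUIRED):
    """Check a candidate against the same requirements used to generate it."""
    if len(password) < length:
        return False
    return all(any(ch in CLASSES[name] for ch in password) for name in required)


def entropy_bits_upper_bound(length, required=DEFAULT_REQUIRED):
    """log2 of the number of strings of `length` over the combined pool. The
    per-class guarantee excludes a few strings, so this is an upper bound."""
    pool_size = sum(len(CLASSES[name]) for name in required)
    return length * math.log2(pool_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits_upper_bound(24), 1))
```

With the default 87-character pool a 24-character password is bounded by roughly 155 bits, far beyond any word-plus-"01" pattern; the generator’s output is unpredictable only as long as the master password protecting the stored copies holds, which is the breach risk the post goes on to note.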
Since I use Two Factor Authentication (I am getting there), if my password is
compromised, I am still protected.
Two Factor Authentication is slowly becoming the accepted standard for adding an additional layer of security to services and accounts, and I appear to be part of a pilot program within Telstra for our own version of it. At its most basic, two factor authentication requires you to provide an additional piece of information, which is sent to you by the service provider once you have provided your password. The code is delivered either by text message or generated by an app on your phone. Basically it’s your service provider saying “Either you, or someone pretending to be you, has attempted to access your account. We want to be sure it’s you, so please use this code.”
The code provided is a single-use token: it can be used once, and never again.
To gain access to your account, a bad actor would need to break
your password AND have compromised the second factor.
Tell me what you think the likelihood is of an attacker achieving ALL of the following:
- Discovering that I use a particular website or service
- Discovery of my username
- Discovering my password
- Intercepting the one time Two Factor Authentication code
Not likely.
As an added bonus the code also acts as an alarm that a breach has been attempted; if I get a code when I haven’t attempted to log into that service, I know someone
somewhere has broken my password.
I can then immediately log in, generate and record a new password.
Can I still be compromised? Absolutely. A month doesn’t go by that I don’t read about a
service provider having been breached and their users’ details being stolen.
I liken the steps
I have in place to putting a steering wheel lock on your car: if a car thief sees
your car with a steering wheel lock, and one without, which is more tempting?
By forcing the attacker to expend more time and resources to gain access to my accounts, I have made every other person’s account more attractive than my own.
I’m not outrunning the lion, I’m outrunning the other guy lost in the jungle.