A couple of weeks back, I received a nasty shock when Google alerted me to the fact that somebody had tried to gain access to a Gmail account I’d set up for a project five years ago and not used since.
Fortunately, Google’s security system prevented the attacker from accessing my account but the incident nonetheless reminded me of the importance of using two-factor authentication to secure my personal and professional accounts. I’d like to briefly explain what two-factor authentication is, what the benefits (and drawbacks) of it are and how you can apply two-factor to secure your own accounts.
What is two-factor authentication anyway?
Two-factor authentication (sometimes known as 2-step) describes systems which require users to provide two forms of proof that they are authorised to access an online service.
Two-factor authentication was first seen in online banking. Remember using your PIN to generate a unique security code in order to verify your identity, in addition to entering your account password? Two-factor authentication applies the same principle to your other online accounts and virtually all the major online players now offer some form of two-factor authentication.
Two-factor via text messages
The simplest form of two-factor authentication involves linking your online account with your mobile phone. You tell Google, Facebook or Twitter what your number is. They send you an access code which you then enter into your account, creating a link.
Once your phone is linked to your account, you’ll receive a text message with a unique code every time you enter your password for your account. Only after you enter this code are you granted access to your account. Had I switched on two-factor for my old Gmail account, the attacker would have had no way of accessing the account unless he or she also managed to get hold of my phone.
Whilst text messages are probably the easiest form of two-factor authentication to set up, they do have some disadvantages:
- The system only works if you can receive text messages on your phone. If you travel a lot for work, have poor phone signal or lose your phone, you could potentially find yourself unable to receive the access codes you need.
- Using text messages means giving the likes of Google, Facebook and Twitter your phone number, which you may not feel comfortable doing.
Two-factor via apps
With a two-factor app, you associate your online accounts with an app you download from your smartphone or tablet’s app store. Virtually all the major online services (with the exception of Twitter) support two-factor apps.
There is no shortage of two-factor apps to choose from and each one has its pros and cons.
- Google Authenticator – the biggest and most well-known app. The app is compatible with virtually all the major services.
- FreeOTP – the leading free and open source alternative to Google Authenticator. I chose to use this app because I am keen to avoid trusting my whole digital life to major providers. Because FreeOTP is open source, anyone is free to examine the code used by the app and report security flaws. FreeOTP works with every service that supports Google Authenticator.
- Authy – a popular third-party app. Authy offers useful cloud and offline features, allowing you to generate access codes even when you don’t have your phone or tablet to hand or should you find yourself without an internet connection (the horror).
Setting up two-factor for your accounts
Each service implements two-factor in a slightly different way and uses its own terminology but the fundamentals remain the same. Please find below links to guides for the big services:
A word about Facebook login approvals
By default, Facebook offers you two ways to generate access codes: by text message or via the code generator built into the Facebook app. What is less well known is that you can choose any of the third-party apps listed above to generate codes instead.
I chose to use FreeOTP to secure my Facebook account because I wish to minimise the amount of personal information I give Facebook.
Downsides to using two-factor
Given the clear benefits of two-factor authentication, why aren’t we all using it? There are two main reasons. Firstly, two-factor is currently opt-in rather than a default setting, and we should never underestimate the power of defaults in the choices we make. Secondly, two-factor adds friction to accessing our services. A lot of people find it enough of a struggle to remember their password and so are understandably reluctant to add another hoop to jump through.
Until online service providers choose to make two-factor the default way of accessing their services, not everyone will choose to increase their security. Ultimately, the problem of verifying our online accounts may be solved through innovation, such as Google’s plans to replace passwords with facial recognition. Until these systems become commonplace, however, I hope you do what I do and switch to two-factor.