An ID and strong password aren’t secure enough for important accounts. Set up two-factor authentication (2FA) at all your important online accounts (government, banks, investments, credit cards, …..).
Strong passwords are only an initial barrier to hackers seeking access to your information. A next step to improve protection beyond passwords is called two factor authentication or 2FA. The following steps illustrate a typical information flow for a 2FA process:
Login with ID and password (factor 1) to bank website from your personal computer.
A more general term for 2FA is MFA, or Multi-Factor Authentication. A Microsoft security expert has stated that “based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.” The same expert believes that focusing on passwords, their complexity, management, and frequency of modification is irrelevant today!
So, always use two factor authentication (2FA), if available, when accessing important online accounts. These include your email account, financial accounts (e.g. investments, banking, credit cards) and government-related accounts (e.g. DMV, IRS, Social Security).
To determine if your important accounts offer 2FA, look in the app’s or website’s Profile Settings. They will typically offer sending texts or emails when account activity occurs or you make account changes. For example, Bank of America’s Profile Settings includes a Security Center selection to set up 2FA.
Social media apps, such as Facebook, Twitter and LinkedIn, offer 2FA for additional security. If you authorize 2FA in your Facebook profile, it requires entry of a passcode to ensure your personal identification – the passcode is delivered via a text message to your smartphone.
More secure than text-message-based 2FA is time-based, one-time passcode or TOTP-based 2FA. Apps as Authy, Duo Mobile and Google Authenticator offer this approach. They work effectively with many familiar commercial websites.
Symantec offers the VIP Access app that I use on my iPhone to authenticate with my investment account website. VIP Access generates a 6 digit authentication code every 30 seconds – a TOTP. I enter the current passcode at the website as the second factor during login.
An even more secure, hardware-based, 2FA alternative for the truly security-concerned is the Yubikey, based on FIDO (Fast IDentity Online) and U2F standards. The key is a small device that plugs into a USB port in your personal computer and/or communicates with your device via NFC (Near-Field Communication). The Yubikey 5 NFC is such a device, making it compatible with FIDO-compliant applications/websites on Windows, Mac OS, Linux, iOS and Android devices It issues an OTP – a one-time password, not time-based, unique to the device, making it almost impossible to be spoofed by a hacker. Other comparable security key products include the CryptoTrust OnlyKey, the Thetis Fido U2F Security Key and Google’s Titan Security Keys.
Companies, such as Google, are strengthening their authentication security for their accounts with support for smartphones – iPhone and Android – as hardware-based FIDO-compliant devices, obviating the need for a Yubikey-like device while offering equivalent security. Moreover, Google offers an Advanced Protection program for those individuals who may be at exceptional risk.
FOR FURTHER READING:
CyberGuardian: a SecureTheVillage Guide for Residents is available on Amazon.
A complete Security Checklist is available: https://www.nerdsiview.com/security-checklist-2/
References for Village Residents are available at: https://securethevillage.org/residents
© Alan Steven Krantz 2021