Two Step Verification

Justin Hall

October is National Cyber Security Awareness Month. At CBTS, we spend our whole year talking to customers about how to improve their organizational security practices, but in October, we use the increased attention to focus on some of the most effective things individuals and companies alike can do to protect themselves and their data. Side note: be sure to get a card and something nice for the cyber security professionals in your life! I happen to like pie, just FYI.

The most important thing I tell all of my friends and family to do to improve their personal security is to use 2-Step Verification - also called “two factor” or “multi factor” authentication - on their most important devices, websites, and services. 2-Step Verification is a feature that adds one additional step when you’re logging into something using a username and password. Here’s an example:

I go to my local public library and want to check an eBay auction I’m involved in. I sit down, open a browser, and go to I type in my email address and password, and then eBay asks me to provide a six-digit code. I get a text message immediately from eBay with the code, type it in, and I’m logged into my account successfully.

The additional step only takes about 5-10 seconds, but it provides invaluable protection from a couple of different threats:

  • If someone hacks eBay and steals their user account database, the attacker still won’t be able to log into my account without the code that eBay generates. Only I have the ability to read my text messages, so only I can know that code.
  • If I inadvertently install malware - say, a keylogger - on my computer, and an attacker steals my username and password that way, I’m still protected, since the code eBay texts to me only works once and only for a few minutes.

Lots of services support 2-step verification now: some will send you a text message, and some support using an app like Google Authenticator or Microsoft Authenticator. My personal setup is to use a combination of my Android phone and Android Wear watch, which has a Google Authenticator app, so pulling up a code for one of the services I use doesn’t even require me to pull out my phone.
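To make the "only works once and only for a few minutes" property concrete, here is a sketch of what the service side of a texted code can look like. It is an added example, not eBay's code or anything from the original post; the class name, the five-minute lifetime and the five-guess limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: "a few minutes" taken as five minutes
MAX_ATTEMPTS = 5        # assumption: guess limit, not stated in the post


class OneTimeCodeStore:
    """Hypothetical in-memory store for texted six-digit login codes."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without waiting
        self._pending = {}    # username -> [code, expires_at, attempts_left]

    def issue(self, username):
        """Create a fresh code; the caller texts it to the user's phone."""
        # secrets uses the OS CSPRNG; the format keeps leading zeros.
        code = f"{secrets.randbelow(10**6):06d}"
        # Issuing a new code replaces (invalidates) any earlier one.
        self._pending[username] = [code, self._clock() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """Return True at most once per issued code, and only before expiry."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]   # expired, or too many wrong guesses
            return False
        entry[2] = attempts_left - 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]   # single use: a replayed code fails
            return True
        return False
```

A password stolen by a keylogger is not enough here, because `verify` only succeeds for a code that was just issued, has not expired, and has not already been used.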

You can also use a physical USB key, like Yubico’s YubiKey, so that plugging a device into the computer you’re using is required to log in. I use this for my Google account - protecting personal email is super essential, since access to that service allows access to lots of others.

So enjoy National Cyber Security Awareness Month! Turn on 2-step verification everywhere! And tell your friends and family!