Friday, August 17, 2012

Two Factor Authentication for email

Very few people today are using two factor authentication for their email accounts. In fact, most people do not even know what it is. If you do know what two factor authentication is, odds are you are not aware if your email provider supports it. You are in luck if you use Google mail (gmail) or Yahoo mail because they both support two factor authentication. In this blog I describe why you need a second factor as well as a brief overview of what two factor authentication is and how it works on both Google and Yahoo.

Why bother?

You are probably asking yourself "why should I hassle with two factor authentication, it sounds complicated". I suggest you read this article on Wired.com that describes how the author, Mat Honan, was hacked. The end result of this epic hack on Mr. Honan was extremely destructive. The hackers obtained control of his Amazon, AppleID, gmail, and Twitter accounts. Using his AppleID they were able to remotely erase all of his data from his iPhone, iPad and his MacBook. They deleted his Google gmail account and took over his Twitter ID to tweet whatever messages they liked under his Twitter persona.

As the Wired article explains, this hack was based on Social Engineering. It involved the hackers physically calling customer support for both Amazon and Apple to provide information that allowed them to gain access to those accounts via their password reset mechanisms. Mr. Honan had "chained" these impacted accounts together and essentially they fell like dominoes after access was gained into the Amazon account.

Two factor authentication on his gmail account would not have stopped all of this destructive damage since Google was not involved in the mechanism used to gain access to Amazon and his AppleID. But, had he enabled two factor authentication on gmail it would have kept the hackers out of his Google account and would have indirectly protected his Twitter account. Unfortunately since both Amazon and Apple had a serious flaw in their security ecosystem Mr. Honan would still have likely lost the data on his iPhone, iPad and his MacBook.

There has been significant press lately about password strength. If you haven't already done so, read my blog on the LinkedIn password hack that managed to steal the password file for thousands of users. In that blog I describe why you should change your LinkedIn password after that attack and ensure that you have a strong password that is not shared with your email accounts. But that blog post is all about having an effective password and protecting it. Two factor authentication takes security one step farther.

What is two factor authentication?

Two factor authentication simply means you need two things to log into the account. Two factor authentication most often uses the following two "things" or factors:
  1. Something you know (your password)
  2. Something you have in your possession that nobody else has (usually a token of some kind)
Google and Yahoo both give you the option of having your phone act as the second factor, or the "thing" that you have. Basically, once you log on with your normal password, Google or Yahoo will text you a numeric code that is good for one use only. This numeric code is the token that you "have". After the initial log in screen you will be presented with a screen that prompts you to enter the code that was sent to your phone via text message.

Using this second factor essentially means that even if your password has been compromised the hacker cannot access your account unless they have the token that has been sent to your phone. This protects your email account from the type of attack that happened to Mr. Honan, which effectively amounted to a password reset on the email account. It also protects you from other forms of security breaches in which your password has been compromised to an attacker such as the stolen password file incident that happened to LinkedIn.
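As an added illustration (not code from Google, Yahoo or the original post), here is a hypothetical server-side model of the one-time code step described above: the code is issued only after the password check, is unpredictable, expires, can be tried only a few times, and is consumed on first successful use, so a stolen password alone never completes the login.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # the texted code is only good for a short window
MAX_ATTEMPTS = 3         # stop online guessing of a six-digit code


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class SecondFactor:
    """Hypothetical model of the SMS one-time code step (assumed design).

    After the password succeeds, the server issues a code and sends it to the
    user's phone; here the code is simply returned to the caller as a
    constructed stand-in for the SMS gateway.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._pending = {}       # username -> PendingCode

    def issue_code(self, username: str) -> str:
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(code, self._now() + CODE_TTL_SECONDS)
        return code

    def verify_code(self, username: str, submitted: str) -> bool:
        pending = self._pending.get(username)
        if pending is None:
            return False                     # nothing issued, or already used
        if self._now() > pending.expires_at:
            del self._pending[username]      # expired: a fresh code is required
            return False
        pending.attempts += 1
        # constant-time compare so response timing does not leak matching digits
        ok = hmac.compare_digest(pending.code, submitted)
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[username]      # single use: consumed on success or lockout
        return ok
```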

Two factor authentication may seem intimidating, or an unnecessary hassle, but it really is not that intrusive once you have it set up for the first time. As you can see in the screen shot above, Google gives you an option to "Trust this computer". If you check that box you will not need to enter the second factor again from that computer. Do not check that box on any shared computer. Yahoo has a similar feature that allows you to trust a computer and bypass the second factor verification step.

I urge everyone to take this threat seriously and incorporate two factor authentication on every account that has it available. Honestly, if your email provider does not offer it I would switch to one that does, such as Google or Yahoo. Too much of our lives is dependent on our online accounts to not protect them properly. Think of how many accounts you have, such as your bank, credit cards, brokerage firms, etc., that have a password recovery option that sends a reset notification to your email account. For a hacker, obtaining access to that email account is the equivalent of gaining the keys to the kingdom. Protect it as best you can.

3 comments:

  1. Kelley, why do you recommend not to check the "Trust this computer" box? Isn't that factor tied to my physical computer (that hopefully nobody but me has access to).

  2. Paul, you are correct. Your computer does become the second factor after checking that box. Checking that box on your home computer is perfectly fine, I should have been more clear. What I'm talking about when I say shared computers is any computer you do not control. For example a computer in a hotel business center. You never know if a computer, such as one in a hotel business center or a library, has a keystroke logger installed on it. If it did, and you checked that box, whoever installed the keystroke logger now possesses both factors, your password and the browser that has been "trusted".
