In Second Factor We Trust

You hear of so many security compromises and hacks these days. There are major security breaches happening, with millions of passwords being stolen and used to steal or damage your stuff. So what can you do about it?

With so much of our lives now being lived in online spaces, losing a password, losing an account, having someone get into your stuff online,  would be a nightmare. What would happen if someone got into your Google account? Your Facebook? Your bank account?

I lost my original Twitter account (betchaboy) last year after a password breach and have never been able to get it back. These security breaches DO happen.

The best thing you can do to protect yourself is to turn on Two Factor authentication. Sounds complicated? Its not. It basically means that there are two passwords required to get into your account instead of the usual one… there is the normal password that you usually use, plus a second one that changes every 30 seconds or so. Even if the bad guys were to get your password, without the second factor – which only you know because it’s generated on your phone, in your presence, on demand – the first password is useless.

It’s a bit like having a door with two locks on it. You’d need both keys to open the door, not just one. Either key on its own won’t open it.

But wait, what? A second password that changes every 30 seconds? That sounds like a lot of messing around! I know it sounds like a hassle, but it’s actually not. Most Two Factor systems form a trust relationship with the devices and computers you use often so most of the time you don’t need the second factor for the computers you use regularly. It’s just needed when you log into a different computer or phone that you don’t normally use. Just like the one that a hacker might be trying to use to log in as you. Even if they discover your password, unless they have YOUR device they only have half the password.

I’ve been using Two Factor authentication on my main Google account for a while now. I resisted turning it on for ages because it all sounded too hard. I eventually relented and decided to give it a go. It’s something I should have done a long time ago. And it’s something that you, if you haven’t already, should do too. Right now.

I spent some time tonight setting up Two Factor authentication on all my Google accounts (about 5 of them), plus my Facebook, Evernote, WordPress, PayPal, Dropbox, Lastpass and Apple ID.  Here’s a good article on how to do it.

For most of these, the second factor can be generated by an app on your phone called Google Authenticator, available for Android, iPhone, Blackberry and Windows Phone. It uses Google’s open source token generation algorithm, and it spits out a new code every 30 seconds, specific to each account. Just log in to these sites as usual, but have your phone handy to generate the second password. It’s very straightforward and easy to use, and well worth whatever minor inconvenience it might cause (which honestly isn’t much)

If you haven’t set up Two Factor yet, can I strongly encourage you to at least give it a try. You can always turn it off if you hate it, but really, you should be using this! There was a report of a password breach for Dropbox users yesterday and it was such a relief to think that it didn’t really bother me as even if they got my password it didn’t matter. It was useless to them anyway.

Do it. Do it now. Seriously.

Published by


Teacher. Blogger. Podcaster. Asks way too many questions.

That's all well and good, but what do YOU think?