I read an article today in an educational newsletter about keeping your accounts safe with a strong password. It suggested a range of sensible things like having at least 8 characters, using a mix of uppercase, lowercase, numbers and special characters, and not reusing old passwords. All pretty good advice.
I hear a lot of people expressing concern about the security of “the cloud”. They worry that their data could be compromised if kept on a server they don’t own themselves, or a server that is located somewhere else, possibly even in another country. They express concerns about data breaches from hackers, security breaches of data centres, or even data being accessed by foreign powers during a government uprising. Is any of this possible? I suppose so. Anything is possible. Unlikely perhaps, but possible.
If it’s true that anything is possible, and we want our data to have zero risk, then we need to not keep data anywhere. The only sure way to have no risk with our data is to have no data, but that’s obviously not possible, because we live in the real world where having data is important and useful. To live in a world without data is not an option. So when it comes to the security of your data, we need to decide what level of risk is acceptable to us.
Putting aside the likelihood of secret hacking attempts or tinfoil-hat conspiracy theories, can we all just acknowledge that the single most likely way your data will be accessed by someone else is if they get hold of your password. Either you didn’t pick a very secure password to start with, or they guess it because they know your pet’s name, or you do what so many people do and write it on a post-it note and stick it to your monitor at work. Or maybe you are away from your desk without locking your computer. Or maybe you’ve shared it with someone you know. Whatever the reason, that password, those eight or so little characters, are all that stands between you and potentially disastrous consequences.
So why, oh why, do more people not use Two Factor Authentication (or 2FA)? I have had literally hundreds of conversations with people who will argue about the alleged insecurity of the cloud, and who get all freaked out because they don’t know where or how their data is physically stored, and who claim that they can’t possibly rely on a cloud service to store their precious data, but who don’t use 2FA on their account! It’s insane.
Look, I get that some people might be mistrustful of the idea of putting their data somewhere other than a server that they own themselves. But unless they at least use 2FA to secure their account I cannot take anything they say about security seriously. They are not even taking the most basic of steps to secure their own data, while they bleat about highly unlikely potential worst case scenarios.
So what exactly is two factor authentication?
Many people have two locks on their front door – a top lock and a bottom lock, each with it’s own key. Unlocking either one of the locks is not enough to open the door – you need to unlock both locks at the same time. That’s two factor authentication. You need both factors – in this case, both keys – to open the door.
When it comes to data, you also want to have two keys, or ‘factors’. And ideally you want to have two different kinds of factors – something you know and something you have.
The something you know is the password, and yes it’s still a good idea to have a strong password, something with enough length and complexity that is hard to guess but easy to remember. But it’s not enough. It’s just one factor.
The second factor is something you have, or something you physically carry with you, such as a phone or touch key. Unless the hacker or foreign power actually has your phone, they can’t access your data, even if they know your password. Just like the two keys for the front door, they need both your password AND your phone at the same time. If they have both those things, you may just have bigger problems to deal with.
Some people think that using two factor authentication can be a pain, but it doesn’t have to be. It’s easy and absolutely worth whatever very minor inconvenience it might cause. You probably have your phone with you all the time anyway, so it’s really not a big deal. Once you set it up, when you log into your account on a new device you simply enter your username and password as usual, then tap a button or enter a code on your phone to complete the login. No phone, no login. Take that, hacker!
There are a number of ways to get that second factor, from receiving a text message, to entering a secret number that gets generated every 30 seconds, to tapping a ‘Yes’ button on your phone, to having a dedicated Yubikey in your computer. It’s an extra step, sure, but it makes your account very, very difficult to hack.
So please, if you don’t already use 2FA (on every account you own!) then set it up now. Your online life will be exponentially more secure. And if you don’t, then please do not ever express an opinion about the security of the cloud or anything else. If you can’t take even the most basic steps to protect your own online data then you have no business expressing your opinions about whether a cloud system is secure enough or not. You just sound silly.
Something you know, Something you have by Chris Betcher is licensed under a Creative Commons Attribution 4.0 International License.
Challenge:
I have set up a user on my domain with 2FA enabled.
It’s a G Suite account
The username is [email protected]
The password is learning
Now go try to log in. I’ll buy you a beer if you can.