A password is not enough
to keep your accounts safe—take some extra precautions so that if the site
you’re on gets hacked, your data isn’t lost.
If you’ve followed
technology news in recent months, you will have seen hacks of popular online
services making headlines regularly. There have been frequent
mishaps at Twitter since January; Microsoft, Apple and Facebook admitted to
being victims of hackers in February; Evernote’s 50 million accounts were
compromised in March; and LivingSocial was attacked in April.
To counter the growing
threat, all the major online services and technology companies are now adopting
two-factor authentication (TFA, T-FA, or 2FA), which requires the presentation
of two or more of three authentication factors:
· Knowledge: Something the
user knows; for example, password, personal identification number (PIN),
pattern.
· Possession: Something the
user has; for example, ATM card, smart card, mobile phone.
· Inherence: Something the
user is; for example, biometric characteristics such as a fingerprint.
TFA is not a new
concept; it has been used for financial and government systems for a long time.
More recently, consumer services have started to adopt it. So, for instance,
when a bank customer visits an ATM, s/he uses the ATM card (something s/he has)
and follows it up by entering a PIN (something s/he knows) to corroborate
credentials.
As of now, you can’t use
TFA everywhere on the Web, but services like Google, LastPass,
Facebook, Dropbox,
WordPress and Microsoft now offer it. So check your account settings and opt
for it—it’s not mandatory yet. TFA requires user participation and adds an
extra step, so it tends to be less popular.
Eve Maler, a principal
analyst serving security and risk professionals at the global research and
advisory firm Forrester Research, believes it’s only a matter of time before
TFA is accepted and adopted by mainstream users. On her blog on the Forrester
website, she writes: “The writing is on the wall. What was once anathema is
going to be unilaterally required by online service providers—and accepted by
users—within a couple of years, at least for especially sensitive operations.
The only type of security education that really works is the school of hard
knocks. Breaches that expose passwords are massive, frequent, and newsmaking
events these days. Once enough ‘low-information’ consumers find themselves undergoing
account recovery and password change processes due to breaches, strong auth
will seem like a much better idea.”
Mobile apps
If you cannot receive
text messages on your mobile phone (not all countries might be supported by the
service, for example), you can use authenticator apps. These apps can also be
useful if you’re not near your phone, but have your tablet or iPod handy, and
work with most TFA implementations:
· Google Authenticator — Android/BlackBerry/iOS
· Authenticator — Windows Phone
How to opt for TFA
Gmail (Google)
· Sign in to your Google
Account settings page by clicking on your name or picture on the upper right
corner of the screen and then clicking Account.
· On the left tab, click
Security and then Settings under 2-step verification. This will bring you to
the 2-step verification settings page.
Twitter
· Visit your account
settings page.
· Under Account security,
select “Require a verification code when I sign in”.
· Click on the link to add
a phone and follow the prompts. This doesn’t work with all Indian providers yet,
so Vodafone users, for example, will have to wait for now.
Facebook
· Login approvals is a TFA
system that requires you to enter a code Facebook sends to your mobile phone
via text message whenever you log into it from a new or unrecognized computer.
· Once you have entered
this security code, you’ll have the option to save the MAC (machine address
code) of the device you’re using to access Facebook to your Facebook account
so that you don’t encounter this during future logins.
Outlook.com/SkyDrive (Microsoft)
· Under Password and
security info, click Edit security info.
· Check your phone or,
alternatively, email for the code, enter it, and click Submit.
· Under two-step
verification, click “Set up two-step verification”.
· Click Next, and then
follow the instructions.
Dropbox
· Sign in to the Dropbox
website, and click on your name from the upper-right of any page to open your
account menu.
· Click Settings from the
account menu and select the Security tab.
· Under the Account
sign-in section, next to Two-step verification, the tab would read “disabled
(change)”; click on “change” to enable the function.
· Once you’ve enabled
two-step verification, you can choose to receive your security codes by text
message or use a mobile app for the same.
WordPress
· The Google Authenticator
plug-in for WordPress gives you two-factor authentication using the Google
Authenticator app on your smartphone.
· The two-factor
authentication requirement can be enabled on a per-user basis. You could enable
it for your administrator account, but log in as usual with less privileged
accounts.
Apple devices
· Select Password and
Security.
· Under Two-Step
Verification, select Get Started and follow the instructions on screen.