Remember how nude photos of certain celebrities were leaked last year? Not only did this story brighten someone's day (and possibly night), it also turned out to be a pretty good educational tool.
For example, many people have realized that their pet's name is not necessarily a good password, and that two-step authentication is not just for IT security freaks but also for every owner of an iPhone decorated with Swarovski crystals.
Last year's photos leaked from Apple's cloud, which stores copies of photos taken with Apple devices. The hackers used the easiest way to break into the service, combining phishing with brute force. After this mishap, the company decided to protect its users more reliably and introduced two-factor authentication (2FA) for iCloud, then recommended that its customers enable it.
However, using 2FA on iCloud, as well as on Gmail, Facebook and many other websites, is optional. Most people prefer to skip it because it is not very convenient and takes up valuable time.
Meanwhile, even if you are not Kim Kardashian or Kate Upton, you can easily lose control of your e-mail account or social media profile. And the consequences can really be felt.
Two locks are better than one lock
Most people think that two-factor authentication is a system that sends one-time passwords in text messages. Well, it is indeed the best 2FA method for websites, but it is not the only one.
In general, 2FA is like a door with two locks. One is the traditional login and password pair, and the other can be anything. What's more, if two locks are not enough for you, you can use as many as you like. But then opening the door will take longer, so it is better to start with two.
Passwords sent via SMS are an easy and relatively reliable method of authorization. Relatively, because every time you want to access the service you must have your phone nearby, wait for the SMS and type in the digits.
If you make a mistake or enter the code too late, the procedure must be repeated. And if the operator's network is congested, the SMS may be delayed. My guess is that this might irritate some people.
If you have no coverage (which happens most often when travelling), you won't get the password. You can also lose your phone and be unable to change how you log in, which is even more frustrating.
Fortunately, for such circumstances many sites, such as Facebook and Google, offer additional options, for example a list of one-time backup codes that you can generate, print and store in a safe place in advance.
What's more, 2FA with one-time codes sent via SMS does not have to be required on every login; it can be triggered only when you log in from an unknown device. The same principle applies to each application tied to your account (e.g. an e-mail client): you must enter a specially generated password before you start using it.
So, unless you log in from a new device every day, two-factor authentication via SMS is not that much of a hassle. Once set up, it simply works.
Identity on the smartphone
If you travel frequently, a dedicated app is a better way to authenticate. Unlike SMS, this method works offline: the one-time password is generated not on the server but on the smartphone (although the initial setup requires an internet connection).
There are many authenticator apps out there, but Google Authenticator definitely sets the industry standard. Besides Gmail, it supports other services such as Facebook, Tumblr, Dropbox, vk.com, WordPress and others.
If you prefer an app that combines other functions, try Twilio Authy. It is similar to Google Authenticator but has many useful extra options.
First, it lets you store your tokens in the cloud and copy them to other devices (smartphones, PCs, tablets and many other platforms, including the Apple Watch). Even if your device is stolen, you will still be in control of your account. The app requires you to enter a PIN every time you start it, and the key can be revoked once your device has been compromised.
Second, Twilio Authy makes life easier when you move to a new device (Google Authenticator lacks this feature).
One key instead of several
The solutions above share one drawback: if you use the same device both to log in and to receive SMS one-time passwords or run the 2FA code-generator app, the protection is not so reliable.
Hardware tokens provide a higher level of protection. They come in different shapes and generate the login codes you need: USB tokens, smart cards or standalone tokens with a digital display. Their principle of operation is the same: they are miniature computers that generate one-time keys on demand. The keys are then entered manually or automatically, for example over a USB interface.
Code generation on such dongles does not depend on network coverage, telephone coverage or other factors; they work regardless of circumstances. Unfortunately, they are bought as separate equipment, and some people find it hard not to lose such a small gadget.
Typically, such keys are used to protect online banking, corporate systems and other important things. At the same time, to secure your Google or WordPress account you can use an elegant USB device that stores the keys for FIDO U2F authentication (such as the popular YubiKey tokens).
Show your implants!
Traditional hardware tokens provide a high level of protection but are not very comfortable to use. It can be tiresome to plug in a USB key every time you want to access an online service, and you can't connect it to your smartphone.
It would be much easier to use a wireless dongle that communicates via Bluetooth or NFC. Incidentally, this is possible with the new FIDO U2F specifications presented last summer.
The tag that verifies the user could be placed anywhere: on a keychain, in a bank card or even in an NFC chip implanted under the skin. Any smartphone could read this key and authorize the user.
One, two, many
The idea of two-factor authentication is by no means outdated. To improve access security, many services (e.g. Google or Facebook) analyze several factors: they check the device and browser the login comes from, as well as the location or pattern of the user's activity. Banks use similar systems to catch fraudulent activity.
So, in the future we will likely rely on advanced multi-factor solutions that strike a healthy balance between convenience and safety. One great example of this approach is the Abacus project, presented at the recent Google I/O conference.
In this new reality, your identity will be confirmed not by a password alone but by a set of several factors: your location, what you are doing at the moment, how you speak and breathe, what your heart rate is, whether you use cybernetic prostheses, and so on. The device that senses and identifies these factors will probably be your smartphone.
At this point I can give one example: Swedish researchers use ambient sound as an authentication factor.
The concept is called Sound-Proof and it is very simple. When you try to access a service from your computer, the server sends a request to an app installed on your smartphone. Both the computer and the smartphone record the surrounding sound, convert it into a digital signature, encrypt it and send it to the server for analysis. If the two match, it means the genuine user is trying to access the service.
Of course, this approach is not perfect: if the fraudster is sitting near the user, for example in a restaurant, the ambient sounds are practically the same. Then other factors that prevent the account from being hacked must be taken into account.
In the end, both Sound-Proof and Abacus are designed to provide protection in the future. Once they go commercial, information security threats and challenges are likely to evolve as well.
For today, all you need to do is turn on 2-Step Verification. You can find instructions for enabling it on most popular websites.