- September 2013 Issue
Add an extra layer of password verification to help safeguard your data and accounts
Posted Sep 1, 2013 1:30 AM CST
By Dennis Kennedy
Are passwords alone enough to protect our data and accounts? Is it time to add more protection?
Multiple-factor verification, now a trend, combines several elements to help protect your accounts. So if you haven’t heard of two-factor verification or explored it, put it on your “to do soon” list.
If the only evidence that you are who you say you are is a password and someone else has your password, that person can access your account. If someone with your password must provide one or more other confirmations of identity, your account (and you) are safer. The more identity elements you can provide, the higher the probability that you are, in fact, the one seeking access.
Today there are three major factors we can use for verification: a knowledge element (something you know, like a password or PIN); a possession element (something you have, like an ATM card, security key fob or mobile phone); and an inherence element (something you are, like a fingerprint or other biometric information). As a practical matter, biometric factors are rarely used, and multiple-factor verification focuses on the first two elements, making this two-factor verification.
Online accounts protected by a password alone have been broken into, with negative and public results. The most famous case involved tech journalist Mat Honan, whose email and Twitter accounts were hacked and whose MacBook, iPad and iPhone were all wiped of information last year. We are now seeing movement, especially among the big social media services, to offer two-factor verification as an option. Online services offering two-factor verification include Dropbox, Facebook, Google, Hotmail, LinkedIn, PayPal and Twitter.
And as we increasingly use several devices to access our online accounts, we also run into the problem of balancing accessibility against the difficulty of knowing whether access from a different device is really from you. As a result, the mobile phone and texting have begun to play a big role in two-factor verification. You can receive a text message by phone that contains the information you need to log in to your account.
In all security efforts, however, there is a trade-off. If you have to get a text and confirm a number, answer a challenge question or provide other information every time you log in to every online account, it will feel like an unnecessary burden very quickly. Many two-factor approaches recognize this and require the second factor only in connection with the first time you use a device or on only an occasional basis. Other services provide you with a backup list of codes in case you don’t receive the necessary text, don’t have reception or Internet access, or don’t have your phone.
Still, if you use the same password on multiple online accounts, two-factor verification is almost a necessity. And using two-factor verification does not mean you can stop using strong passwords.
For now, two-factor verification will give you an additional layer of identity confirmation, account protection and overall security, especially for key online accounts.
Dennis Kennedy is a St. Louis-based legal technology writer and information technology lawyer.