1st May 2014
from PC Magazine
Heartbleed has us all scared, given that one itty bitty piece of code has left everyone’s log-in information potentially (there are no confirmed malicious uses as yet) up for grabs.
So what is a person to do? Well, you should definitely change your passwords on the sites that have patched their OpenSSL problems, but you should change your passwords regularly anyway! Whether defeated by sheer brute force or by simple phishing, passwords are, to be honest, a pretty laughable way of authenticating who you are.
What you really need is a second factor of authentication. And that’s why many Internet services, a number of which have felt the pinch of being hacked, are embracing two-factor authentication for their users. It’s sometimes called 2FA, or used interchangeably with the terms “two-step” and “verification” depending on the marketing. But what is it?
As PCMag’s lead security analyst Neil J. Rubenking puts it, “There are three generally recognized factors for authentication: something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint). Two-factor means the system is using two of these options.”
Biometric scanners for fingerprints and retinas are far from ubiquitous as that second factor. In most cases, it is simply a numeric code of a few digits that’s sent by SMS text message to your phone, and which can only be used once.
More and more services are also now supporting a specialized app on the phone called an “authenticator,” which will do that same job. The app, pre-set by you to work with the service, has a constantly rotating set of codes you can use whenever needed—and it doesn’t even require a connection. The arguable leader in this area is Google Authenticator (free on Android, iOS, and Blackberry). But Authy (free on iOS and Android) does the same thing, and with far more color and style; it makes Google’s app look washed out and ancient. There are also a number of authenticator apps for Windows Phone. And services like Toopher work with websites to try and develop a system that means you won’t even pull out your phone; it claims it’s already made Google Authenticator obsolete. But that’s not ubiquitous yet, either.
Here’s a video Google made about 2-Step Verification basics a couple years ago:
You should also be aware that setting up 2FA can actually break access within some other services. For example, if you have 2FA set up with Microsoft, that’s great—until you try to log into Xbox Live. That interface has no facility to accept the second code. In such cases you must rely on app passwords—a password you generate on the main website to use with a specific app (such as Xbox Live). You’ll see this come up with Facebook, Twitter, Microsoft, Yahoo, Evernote, and Tumblr—all of which either are used as third-party logins or have functions you can access from within other services.
Remember as you panic over all this: being secure isn’t easy. But that’s exactly what the bad guys count on: that you’ll be lax in protecting yourself. So while implementing 2FA on your accounts will mean it takes a little longer to log in each time, it’s worth it in the long run to avoid some serious theft, be it of your identity, your data, or your money.
What we have here isn’t an exhaustive list of services with 2FA ability—for that, check out this list of banks, web hosts, and more. In this article, we cover the major services everyone tends to use, and walk you through the setup with each. Set up 2FA on all of these and you’ll be more secure than ever.
Meanwhile, to keep up with all the latest security news, especially Heartbleed, check out PCMag’s SecurityWatch.