I recently looked at four different aspects of the security posture of a number of US banks. I’d like to explain in detail what these security controls are and why they’re important. In this post I’ll explain what two factor authentication is and why you should be using it everywhere you can.
To start off, I’d like to define authentication. Authentication is the process by which one proves that they are who they say they are. In the case of most internet sites this is done with a username and password. I tell the site who I claim to be with my username, and prove it by providing something that only I would know: my password. That’s one factor authentication.
To make it two factor authentication they can’t just ask you for something else you know: mother’s maiden name, high school mascot, social security number. This is still one factor. The second factor needs to come from another category; either something you have (like your phone) or something you are (like your fingerprint). The former is more common.
Something you know is your password, but how would the site check if you have the “something” you claim to have? The most common way is with an OTP or One Time Password. Many sites, though few banks apparently, support this function. You may have experienced this before, either through a site texting you a 6 digit number, or through a smart phone app like Duo Mobile, or Google Authenticator that generates this code, or maybe your employer issued you an OTP keychain that has a small screen display this number. In any case, this second password can only be used once and proves that you have the device that generated it in your possession.
There are plenty of flaws with passwords, but most of them are actually flaws with the humans who use them. We choose passwords that are easy to guess: a family member or pet’s name, a sports team, a school mascot, the word password. We also reuse them between sites, so when your sketchy-shopping.com password is stolen by hackers, it also works on chase.com, which is bad.
By adding two factor authentication it becomes much harder to give away access to your account, even if you want to. If you password is stolen from another site, or guessed because it’s “password”, you are still safe because the hacker doesn’t also have your phone. Now, I certainly suggest picking a strong password and lots of other people can tell you how to do that   , but adding 2FA as a second line of defense is a great way to keep your accounts secure.
Where should you start? Your email account. You may think that your mailbox has no big secrets in it, but many services on the internet allow password resets if you have access to the account holder’s mailbox. So a breached mailbox could lead to a breached… everything else. If you have gmail, outlook.com, or yahoo, they all support 2FA and I’ve linked documentation, if you have another mail provider… WHAT YEAR IS IT?