The following is adapted from Fire Doesn’t Innovate.
Two-factor authentication has become more important as the level of cyberattacks continues to rise. Every time a company you do business with (or that collects data about you) has its data stolen by cyberattackers, your online security is compromised and your accounts are vulnerable to attack.
Two-factor authentication can help prevent access to your online accounts if someone else has your user ID and password. Authentication is the process of proving your identity and it happens one of three ways:
- Something you know (a PIN or password)
- Something you have (your driver’s license or mobile phone)
- Something you are (your photo or fingerprint)
With all three of these factors in play, it is very hard for someone to impersonate you, because they don’t know what you know, don’t have what you have, and are not what you are. It is very hard to steal from you when you use all three of those factors together.
Two-factor authentication uses two of these factors to verify your identity and give access to your account. Using just one of these authentications is not enough to protect you and your company’s private data. If you want to know whether the websites you use offer two-factor authentication, and what options are available, here’s where you can check: https://twofactorauth.org.
If you have an easy-to-guess password but must also enter a random, one-time, six-digit code that you look up on your mobile phone in order to log on to your bank account, it will be difficult for cybercriminals to steal from you. If you’re lucky, they’ll just move on to their next target. But…
Not All Authentication is Created Equal
Two-factor authentication is great for protecting your online accounts, but what you must realize is that not all forms of authentication are equally effective.
Many banking institutions use a PIN sent via text message to authenticate your login. Many US banks use this authentication technique because it’s easy for customers to use. But this is not a truly secure two-factor authentication technique.
First, if a cybercriminal steals your phone (or increasingly, your number), they can intercept your PIN. Second, the phone system that handles text messages has absolutely no security of any kind. It was never designed to do anything that required secrecy. Cybercriminals are adept at hacking into that system to intercept text messages.
How Criminals Can Steal Your Phone Number
Let’s run through a hypothetical situation to show how this might look in practice. Imagine a cybercriminal steals your mobile phone number and attempts to log in to your bank account. They call T-Mobile from a new phone and tell the representative, “I just bought a new iPhone, so I’d like to move my number from my old phone.”
The T-Mobile representative will ask the caller to verify they are the authorized account holder (which, of course, they aren’t). Most often, they’ll ask for the last four digits of your Social Security Number, or a security question that is easy to find online.
Once the cybercriminal “proves” that they’re you, the T-Mobile rep will release your phone number from the old phone and assign it to the new mobile phone, which deactivates service to your handset. Once that process is complete, the criminal now owns your phone number and can receive every text message sent to it.
One by one, the criminal will take control of your online accounts by doing password resets along with the actual PIN texted to your phone number.
To keep your mobile phone number from being stolen, set a random, six-digit account owner PIN with your mobile phone carrier and store it in your password manager. (You’ve paid for a high-quality one, right? 1Password and LastPass are both great choices.)
If you want to move away from text message PINs as a second factor of authentication, use an app like Google Authenticator or Microsoft Authenticator that mathematically generates one-time passwords. Most popular websites work with these apps.
You’re More Secure with an iPhone
Despite the text messaging system itself being insecure, the iPhone is a very secure phone. In fact, even law enforcement struggles to get data from an iPhone.
Up until the iPhone came on the scene, it was very easy for law enforcement to get information from people’s phones. They even had dedicated workstations in police stations for downloading information from suspects’ and victims’ phones. The latest iPhone models do not allow them to do that; the phone will only give up its information if the owner authenticates.
Apple has a special chip that they designed specifically for security, and the chip is part of a subsystem called the Secure Enclave. That is a place where you can store secrets on your iPhone that no one else can access, like an uncrackable safe.
An important tip: be sure to set at least a six-digit unlock code on your mobile phone. It’s just too easy to guess a four-digit PIN.
Start Securing Your Accounts Today
Two-factor authentication can be very secure. When it’s done well and in combination with a password manager, it’s your best option for protecting your sensitive data.
Start with the institutions that carry your most sensitive data—such as banks and cloud services—and enable two-factor authentication if they make it available.
For more advice on two-factor authentication, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).