Using your phone to prove who you are adds an extra layer of protection to your online accounts.
The recent high-profile attack on US technology journalist Mat Honan proves that strong passwords alone are not enough to protect you against malicious hackers. After gleaning information from various sources, a hacker tricked Apple’s tech support into granting them access to Honan’s iCloud account. From here the hacker wiped Honan’s iPhone, iPad and MacBook, erased their online backups, deleted Honan’s Google account and took control of his Twitter feed.
Honan was the victim of an elaborate social engineering scam, but it’s not that hard for hackers to learn enough about you to impersonate you. The concept of “two-factor” authentication makes it harder for hackers to breach your defences by requiring them to present two forms of identification. Two-factor authentication tends to involve something you know, such as a password, and something you have. The something you have might be your fingerprint, a USB stick or a keyring token displaying an ever-changing code. But it can also be a one-time code sent to your mobile phone.
Both Google and Facebook offer the option to enable two-factor authentication to guard against unauthorised access to your accounts. Once activated, it texts a one-off code to your mobile phone whenever you try to log in from a new computer for the first time. With two-factor authentication enabled, you’re required to enter both your password and the code sent to your phone. Once you’ve logged in, you’ve the option to set that computer as a “trusted device” so you’re not continually forced to enter an SMS code when logging in from your own computer.
While two-factor authentication can foil hackers, there are times when it can also make your life more difficult. When setting up two-factor authentication for a Google or Facebook account, you’ll need to manually configure a second password for apps and devices not designed to handle two-factor authentication. This includes running Exchange on a smartphone to access your Google email, contacts and calendars. This takes time but is thankfully a once-only process.
Two-factor authentication can also make life difficult if you lose access to your mobile phone or can’t reach the mobile network. As a workaround Google offers its Google Authenticator mobile app for iPhone, Android and BlackBerry, which can generate codes when you’re offline. Facebook offers a similar app, but only for Android. Google also offers the option of printable one-time “backup codes” which you can keep in your wallet in case your phone is out of action.
Two-factor authentication is not a magic bullet for solving all of your online security worries, but it certainly helps. It’s also important to use strong passwords and not to use the same password for multiple services.