You’ve probably seen it before. Your bank website pushing you to use 2FA. Or Facebook “recommending” that you turn it on. Or Twitter… or any of a number of other websites.
First off, what is it? It stands for “Two Factor Authentication”. It’s a means of adding some additional security to your account: besides your password, the site uses a second channel, such as texting you, emailing you, or an app on your phone or computer, to confirm that the person logging in is really you.
So, normally, when you log in, a website wants a username and a password. Well, most people are notoriously bad at passwords: if a password is memorable, it can be guessed, and if it can’t be guessed, it almost certainly isn’t memorable. This is a problem, and one that computer criminals like to exploit.
So let’s walk down how a criminal can attack your account. There are three basic forms of attacks: replay, reset, and infrastructure. Replay is about recording information and then replaying it to break in. Reset is about tricking the system into changing your password. Infrastructure is breaking into one or more machines and telling them to allow the bad guys in.
A replay attack can take several forms, including (but by no means limited to) password breaches and “sniffing” on public WiFi. The end result is the same: the attacker gets a username and password pair for your account. If you use that same username and password pair on multiple websites, then one site being compromised means every other site where you used that pair is effectively compromised too. 2FA stops this, since the new login will require additional information that the criminals won’t have.
A reset attack is basically the same thing: an attacker uses the password reset feature on a website to set the password to something of their own choosing. Using weak or easily looked up information about you (where did you go to school, what are your siblings’ names, etc.) as reset questions compounds this problem. 2FA again stops this, since the new login will require additional information that the criminals won’t necessarily have.
An infrastructure attack means that the attacker uses other means to break into the system. This can range from exploiting bugs in the web server, to bribing someone on staff, to literally inserting bad hardware when the server is manufactured! 2FA won’t stop the break-in to *this* site, but it’ll keep the attack from affecting your accounts on other sites.
So what can you do? Here are some things you can do to help protect yourself:
- Don’t re-use passwords across websites. Use completely different passwords.
- Use a password manager. There are some good free ones, and several excellent for-pay ones. I use 1Password myself; some friends of mine use LastPass. Using the password manager means you won’t need to remember the passwords and it will have a generator to create unguessable passwords.
- Use a strong, unique password* for your password manager. DON’T put that password into anything else electronic. DO write it down and lock it in your safe and/or safety deposit box.
- Use 2FA whenever possible.
- Contact your cell phone carrier and see if you can password protect the porting (transfer to a different carrier) of your cell number.
* See https://xkcd.com/936/ for a technique to create better passwords that are actually far easier to remember. Still, you should be using a password manager to minimize the number of passwords you have to keep in your head.