Two Factor Authentication

2FA is an easy way to increase the security and reliability of online accounts. Standard account authentication has been made up of username and password combinations. Any notable security event can disclose credentials: poorly developed software, company data sharing, failed system patching. Once a set of credentials is out in the wild, it can easily be obtained and used to compromise related accounts.

If you use the same password everywhere, you have a problem.

Even unique passwords per site can get leaked. The first layer of defense in the web-secrets pipeline is HTTPS. The number of high profile sites that still have no HTTPS security in play is a bit concerning. Sites without a proper SSL certificate should be considered extremely risky. In the grand scheme, we should just assume that at some point all usernames and passwords will be disclosed. Looking at the well documented data dumps should lend that argument merit. Curious types can see just how special their unique password is with a recent password disclosure search.

We should manage website logons like burner phones.

All credentials should be based on unique passwords for every website. There are several programs that manage unique passwords, but 1password is best of breed. It gives a user access to all the credentials created from a mobile app, desktop app or browser plugin. This makes managing passwords and logon details simple. The key feature, though, is the creation of strong unique passwords for every logon, every time.

What every credential needs is something you know and something you possess.

2FA is based on this possession and knowledge predicate. When used, the logon process includes submitting a value that changes continually over time. This provides an extra layer of security, as the account is less susceptible to a credential brute-force attack. Many accounts require you to set up 2FA as a separate step in the account settings section. 2FA is typically added to an authenticator app installed on a user's mobile, giving the owner the ability to enter a rotating token based on possession of that mobile. A special case is the SMS 2FA system, where a user is sent a code via SMS to enter during logon. This form of 2FA is much less secure because a phone provider could be tricked into a SIM swap. That would allow a threat actor to have the 2FA token generated and sent to the new mobile.

Setting up two factor authentication should be one of the first steps on a security checklist.
