When the majority of our daily work happens online, account security becomes a major concern. Businesses have online accounts to access project plans, customer data, employee data, communication tools, apps, websites, newsletters and social media. What happens when these accounts are compromised? Do options exist for adding another layer of security to the standard login process? The short answer: yes. It’s called two-step verification, also known as two-factor authentication.
What is two-step verification?
Two-factor authentication is a second step in the login process that involves verifying your login with another element besides your password. It’s like adding a zip code for a credit card when fueling a car. Without the zip code, the credit card transaction won’t work. The zip code is the second factor that only the account owner knows. This extra factor adds another layer of protection between the account and a hacker.
How does Google’s two-factor authentication work?
My recent experience with two-step verification occurred when I added my mobile number to a corporate Google account. When logging in, Google sent a verification code to my mobile phone. Accessing the account requires my regular password in addition to a verification code that was texted to my phone.
The password is the knowledge factor (something I know), and the code is the possession factor (something I have), because it is delivered to the phone in my pocket.
Thinking back, two-step verification was also around when I used my first bank ATM. In that case, my ATM card was the possession factor, and my PIN was the knowledge factor. Even if my ATM card was stolen, money could not be retrieved from an ATM without my PIN.
As I started to use Google’s two-factor authentication, I realized it was never a problem to log in because I always had my phone to get the code. But what if I didn’t have my phone? How would I log in?
Google outlines ways to deal with the “lost phone” issue. Calls to a landline phone, physical security keys, the Google Authenticator App and printable codes are all options for giving the two-step process plenty of flexibility and backup.
While none of these combinations is completely fail-safe (for example, an SMS can be intercepted), each one adds another layer that a hacker has to get through before accessing an account.
What about other companies?
Since Google’s two-factor authentication went over so well, I decided to check out a few other sites I frequent.
Activating two-step verification on my Twitter account was fairly painless. Twitter calls its service Login Verification, and it’s very easy to set up. Just follow these steps:
- Log in to Twitter.
- Click on your profile image and select Settings from the drop-down menu.
- Click on Security and privacy on the left-hand side of the page.
- Under the Security section, select the checkbox for Verify login requests.
Pretty straightforward. And Twitter isn’t the only company offering two-step verification.
Yahoo! has been my secondary email client for many years. Let’s see how two-factor works in Yahoo email.
- Log in to Yahoo!
- Hover over Account Profile in the upper, right-hand corner.
- Select Account Info in the drop-down menu.
- Select Account security on the left-hand side.
- Toggle Two-step verification on.
Even if you don’t use Yahoo!, there’s likely a way you can add two-step verification to your mail client. Check out their help pages and see what you can do to set it up.
Creating a secure environment for logins is becoming a standard practice across the internet. Services like WordPress, MailChimp and Facebook all have options for increased account security. Simply go to your account settings on any given platform to read their methods for login options.
Is there an industry standard?
When something becomes a common practice across the internet, standards are usually created to ensure ease of use and interoperability between systems. Sure enough, the hot topic of secure logins resulted in a standards body.
The FIDO Alliance (Fast Identity Online) is the industry consortium that manages the U2F standard (Universal 2nd Factor). The U2F protocol strengthens password infrastructures by enabling a strong second factor during user logins.
Authentication apps for your mobile device
If receiving a verification code via SMS is not your first preference, consider apps made specifically for the purpose of secondary authentication. Google Authenticator, Authy and Duo are three apps that generate one-time login codes.
It’s interesting to think about how these apps work for authentication in cases when the device is offline. Solutions to situations like these are part of the beauty of computer science. To keep the server and an offline device in sync, algorithms exist to generate the codes from an independent factor that both sides can observe on their own, like the time on the clock.
Regardless of two-step verification, it’s important to be aware of best practices for strong passwords. For a strong password, you can:
- Combine letters, numbers and symbols
- Avoid common sequences like 123456
- Avoid commonly guessed words like “password” or personal information
With a strong, secure password and two-step verification, you’re well on your way to steadfast security. Plus, you can always look into a password manager to keep things organized. Good luck in keeping your accounts locked and out of harm’s way!
Also published on Medium.