So you upgraded your password but it dawns on you that passwords are getting stolen all the time and you start to think: wouldn’t it be nice if there were something other than a password to protect your most important accounts?
Turns out there is. It’s called two-step, or two-factor authentication. What is it? Think about the way ATMs work. In order to get your cash, you need two things: something you have (the ATM card itself) and something you know (a 4-digit PIN). Either one alone would be very easy to steal but by their powers combined, they form a level of security that is much greater than the sum of its parts. Hence, two factors.
The proof of the pudding is in the eating, and the proof of insecurity is in the magnitude of theft. Hackers took 56 million payment card numbers from Home Depot in one go, but to rob ATMs they need to set up skimming equipment and steal accounts one at a time. Two factors don't make theft of your cash impossible, but they do make it a lot harder. Part of what enabled the recent celebrity photo leak is that Apple's two-factor authentication did not protect iCloud backups (this has since been fixed).
Over the past few years, sites have begun offering a two-step authentication option that uses temporary codes sent to your phone. This means that in order to access Gmail, for example, you would need something you know (your password) and something you have (your phone, to get the temporary code).
Ah, you say, but it would be a big pain to have to get a code every time I want to check my email.
Yes, it would be. Which is why these systems work a little differently from the commercial two-factor systems designed for large enterprises. For example, when you set up Gmail on your phone, you'll need to enter a code once, the first time you set it up. Someone might steal your phone, of course, but two-factor authentication will prevent someone who has only your password from setting up your account on their phone to snoop on your email.
On laptops and desktops, you'll usually have the option to "remember" a computer for, e.g., 7 or 30 days. This way, you don't have to enter a code each and every time, but if you ever need to log in to your Gmail from someone else's computer, a password captured on that machine won't be enough on its own to get into your account.
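To make the last few paragraphs concrete, here is a small server-side model of the flow they describe: a password check, a temporary code "sent" to the phone, and a signed "remember this computer" token that lets a known machine skip the code for 30 days. This is an added example written for this post, not code from Google or any other service mentioned here; the user account, the five-minute code lifetime and the five-attempt limit are all assumptions, and the code is returned to the caller instead of being texted so it runs offline.

```python
# Added example: a minimal model of "password + temporary code" with a
# 30-day remembered-device token. Not the original post's code; the sample
# account, lifetimes and limits below are assumptions for illustration.
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 5 * 60        # assumption: a texted code is good for five minutes
MAX_CODE_ATTEMPTS = 5            # assumption: stop guessing after five wrong tries
SERVER_SECRET = secrets.token_bytes(32)   # stand-in for a persistent server signing key


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored as salted PBKDF2 hashes, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account (hypothetical user, not real data).
_SALT = b"constructed-example-salt"
USERS = {"alice": {"salt": _SALT, "pw": _hash_password("correct horse", _SALT)}}

# Outstanding one-time codes: user -> {hash, expires, attempts}
PENDING = {}


def check_password(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]), rec["pw"])


def issue_code(user: str, now: float) -> str:
    """Generate a six-digit code, keep only its hash, and 'send' it to the phone."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[user] = {"hash": hashlib.sha256(code.encode()).digest(),
                     "expires": now + CODE_TTL_SECONDS,
                     "attempts": 0}
    # A real site hands `code` to an SMS gateway here; returning it lets the
    # example run offline.
    return code


def verify_code(user: str, code: str, now: float) -> bool:
    """Accept a code only if it is unexpired, unused, under the attempt limit and equal."""
    entry = PENDING.get(user)
    if entry is None or now > entry["expires"]:
        PENDING.pop(user, None)
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_CODE_ATTEMPTS:
        PENDING.pop(user, None)
        return False
    ok = hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry["hash"])
    if ok:
        PENDING.pop(user, None)   # a code works exactly once
    return ok


def remember_device(user: str, now: float, days: int = 30) -> str:
    """Signed 'remember this computer' token; the browser keeps it as a cookie."""
    expires = int(now) + days * 86400
    msg = f"{user}|{expires}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{sig}"


def device_is_remembered(user: str, token: str, now: float) -> bool:
    """Valid only if the signature checks out, the user matches and it has not expired."""
    try:
        tuser, texpires, sig = token.split("|")
        expires = int(texpires)
    except ValueError:
        return False
    if tuser != user or now > expires:
        return False
    expected = hmac.new(SERVER_SECRET, f"{tuser}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def login(user: str, password: str, now: float, code=None, device_token=None) -> bool:
    """The password is always required; the code is required unless this device is remembered."""
    if not check_password(user, password):
        return False
    if device_token is not None and device_is_remembered(user, device_token, now):
        return True
    return code is not None and verify_code(user, code, now)
```

Two details matter more than they look. The server never stores the code itself, only a hash, and each code works once, so a code read off a lost phone after the fact is worthless; and the remembered-device token is only a shortcut past the code, never past the password, so a stolen cookie on its own still won't log anyone in.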
That sounds great, you say. If only there were a website I could go to that listed several popular services, told me whether they supported two-factor authentication or not and if so, link to instructions for how to set it up.
I’m happy to report that someone has done exactly that: https://twofactorauth.org/
If you're interested, the incident that inspired the creation of this site is a very interesting read. Even if you don't own any valuable digital assets, it's still worthwhile to see just how much of a sophisticated hack is basic human manipulation (the technical term for this is social engineering) rather than the technical wizardry you might assume.
Two-factor authentication isn't for everyone, and I don't recommend you enable it for every site. But it's a great option for the handful of services that are really important to you.
One last question you might be asking: why doesn't Oxy support two-factor authentication? The simple (albeit unsatisfying) answer is that our environment falls under the category of "complex enterprise deployment," and that makes two-factor a much more expensive and complex option for us. That said, the technology is improving every day, and being able to offer two-factor in a user-friendly form is something I'm very keen on. I hope that by the time next year's NCSAM rolls around, I'll have something new to announce.