{"id":61436,"date":"2014-08-12T20:20:26","date_gmt":"2014-08-13T00:20:26","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2021-07-20T12:43:56","modified_gmt":"2021-07-20T16:43:56","slug":"who-needs-two-factor-authentication","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/who-needs-two-factor-authentication\/","title":{"rendered":"Who Needs Two-Factor Authentication"},"content":{"rendered":"<p data-textannotation-id=\"538f7fbc68d534eeaaf7a4a5c6900e7d\"><em><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-92087 \" title=\"Who Needs Two-Factor Authentication\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/att-ipad-data-breach-hits-home-1.jpg?resize=92%2C69&#038;ssl=1\" alt=\"Who Needs Two-Factor Authentication\" width=\"92\" height=\"69\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/att-ipad-data-breach-hits-home-1.jpg?resize=150%2C113&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/att-ipad-data-breach-hits-home-1.jpg?resize=75%2C56&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/att-ipad-data-breach-hits-home-1.jpg?w=430&amp;ssl=1 430w\" sizes=\"auto, (max-width: 92px) 100vw, 92px\" \/><\/em><em>The recent <a title=\"Russian Hackers Amass Over a Billion Internet Passwords\" href=\"https:\/\/www.nytimes.com\/2014\/08\/06\/technology\/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html\" target=\"_blank\" rel=\"noopener noreferrer\">epidemic<\/a> of online security breaches has shown the folly of passwords as the sole protector of your online data. 
As I have covered several times, <\/em><em>most users <a title=\"25 Most-Used Passwords Revealed\" href=\"http:\/\/wp.me\/p2wgaW-4zA\" target=\"_blank\" rel=\"noopener noreferrer\">depend on the<\/a> <a title=\"Password Insecurity\" href=\"http:\/\/wp.me\/p2wgaW-uw\" target=\"_blank\" rel=\"noopener noreferrer\">same passwords<\/a>. So what are we to do? <\/em>One solution is <strong>Two-Factor Authentication<\/strong>.<\/p>\n<p data-textannotation-id=\"538f7fbc68d534eeaaf7a4a5c6900e7d\"><a title=\"John Shier\" href=\"http:\/\/nakedsecurity.sophos.com\/author\/johnshier\/\" target=\"_blank\" rel=\"noopener noreferrer\">John Shier<\/a> at <a title=\"Sophos\" href=\"https:\/\/web.archive.org\/web\/20240415214827\/https:\/\/www.sophos.com\/en-us\" target=\"_blank\" rel=\"noopener noreferrer\">Sophos<\/a>&#8216; <em><a title=\"Naked Security blog\" href=\"http:\/\/nakedsecurity.sophos.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Naked Security<\/a><\/em> blog <a title=\"Security essentials: What is two-factor authentication?\" href=\"http:\/\/nakedsecurity.sophos.com\/2013\/10\/10\/security-essentials-what-is-two-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">provided<\/a> a primer on multi-factor authentication. 
Two-Factor Authentication is a subset of <a title=\"Multi-factor authentication\" href=\"http:\/\/en.wikipedia.org\/wiki\/Multi-factor_authentication\" target=\"_blank\" rel=\"wikipedia noopener noreferrer\">Multi-factor authentication<\/a> (MFA).\u00a0 MFA is an authentication process where two of three recognized factors are used to identify a user:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.bestvpn.com\/\" target=\"_blank\" rel=\"authentication multi-factor noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-92091\" title=\"multi-factor authentication\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/2fa.png?resize=143%2C82&#038;ssl=1\" alt=\"multi-factor authentication\" width=\"143\" height=\"82\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/2fa.png?resize=150%2C86&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/2fa.png?resize=75%2C43&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/2fa.png?w=602&amp;ssl=1 602w\" sizes=\"auto, (max-width: 143px) 100vw, 143px\" \/><\/a><strong>Something you know<\/strong> &#8211; usually a password, passphrase, or PIN.<\/li>\n<li><strong>Something you have<\/strong> &#8211; a cryptographic smartcard or token, a chip-enabled bank card, or an RSA <a title=\"SecurID\" href=\"https:\/\/web.archive.org\/web\/20150317011005\/http:\/\/www.emc.com:80\/security\/rsa-securid.htm\" target=\"_blank\" rel=\"homepage noopener noreferrer\">SecurID<\/a>-style token with rotating digits.<\/li>\n<li><strong>Something you are<\/strong> &#8211; fingerprints, iris patterns, voiceprints, or similar.<\/li>\n<\/ul>\n<h4>How two-factor authentication works<\/h4>\n<p><a title=\"Two-factor authentication\" href=\"http:\/\/en.wikipedia.org\/wiki\/Two-factor_authentication\" target=\"_blank\" rel=\"wikipedia noopener noreferrer\">Two-factor authentication<\/a> works by demanding that two of 
these three factors be correctly entered before granting access to a system or website. So if someone manages to get hold of your password (something you know), the article says they still will not be able to get access to your account unless they can provide one of the other two factors (something you have or something you are).<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20170125044337\/http:\/\/www.poweryourpractice.com:80\/\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-92095\" title=\"Data breach\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/what-to-do-after-security-breach2-1.jpg?resize=109%2C109&#038;ssl=1\" alt=\"Data breach\" width=\"109\" height=\"109\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/what-to-do-after-security-breach2-1.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/what-to-do-after-security-breach2-1.jpg?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/what-to-do-after-security-breach2-1.jpg?w=347&amp;ssl=1 347w\" sizes=\"auto, (max-width: 109px) 100vw, 109px\" \/><\/a>The author explains that secure tokens with rotating six-digit codes can be used to remotely access internal systems via a VPN session. Users need to give a username, a password, and the six-digit code from the <a title=\"Security token\" href=\"http:\/\/en.wikipedia.org\/wiki\/Security_token\" target=\"_blank\" rel=\"wikipedia noopener noreferrer\">secure token<\/a> appended to a PIN. Home users can use a sort of two-factor authentication using <a title=\"Short Message Service\" href=\"http:\/\/en.wikipedia.org\/wiki\/Short_Message_Service\" target=\"_blank\" rel=\"wikipedia noopener noreferrer\">SMS<\/a> code verification. 
This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).<\/p>\n<p>The availability of mobile network service and the unreliable nature of SMS can make SMS 2FA difficult. However, some services allow you to use an authenticator app in addition to your password which presents you with a different numeric one-time password (<a title=\"One-time password\" href=\"http:\/\/en.wikipedia.org\/wiki\/One-time_password\" target=\"_blank\" rel=\"wikipedia noopener noreferrer\">OTP<\/a>) for each service that you register with the app. Both Google and Windows make these apps freely available in their respective stores.<\/p>\n<p>Authenticator apps can be great for signing into sites like Google, Facebook, and Twitter even when your phone does not have service (mobile or otherwise).<\/p>\n<h4>Two-factor authentication makes it harder<\/h4>\n<p data-textannotation-id=\"e77950f769fff554d156648111fbb8ea\"><a href=\"https:\/\/mrktngguys.wordpress.com\/2010\/04\/06\/top-5-marketing-essentials-for-2010-part-4\/\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-92098\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-email-reject.jpg?resize=110%2C110&#038;ssl=1\" alt=\"SPAM email\" width=\"110\" height=\"110\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-email-reject.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-email-reject.jpg?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-email-reject.jpg?w=347&amp;ssl=1 347w\" sizes=\"auto, (max-width: 110px) 100vw, 110px\" \/><\/a><a title=\"Parker Higgins\" href=\"https:\/\/web.archive.org\/web\/20161011224632\/https:\/\/www.eff.org\/about\/staff\/parker-higgins\" target=\"_blank\" rel=\"noopener 
noreferrer\">Parker Higgins<\/a> at the <a title=\"EFF\" href=\"https:\/\/www.eff.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">EFF<\/a>, <a title=\"How to Enable Two-Factor Authentication on Twitter (And Everywhere Else)\" href=\"https:\/\/www.eff.org\/deeplinks\/2013\/05\/howto-two-factor-authentication-twitter-and-around-web\" target=\"_blank\" rel=\"noopener noreferrer\">says<\/a> normal password logins, which use single-factor authentication, just check whether you <em>know<\/em> a password. This means anybody who learns your password can log in and impersonate you. Adding a second factor, like pairing a PIN (something you know) with your ATM card (something you have), makes it harder to impersonate you. You need to both have the card and know its PIN to make a withdrawal.<\/p>\n<p data-textannotation-id=\"e77950f769fff554d156648111fbb8ea\">Online two-factor authentication brings the same concept to your services and devices by using your phone\u2014which means that even if your password is compromised by a keylogger in an Internet caf\u00e9, or through a company&#8217;s security breach, your account is safer, according to the EFF.<\/p>\n<p data-textannotation-id=\"06ac8b194768a309e66b3aed92101eb1\">That&#8217;s important because phishing, which is one of the most common ways in which accounts are compromised, only captures passwords. By adding a different factor, phishing attacks become much more complicated and much less effective, according to Mr. 
Higgins.<\/p>\n<p data-textannotation-id=\"28146649734889d0d7cfebe1666a5562\"><a href=\"https:\/\/web.archive.org\/web\/20140616212005\/http:\/\/www.allspammedup.com:80\/2013\/09\/study-are-women-more-vulnerable-to-phishing-attacks\/\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-92101\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-phishing.jpg?resize=91%2C116&#038;ssl=1\" alt=\"Phishing\" width=\"91\" height=\"116\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-phishing.jpg?resize=118%2C150&amp;ssl=1 118w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-phishing.jpg?resize=59%2C75&amp;ssl=1 59w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/2014\/08\/spam-phishing.jpg?w=758&amp;ssl=1 758w\" sizes=\"auto, (max-width: 91px) 100vw, 91px\" \/><\/a>As two-factor authentication systems have become more popular, they have also become increasingly user-friendly; the EFF believes it doesn&#8217;t have to be a difficult trade-off of convenience for security. 
Major services like <a title=\"Getting started with login verification\" href=\"https:\/\/blog.twitter.com\/2013\/getting-started-with-login-verification\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>, <a title=\"Google 2-Step Verification \" href=\"http:\/\/www.google.com\/landing\/2step\/\" target=\"_blank\" rel=\"noopener noreferrer\">Google<\/a> (<a title=\"NASDAQ : GOOG\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-GOOG\/\" target=\"_blank\" rel=\"noopener noreferrer\">GOOG<\/a>), <a title=\"Protecting your LinkedIn Account with Two-Step Verification\" href=\"https:\/\/web.archive.org\/web\/20211215120855\/https:\/\/blog.linkedin.com\/2013\/05\/31\/protecting-your-linkedin-account-with-two-step-verification\" target=\"_blank\" rel=\"noopener noreferrer\">LinkedIn<\/a>\u00a0(<a title=\"NYSE : LNKD\" href=\"https:\/\/www.google.com\/finance?cid=13210501\" target=\"_blank\" rel=\"noopener noreferrer\">LNKD<\/a>), <a title=\"Introducing Login Approvals\" href=\"https:\/\/www.facebook.com\/note.php?note_id=10150172618258920\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>\u00a0(<a title=\"NASDAQ : FB\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-FB\/\" target=\"_blank\" rel=\"noopener noreferrer\">FB<\/a>), <a title=\"How do I enable two-step verification on my account?\" href=\"https:\/\/web.archive.org\/web\/20170327104147\/https:\/\/www.dropbox.com\/en\/help\/363\" target=\"_blank\" rel=\"noopener noreferrer\">Dropbox<\/a>, <a title=\"Frequently asked questions about two-step verification for Apple ID\" href=\"https:\/\/support.apple.com\/kb\/HT5570\" target=\"_blank\" rel=\"noopener noreferrer\">Apple<\/a> (<a title=\"NASDAQ : AAPL\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-AAPL\/\" target=\"_blank\" rel=\"noopener noreferrer\">AAPL<\/a>), <a title=\"Microsoft\" href=\"http:\/\/www.microsoft.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft<\/a> (<a title=\"NASDAQ | MSFT\" 
href=\"https:\/\/www.google.com\/finance?cid=358464\" target=\"_blank\" rel=\"noopener noreferrer\">MSFT<\/a>), <a title=\"Two-factor Authentication\" href=\"https:\/\/github.com\/blog\/1614-two-factor-authentication\" target=\"_blank\" rel=\"noopener noreferrer\">GitHub<\/a>, <a title=\"Two-Step Verification Available to All Users\" href=\"https:\/\/web.archive.org\/web\/20180701070719\/http:\/\/blog.evernote.com\/blog\/2013\/10\/04\/two-step-verification-available-to-all-users\/\" target=\"_blank\" rel=\"noopener noreferrer\">Evernote<\/a>, <a title=\"Security \u00bbTwo Step Authentication\" href=\"http:\/\/en.support.wordpress.com\/security\/two-step-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">WordPress<\/a>,\u00a0<a href=\"http:\/\/www.yahoo.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Yahoo<\/a> (<a href=\"https:\/\/www.tradingview.com\/chart\/YHOO\/EWjh1a3K-The-last-YHOO-chart-for-posterity-hello-AABA\/\" target=\"_blank\" rel=\"noopener noreferrer\">YHOO<\/a>) <a title=\"How to Set Up Yahoo's Two-Step Verification and App Password\" href=\"http:\/\/news.softpedia.com\/news\/How-to-Set-Up-Yahoo-s-Two-Step-Verification-and-App-Passwords-387736.shtml\" target=\"_blank\" rel=\"noopener noreferrer\">Mail<\/a> and <a title=\"Amazon\" href=\"http:\/\/www.amazon.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon<\/a> (<a title=\"NASDAQ : AMZN\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-AMZN\/\" target=\"_blank\" rel=\"noopener noreferrer\">AMZN<\/a>) <a title=\"Multi-Factor Authentication \" href=\"http:\/\/aws.amazon.com\/iam\/details\/mfa\/\" target=\"_blank\" rel=\"noopener noreferrer\">Web Services<\/a> have enabled two-factor authentication.<\/p>\n<p data-textannotation-id=\"28146649734889d0d7cfebe1666a5562\"><strong><em>rb-<\/em><\/strong><\/p>\n<p><em>Users should get used to two-factor authentication. 
2FA is not available everywhere, but many of the most popular sites and services on the internet use the technology. Hopefully, this will compel the rest to follow suit. There is Android malware in the wild that is specifically designed to steal SMS verification codes in order to thwart 2FA, so you still need anti-malware on your mobile devices.<\/em><\/p>\n<p><em>In the wake of recent POS attacks (<a title=\"Remote Desktop Opens Door to POS Malware\" href=\"http:\/\/wp.me\/p2wgaW-iyk\" target=\"_blank\" rel=\"noopener noreferrer\">which I covered here<\/a>), <a title=\"U.S. Gov Recommends 2FA for POS Remote Access Security\" href=\"https:\/\/www.duosecurity.com\/blog\/u-s-gov-recommends-2fa-for-pos-remote-access-security\" target=\"_blank\" rel=\"noopener noreferrer\">DHS has recommended 2FA<\/a> for POS systems. While it is not bulletproof, it does increase your security by making it harder for your accounts to be compromised. All users will need Two-Factor Authentication.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li>Fending off automated attacks with two-factor authentication (cloudentr.com)<\/li>\n<\/ul>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. 
You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A solution to many data breaches is 2FA: if an attacker gets your password, they can't get access to your account unless they also have another authentication factor.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[2292,2682,420,101,266,536,92,317,696,82,421,2213,2216,209,2215,4,2214,1384,281,1546],"class_list":["post-61436","post","type-post","status-publish","format-standard","hentry","category-security","tag-2292","tag-2fa","tag-aapl","tag-apple","tag-eff","tag-goog","tag-google","tag-linkedin","tag-lnkd","tag-microsoft","tag-msft","tag-multi-factor-authentication","tag-otp","tag-password","tag-pin","tag-security","tag-security-token","tag-sms","tag-sophos","tag-two-factor-authentication"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/61436","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=61436"}],"version-history":[{"count":19,"href":"https:\/\/rba
ch.net\/index.php\/wp-json\/wp\/v2\/posts\/61436\/revisions"}],"predecessor-version":[{"id":131270,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/61436\/revisions\/131270"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=61436"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=61436"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=61436"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}