4 min read

Passwords just aren't enough

Passwords, it's near impossible to have never used those jumble of characters these days. I've posted about the use and management of passwords before. But these days passwords just aren't enough. Especially when people tend to use very simple passwords and using them on multiple websites. But like I said I posted on that subject before so I'm not going to do the name and shame game...you have been warned before! No instead I'm going to tell you how to increase security of your digital selves by using something more then just a password to authenticate yourself when logging in on something like Facebook. What if I told you that you can easily add an extra level to your current method of authentication by a simply adding your mobile phone number to your account. Sure I hear you saying...but all that extra effort and for what? Well an extra layer of security for starters but it's not that hard to add this. And besides you won't have to authenticate yourself with your mobile phone every time you login to a service like Facebook, Google, Dropbox, etc. but just when you login from an unknown device or after a certain amount of days. It's called two-factor authentication. And this is what Wikipedia has to say on it:

Two-factor authentication is commonly found in electronic computer authentication, where basic authentication is the process of a requesting entity presenting some evidence of its identity to a second entity. Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. The number of factors is important, as it implies a higher probability that the bearer of the identity evidence indeed holds that identity in another realm (e.g., computer system vs real life). In reality, there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many "factors" are used. Two-factor authentication is often confused with other forms of authentication. Two-factor authentication requires the use of two of the three authentication factors. The factors are identified in the standards and regulations for access to U.S. Federal Government systems. These factors are:
  • Something the user knows (e.g., password, PIN, pattern)
  • Something the user has (e.g., ATM card, smart card, mobile phone)
  • Something the user is (e.g., biometric characteristic, such as a fingerprint)
Basicly this break down to you using your credentials (username & password) that you are already familiar with and a mobile phone that can either receive a text message or can generate a code by using an smartphone app. I'll show you how to enable it for a few services.

Head over to Dropbox (be logged in of course) and go to Settings > Security and click on change just in-front of Two-step verification. The rest of the settings should be straight forward.

Click this link for Facebook to navigate to Login Approvals (Facebook's way of saying two-factor authentication) then click the checkbox and run through the settings. Next time you login from an unknown device you will get a text via your mobile device and use it to authenticate yourself.

Google was probably the first to introduce two-factor authentication to its users back in September of 2010. To set up two-factor head over to your Google Account and navigate to the Security section. Then it's a matter of clicking on Settings under the 2-step verification heading and working through the options. You can choose to use text messages (similar to Facebook) or use a application called Google Authenticate which generates time based codes. You might also consider adding a backup phonenumber and using the printable backup codes. The backup codes are useful in case of an emergency.

There are many services that offer two-factor authentication these days among those are also Microsoft, Apple and many more so check the security settings of the service your using if you wish to enable it.I will however mention how to enable SSH two-factor authentication for the more tech savvy users among us. I've seen two methods of enabling it but only successfully tested one. The first was posted on Howtogeek which has some well written howto's (that are very easy to follow) but this one didn't work on my version of Linux. It might however work fine for yours. The second one works just fine however it uses a hardcoded secret so if you want to enable it on a per users basis you will have to update the python code or use the Howtogeek option. I'll leave you with a bit of wisdom from the same Wikipedia page I quoted earlier or Limitation of two-factor authentication:

Limitations According to proponents, TFA could drastically reduce the incidence of online identity theft, and other online fraud, because the victim's password would no longer be enough to give a thief permanent access to their information. However, many TFA approaches remain vulnerable to man-in-the-browser and man-in-the-middle attacks.[3] In addition to such direct attacks, three aspects must be considered for each of the 2 (or more) factors in order to fully realize the potential increase in confidence of authentication:
  • The inherent strength of the mechanism, i.e. the entropy of a secret, the resistance of a token to cloning, or the uniqueness and reliability of a biometric.
  • Quality of provision and management. This has many aspects, such as the confidence one can have that a token or password has been securely delivered to the correct user and not an imposter, or that the correct individual has been biometrically enrolled, as well as secure storage and transmission of shared secrets, procedures for password reset, disabling a lost token, re-enrollment of a biometric, and prompt withdrawal of credentials when access is no longer required.
  • Proactive fraud detection, e.g. monitoring of failed authentication attempts or unusual patterns of behavior which may indicate that an attack is under way, and suitable follow-up action.