Using Two-Factor Security To Login to Internet Websites

Matt Bonvicin | Online Privacy/Security

Ideally, we should all be using passwords like dasKHJs6^az rather than CollegeMascot14 (I’ve done a lot of tech support in my time and college mascots/chants seem to be the most common passwords). And for that matter a password should never be reused.

But let’s face it: that’s a pain in the butt. I do recommend a good password manager program as you start evaluating your online security but that will be in another USPV e-Privacy post.

Fortunately many websites are offering a great alternative: 2-factor security.

What Is 2-Factor Security?

Normally, to log in to a website you enter your username (or, more likely, email address) as well as your password. But should someone find out that password, they have instant access to your account. In addition, malicious people launch brute-force attacks on websites (where programs repeatedly try different passwords). Then there’s the fact that many websites, like companies, just don’t have adequate security measures… resulting in situations such as my credit card being replaced due to the Target breach a few months ago.

Unlike a “normal” login, 2-factor security requires something you have in addition to something you know (your password). So even someone possessing your password still can’t access your account. This is similar to an ATM transaction, which relies on you both possessing the debit card and knowing the PIN code, but online 2-factor systems usually use your cell phone to send you a single-use number to complete the login process. Now a hacker needs both your password and a number on your phone that’s only valid for a minute or so, which is tough assuming they haven’t stolen your phone.

Configuring 2-Factor Security for Gmail

Google was one of the first companies to offer 2-factor security. To get started setting up your account, follow the instructions here: https://www.google.com/landing/2step.

First, you’ll be asked for your cell phone number:

Next, you’ll be sent a 6-digit number via text message which needs to be entered:

Assuming the code was entered correctly you’ll be prompted to “trust” the computer you’re on. If you’re on a personal computer it’s best to check this:

And finally, confirm that you’d like to use 2-step verification:

From now on, when you log in, Google will prompt you to have a security code sent to you by text message, which you will then enter:

At this point you’ll also have the option of “Trusting this computer” so you won’t be asked for a security code again for 30 days. Be sure to not check this unless you’re using your own computer.

A few additional Google-related notes:

  • You can turn 2-factor security off at any time by following the instructions here: https://support.google.com/accounts/answer/1064203.
  • Certain applications such as Microsoft Outlook and many mobile phone/tablet email clients do not support 2-factor security. To use these when you have 2-factor security enabled you’ll need to create application-specific passwords for each. These are individual passwords that bypass two-factor security. You can find details on how to configure these here: https://support.google.com/accounts/answer/185833.

Now Use It!

More and more Internet websites are supporting 2-factor security, such as Dropbox, Facebook and LinkedIn. If you use it on numerous sites, I suggest installing Google Authenticator (https://support.google.com/accounts/answer/1066447) or, on Windows phones, Windows Authenticator (http://www.windowsphone.com/en-us/store/app/authenticator/e7994dbc-2336-4950-91ba-ca22d653759b).

These apps show all of your 2-factor security codes in one place and eliminate the need to send text messages.

Happy securing!

About the Author

Matt Bonvicin

Matt is an entrepreneur, programmer, and database/systems admin who enjoys toying with new technologies. He is a partner at U.S. Private Vaults as well as its Chief Technology Officer.
