Additional Security: The Importance of Two-Factor Authentication

Ryan Miranda - UI/UX Developer

The (Sad) State of Internet Security

The Armor Techs' blog is full of posts discussing security and passwords, and this post is going to be in much the same vein. The security of your data on the web is becoming (read: has always been) super important, and the companies we rely on to use our data fairly and transparently aren't upholding their end of the bargain. On top of that, there are countless people and companies participating in less-than-legal practices to obtain your data, whether it be phishing, hacking, or scamming it away from you.

We've discussed passwords and passphrases, and how to use these to protect your information. We've also discussed security, and how to identify what might be a scam versus what is a legitimate correspondence from a company. The unfortunate truth is that these two steps are often just short of providing you the peace of mind that you should have when dealing with sensitive information online. So, the question becomes, "How do I further protect my data online?"

Two-Factor Authentication

Arguably, the easiest step, and the one I'm going to focus on, is Two-Factor Authentication, or 2FA/TFA. Two-Factor Authentication is the process of having a second step, or second factor, in your login process. Many companies accomplish this through an email notification when you log into a new device, through another piece of software or hardware, called an "Authenticator," or even through an SMS text message.

Two-Factor Authentication isn't a new concept, and the internet isn't the reason it came to be. One of the earliest uses of TFA is in banking, with the debit card. Let's set this up as an analogy: your debit card is your initial username and password—it has your account number, is tied directly to your name, and identifies that you are who you say you are. However, in order to access your account, and the money inside it, you have a second factor of authentication, that being your Personal Identification Number, or PIN.

The idea of TFA comes back to trying to prevent identity theft, both in our analogy above and in practice on the internet. If somebody has access to your debit card that they shouldn't, they're attempting to steal your identity in some capacity. Since your PIN is supposed to be a personal number that only you know, anyone holding the card can't fully steal your identity without it. This idea comes full circle when talking about TFA on the internet.

Say somebody has your email address and password. They can sign you up for just about anything on the internet with just these two pieces of information, and sometimes the results can be catastrophic. Now, if your email account itself has TFA tied to it, even if they sign you up for everything under the sun, they won't be able to verify the email address, and (for the most part) that's the end of the damage they can do. If you didn't have TFA enabled on your email, they basically have access to your entire online presence.

Another Look at TFA

Take a moment to do a little math: how many services do you use that identify you by email address? Social media, streaming services like Netflix, news websites where comments are left publicly, and so many more are all at risk without this additional layer of security. And the worst part of it all? These identity thieves on the internet can change your email password, as well as your password to any service tied to your email. Once that happens, it creates a HUGE headache to try to recover these accounts and to get your online (and possibly offline) presences back in order.

Think about this in another light: you run a business, and you have an office email address. Your company uses this same email address to talk to distributors, clients, sign up for services, do marketing, Pay-Per-Click (PPC) campaigns, and just about anything else. Imagine how vital it is to protect the data that specific email address allows access to. If it's compromised, essentially your entire business is compromised, and there's no telling how much havoc the potential identity thief is going to cause. From client credit card information to your brand identity on the internet, all of it could be lost due to an insecure password, or lack of security.

Setting Up Your Two-Factor Authentication

Two-Factor Authentication is relatively easy to set up too, especially in the age of smart devices. Google offers an app that can be integrated into your logins if your company provides an app or uses any proprietary software, or if a service offers this integration. Otherwise, almost every major service, including Google, Yahoo!, and Microsoft, has a way to enable SMS text message TFA, which is usually right inside the security settings on your account. Google also just released its own FIDO security key, called the Titan. Titan Security Keys are built with a hardware chip that includes firmware engineered by Google to verify the key’s integrity. This helps to ensure that the keys haven’t been physically tampered with.

Here's a video Google made about two-step verification basics, which provides a good idea of what's involved.

Below are a few brief walkthroughs of activating TFA on some of the more popular email services.

Gmail TFA Setup

Two-Factor Authentication has been built into Gmail since early 2011, and setting it up is as easy as setting up a new Gmail account. All you need to do is visit your account settings and click on the Sign-in & security section. Right in the middle of your screen should be a "2-Step Verification" box that is labeled "off." Clicking on that box leads you through Google's Two-Step Verification wizard, which walks you step-by-step through the process of enabling this additional security for your account.

Yahoo! TFA Setup

Two-Factor Authentication is just as easy to set up for your Yahoo! email account. First, log into your Yahoo! account and go to your Account Info page, located under the user icon in the upper right-hand corner. Once there, click on Account Security, and then into the Two-Step Verification box. From here, just make sure it's enabled, and enter your mobile number into the field provided. You will then receive a confirmation message with a code; enter that into your web browser, and Two-Factor Authentication will be enabled for your account.

Microsoft TFA Setup

Microsoft, much like the services above, makes it super easy to set up Two-Factor Authentication. Microsoft accounts cover many services, from the Microsoft Office 365 services to Outlook and even Xbox Live!, so this could be a vital account to protect with TFA. The first step is to visit the security basics page and log into your Microsoft account. Then, you'll need to click on the more security options section and find the heading for Two-step verification. Click the Setup two-step verification button to begin turning it on, and then follow along with their TFA wizard to get this additional layer of security on your Microsoft account.

Whether it seems vital or not, online security and two-factor authentication can save your life (all but literally). From your business and business ventures, to personal information, all of it can be exponentially more secure by adding two-factor authentication to those accounts. The peace of mind that two-factor authentication offers is hard to match, and you'll receive a notification anytime someone tries to access the account, so you can be more on top of your online security.

Are you worried about your security online? Not sure how to start the process of setting up two-factor authentication on one of your online accounts? Contact the Armor Techs and let us make sure your online experience is the best, and most secure, that it can be! Do you have additional questions, or want to learn more? Drop us a line on our social media (Facebook or Twitter), or at any of our contact forms on our website and we'll be sure to help you get the information you need!