Today I want to talk to you about using "two-factor authentication," also known as two-step authentication, for signing onto websites that you consider critical. Critical sites are the ones that, if accessed by hackers, would cause a serious disruption to your life. For you it might be your financial institution or securities trading site. For your children it might be their Facebook or Twitter accounts.
The concept of two-factor authentication is simple. It requires not one but two pieces of privileged information before granting access to an online account. It can work in one of two ways: You sign onto a website in the usual manner, entering your user name and password. But then a second step is required.
One way is to ask a question that you have previously set up and answered - your maternal grandmother's middle name, etc. The theory here is that a hacker who might have gained access to your password will not know the answer to the question.
The second method, which is a bit more complicated, is considered safer. You sign onto the website in the usual manner, user name and password, then the site sends you another single-use password that has been randomly generated, say to your cell phone via text messaging. You then enter this one-time password to gain entrance to your account.
The theory here is that if someone somehow hacks your user name and password, they still don't have access to your phone. They will be unable to submit the second password that has been sent to you, and your account will remain locked.
You should not carry your financial information on your phone, and you should not access your financial institution account from your phone. The same holds true for accessing your bank from a public computer, say in an airport lounge, a coffee shop or a hotel business office. If you do, bad things can happen.
Most banks and other financial institutions offer two-factor authentication by various names. For instance, just as an example, Bank of America calls theirs "SafePass." It requires users to enter a one-time, 6-digit passcode to authorize various kinds of transactions. The passcode is sent to your phone or other "trusted device" once you log onto your account, and is good for ten minutes. After ten minutes you have to ask for another.
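To make the second method concrete, here is an added example (not code from the article or from any bank) of the server-side half of such a scheme: after the password check passes, the server generates a random 6-digit code, delivers it to the user's trusted device, and accepts it only once and only within a ten-minute window, after which the user must ask for another. The class name `OneTimeCodeVerifier`, the in-memory store, the `send` callback and the attempt limit are assumptions made for the demonstration; a real deployment would deliver through an SMS gateway and keep the state in a database.

```python
"""Server-side handling of a single-use, time-limited login code.

Added example, not part of the original article. Models the SMS-style
second factor described above: a random 6-digit code that is good for
ten minutes and can be used exactly once. Names and storage are
assumptions for the demonstration.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60      # "good for ten minutes"
MAX_ATTEMPTS = 5                # cap guesses so a 6-digit code cannot be brute-forced


class OneTimeCodeVerifier:
    def __init__(self, send, clock=time.time):
        self._send = send      # callback that delivers the code to the trusted device (assumed)
        self._clock = clock    # injectable clock so expiry can be exercised deterministically
        self._pending = {}     # username -> (code, expires_at, attempts_left)

    def issue(self, username):
        """Generate and deliver a fresh code, replacing any earlier one for this user."""
        # secrets gives a cryptographically strong value; zero-padded to 6 digits
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send(username, code)
        return code  # returned only so the example can be exercised; never log it in production

    def verify(self, username, submitted):
        """Return True once for a correct, unexpired code; False in every other case."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[username]     # expired: the user has to request another
            return False
        # constant-time comparison avoids leaking digit-by-digit timing information
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[username]     # single use: consumed on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]     # too many wrong guesses: invalidate the code
        else:
            self._pending[username] = (code, expires_at, attempts_left)
        return False


def demo():
    """Walk through issue, wrong guess, success, replay and expiry with a fake clock and fake SMS."""
    now = [1_000_000.0]                      # constructed starting time
    sent = []                                # constructed stand-in for the SMS gateway
    v = OneTimeCodeVerifier(send=lambda user, code: sent.append((user, code)),
                            clock=lambda: now[0])
    code = v.issue("alice")
    wrong = "000000" if code != "000000" else "999999"
    results = {
        "wrong_code": v.verify("alice", wrong),   # one bad guess is rejected
        "right_code": v.verify("alice", code),    # the real code is accepted
        "replay": v.verify("alice", code),        # the same code cannot be used twice
    }
    code2 = v.issue("alice")
    now[0] += CODE_TTL_SECONDS + 1                # eleven minutes later
    results["expired"] = v.verify("alice", code2)  # stale code is rejected
    results["sms_count"] = len(sent)
    return results


if __name__ == "__main__":
    print(demo())
```

The three properties a practitioner should check in any such implementation are all exercised in `demo()`: the code is unpredictable (drawn from `secrets`, not `random`), it is consumed on first successful use so a captured code cannot be replayed, and it stops being valid when the window closes. The attempt counter is what makes a six-digit space safe enough; without it an attacker who already holds the password could simply try all one million values.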
Google and Facebook have offered two-factor authentication as an optional security measure since 2011. Dropbox is now offering it as is Apple iCloud. Microsoft has just come on line with its process for Microsoft Account users, and Twitter says its version is on the way.
Make no mistake, adding two-factor authentication to an account is going to mean adding some degree of time, and yes annoyance, to the signing-in process. But the extra minute is a relatively small price to pay when the downside of a hacker gaining entrance to the account as you is so great.
Two-factor authentication is not foolproof. If you set it up in some account to send a password to your phone, and you have your access information on that phone, and the phone is not password protected, and you lose the phone... well, you get it, I'm sure.
But two-factor authentication is a valuable addition to protect those accounts most important to you.