The proliferation of the internet is one of the best things to have happened during our time. But while it has proven to be a brilliantly useful tool, in the wrong hands it has also proven to be quite dangerous. With the increase in online accounts, we have also seen an increase in the number of black hat hacks, where nefarious members of the online community have taken hold of someone’s account for committing internet theft or just to write “haha gay1!!1 l0lz” on their Twitter.

All online accounts come with a basic form of security, a password: a series of letters, numbers, and special characters that forms the first line of defence against people who are not you trying to gain access to your account. This may have been enough a few years ago, but with the advent of brute-force cracking and social engineering, a password, no matter how complicated, can no longer be trusted to be your only security measure.

Unfortunately, a lot of websites still offer a password as the only security measure for your online account. However, a growing number of websites these days also provide a second, more robust line of defense against hackers: two-step authentication. This is where you will learn what it is, and why you should have had it enabled even before you read this.

Two-step authentication is exactly what it sounds like. Instead of having a single step, that is, entering your password before getting access to your account, there is a second step that comes after you enter the password. The way this second step is implemented depends upon the service offering it, but by and large there are three basic types.

The first type involves your phone number; I’m going to use Twitter as an example here. When you enable two-step authentication on your Twitter account, you are required to provide them with your phone number. Once it is enabled, the next time you try to log into your Twitter account, you are first asked for the password to your account, as you normally would be (Step 1). After that, you will be asked to enter a special code (Step 2). This code is sent to your phone number as an SMS. You then enter the code on Twitter, and you are logged in. What this means is that in order to gain access to your Twitter account, someone will not only need your password but also access to your phone in order to receive the SMS that contains the authentication code. You can see what the odds of those two things happening together are, which makes this method significantly more secure than just using your password.

The second type involves the use of an authenticator app. Instead of using your phone number to send a code, the service, let’s say Microsoft, will instead need you to use an authenticator app. There are several of these apps available on iOS and Android, but the most popular one by far is Google Authenticator. To set this up, you first need to download the app. Then you go to the account settings of the service you’re trying to set up two-step authentication on, which in this case would be your Microsoft account, enable two-step authentication and choose to use an app. The website will then show you a QR code, which you scan using your authenticator app, and the account will be added to the app. The app will then generate six-digit codes for you, which you enter on the Microsoft website during the second step of the login process. In this method, you don’t have to wait for the SMS to arrive on your phone. The codes are generated locally within the authenticator app on your phone and they refresh every 30 seconds, so they are always new. The app doesn’t even need an internet connection to generate codes and can work completely offline. And you can add multiple accounts to a single app, so the same Google Authenticator app can hold your Google, Microsoft, Twitter, Dropbox, or any other service that uses this form of two-step authentication. Again, as with the previous method, for someone to gain access to your account, they will need your password as well as the device on which you have the authenticator app set up.

The third method is a variation of the second one. Some services have an app that doesn’t even require you to enter a code. Microsoft released an app a few years ago whose only purpose was to verify you when you log in. You would first need to log into the app with your Microsoft account. Then you would need to enable two-step authentication for your account through the web browser and select this app as your authenticator. The next time you try to log in to your Microsoft account, for the second step, instead of asking you to enter a code, the website will ask you to respond to a prompt on your phone. The app on the phone shows a pop-up asking whether you want to authenticate yourself; if you select yes, you are logged in on the web browser without entering any code. Google now has a similar feature for its own accounts, where you can pass the second step simply by tapping a button on your iOS or Android device. On iOS you will need to install the Google search app; on Android you don’t need to download anything. Simply set the device as your default and you will get system notifications to verify your login.

All three of these methods are secure, in increasing order. The SMS method is the most common but the least secure, because there is a chance someone could intercept your SMS before it reaches your device. The other two are less common but extremely robust: nothing short of hacking into your service provider’s database or physically stealing your phone can let someone else gain access to your account. It goes without saying that, if available, the last two methods are the ones to enable. My favorite is the third one, where one click of a button can securely log you in, but that comes at the cost of installing a separate app for each service. The second method, then, is the most practical, since you can have one authenticator app for all your two-step-supporting services, and entering codes manually doesn’t take all that long anyway.

Even with two-step authentication enabled, it is important to have a secure password in the first place. The ideal password is not the one you can remember but complete and utter gibberish that not just you but no normal human can remember or even attempt to remember. It should be a combination of letters, numbers, and special characters and should be as long as the service you are using allows. The question now is, if you can’t remember the password, how do you enter it?

This is where password managers come in. A password manager remembers your passwords for you. A password manager will also generate secure passwords for you: you select the number of characters you want and it generates a complete nonsense string of characters. Then, not only will it remember the password, the username and which site it is for, but every time you open the site it will also auto-fill the details for you and you just have to click a button. This is even easier than remembering your password, and infinitely more secure. Some examples of password managers are 1Password and LastPass. They have apps for desktop as well as mobile and sync the passwords between them, so you always have the latest passwords with you. The apps, of course, are password protected, and this is the only password you will ever need to remember.

Finally, here are some takeaways for you:

  • If the service you are using supports two-step authentication, you have to enable it. You can check here if a particular site or service supports two-step authentication.
  • Regardless of whether it supports two-step authentication, you need to use a secure password.
  • The password needs to be a complex and unmemorable string of characters and should be different for different sites.
  • Use a password manager. Trust me, you need this in your life. Pay for it if you have to; it’s well worth the money.
  • Use a particularly strong password for your primary email account. This is where your other accounts’ password reset emails are sent, so you don’t want it to get compromised.
  • This goes without saying, but don’t share your passwords with anyone. If you must do so temporarily, change the password immediately afterwards.
  • Do not log into devices that you don’t own.

I need to stress here separately that there is no need to be paranoid about these things. Following the standard security measures and having a bit of common sense is enough in most cases. It’s also worth noting that most of the time no one really wants to hack you; you are just not all that important. But that’s no reason to leave your security wide open and have ‘password1234’ as your password. Just follow the steps above and you should be good.


If you or someone you know found this article helpful, please consider donating here. Thank you for reading.