We need to sit down and have a heart-to-heart talk about safe email. And something called two factor authentication.

Password-Only Authentication

Several people I know have had their personal email accounts hacked into recently, and since you’re electronically active, I’m worried that the same thing could happen to you. I know this is uncomfortable, but I need to ask you a couple of very personal questions:

  • Are you using strong passwords for each of your online accounts?
  • Are you using any additional means of authentication besides passwords?

If not, you risk having your online identity stolen. Brute-force attacks on email accounts are very common, and weak passwords are very easy for automated programs to guess. And once someone gets into your email, well, it’s all over. (My next stop, if I were a hacker, would be your Amazon.com account. Woo-hoo, what fun!)

But even if you use a strong password — the recommended mix of upper and lower-case letters, numbers, punctuation, etc. — you’re still not home safe. Strong passwords are hard to crack, but you could still be duped into giving your nicely complex password away. I’m sure you’ve heard of the phishing schemes involving fake PayPal or bank websites. The bad guys are getting ever more sophisticated. I think I’m fairly good at spotting a phishing scam, but I’m finding it harder and harder to distinguish fake emails from real ones.

Two Factor Authentication

The problem is that a password — even a very strong one — is still just a single form of authentication. It’s just a secret, and we all know how hard they are to keep. As the saying goes, once more than one person knows, it’s no longer a secret.

For additional security, you need a second form of authentication: something you possess, like a key, or, (hey!) your cell phone. This is called two factor authentication, and most popular email providers and online accounts now support it, including Gmail, Yahoo, Hotmail, PayPal, and Facebook.

It works like this; I’ll use Gmail as an example, since I have it set up on my account. When I log into my Gmail account, after I provide my password, I get prompted for an additional verification code, which Gmail sends to my cell phone via text message (or the Google Authenticator app, which I have installed on my iPhone). I read the verification code (which expires after about 30 seconds) off my phone, enter it at the prompt on my computer, and I’m in. It’s quite painless. For convenience, I have my computer marked as a “trusted” computer in Gmail, so I only have to use the verification code once every thirty days.

With two factor authentication enabled, in order for Hacker Igor from the Ukraine to break into my account, he would have to not only guess or steal my password, but also have physical access to my phone. That’s pretty hard to do when it’s in my jeans pocket.
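As an added illustration (this is not code from the original post or from Google), here is how the app-generated code described above is actually produced: a Python implementation of the standard TOTP algorithm (RFC 6238) that authenticator apps use, plus the server-side check that rejects a code once its 30-second window has passed. The secret below is the published RFC test-vector key, not a real account key, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key
# "12345678901234567890" (ASCII), shown in the base32 form that
# authenticator apps read from a QR code. This is NOT a real account key.
DEMO_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP_SECONDS = 30   # codes roll over every 30 seconds
DIGITS = 6               # six-digit code, as shown in the Authenticator app


def hotp(secret_base32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then reduce modulo 10**digits."""
    key = base64.b32decode(secret_base32, casefold=True)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_base32: str, unix_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The phone and the server both derive the same code from the shared
    secret and the current time; nothing is transmitted to the phone."""
    return hotp(secret_base32, unix_time // step)


def seconds_remaining(unix_time: int, step: int = TIME_STEP_SECONDS) -> int:
    """How long the current code stays valid (the countdown the app shows)."""
    return step - (unix_time % step)


def verify_totp(secret_base32: str, submitted: str, unix_time: int,
                window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` steps to
    absorb clock drift between phone and server; a code older than that has
    expired and is rejected. Uses a constant-time comparison."""
    base = unix_time // TIME_STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_base32, base + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("secret (base32):", DEMO_SECRET_BASE32)
    print("current code:", totp(DEMO_SECRET_BASE32, now),
          "valid for", seconds_remaining(now), "s")
```

The point worth noticing is that the code is never sent to the phone at all in the app case: both sides compute it from a secret shared once at enrollment plus the clock, which is why a stolen password alone is not enough and why an old code is worthless a minute later.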

How to Set Up Two Factor Authentication

You can enable two factor authentication in the “settings” page of your online accounts that support it. For specific instructions, just do a Google search for “two factor authentication [site-name]”. Start with your email account; that’s arguably the most important one.

In the corporate environment, Google Apps for Business fully supports two factor authentication, and you can also enforce it domain-wide. We use Google Apps internally and require two factor authentication for all our itfreedom.com accounts. Microsoft Exchange also supports two factor authentication, although it’s still quite involved to set up.