Two Factor Authentication – Why it is Important and How to Use it

March 18, 2013

The story so far

Recently the news has reported two huge attacks on two major social networks, Twitter and LinkedIn. Both attacks aimed at stealing usernames, passwords and even users’ session tokens from the two services’ databases.

Many have noted that the stolen passwords were hashed, but that is not enough. Many users still choose common passwords, so recovering the clear password from its hash is easy: a quick rainbow-table or dictionary run on a fast computer is all it takes. Hashing passwords in a database is no longer sufficient on its own, and that is because a password alone is no longer a sufficient credential.
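To make the point concrete, here is an added example (not code from the original article) showing why a hashed password database is not enough when users pick common passwords. The wordlist, user names and "leaked" hashes are constructed for the example; a plain hash-to-password lookup table stands in for a rainbow table, which is a space-optimised form of the same idea. The second half shows that per-user salting defeats the precomputed table but not a dictionary attack against a weak password, which is exactly why a second factor is needed.

```python
import hashlib
import os

# Constructed wordlist of common passwords (stand-in for a real cracking dictionary).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein", "football"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed "leaked" dump of unsalted SHA-1 hashes: passwords are hashed, but every
# user who chose the same password has the same hash, and no salt is involved.
LEAKED_UNSALTED = {
    "alice": sha1_hex(b"password"),
    "bob": sha1_hex(b"letmein"),
    "carol": sha1_hex(b"c0rrect-h0rse-b4ttery"),  # strong password, not in the wordlist
}


def build_lookup_table(wordlist):
    """Precompute hash -> password once. Because the hashes carry no salt, one table
    cracks every user in every dump that used the same hash function."""
    return {sha1_hex(pw.encode()): pw for pw in wordlist}


def crack_unsalted(leaked, table):
    """Recover the cleartext of every user whose hash appears in the precomputed table:
    one dictionary lookup per user, no hashing at attack time."""
    return {user: table[h] for user, h in leaked.items() if h in table}


# Salted variant: a random per-user salt is hashed together with the password and stored
# next to the hash. The precomputed table is useless here; the attacker must hash the
# whole wordlist again for every single user.
def salted_hash(password: bytes, salt: bytes) -> str:
    return sha1_hex(salt + password)


def make_salted_record(password: bytes):
    salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)


def crack_salted(records, wordlist):
    """Per-user dictionary attack: len(wordlist) hashes per user instead of one lookup.
    A slow hash (bcrypt, scrypt) raises the cost per guess, but "password" still falls."""
    found = {}
    for user, (salt_hex, h) in records.items():
        salt = bytes.fromhex(salt_hex)
        for pw in wordlist:
            if salted_hash(pw.encode(), salt) == h:
                found[user] = pw
                break
    return found


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted, one table lookup per user:", crack_unsalted(LEAKED_UNSALTED, table))
    salted = {
        "alice": make_salted_record(b"password"),
        "carol": make_salted_record(b"c0rrect-h0rse-b4ttery"),
    }
    print("salted, dictionary run per user:", crack_salted(salted, COMMON_PASSWORDS))
```

Running it recovers alice's and bob's passwords from the unsalted dump with pure lookups, and still recovers alice's "password" from the salted records after a short per-user dictionary run; only carol, whose password is not in any wordlist, survives either way. Salting and slow hashing raise the attacker's cost, but they cannot protect a user whose password is guessable, and that is the gap a second factor closes.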

If an attacker steals a Twitter or LinkedIn password database, he can log in to a huge number of accounts, mainly because those two very important social networks lack a fundamental security feature: two-factor authentication.

This feature is really fundamental because a username and password pair is too weak, too easily stolen and too easily guessed, even by someone who is not a hacker.

So when connecting to an important web service it is important to use not only something we know (the password), but also something we have.

This kind of feature typically works with a hardware or software token, like the RSA SecurID pictured here –

This means that only someone holding the token can log in to the service. An attacker can still steal or guess our password from the social network’s database, but he must also steal the token from our pocket, and that is pretty unlikely. The remaining risk is a phishing page that asks for the one-time code and relays it to the real site while it is still valid, so the code should only ever be typed into the genuine login page.

As said before, neither Twitter nor LinkedIn offers a two-factor authentication feature. They are surely working on it, but implementing this form of authentication will take some time.

Other social networks and cloud services, however, already offer a very easy two-factor authentication service.

We’re talking about Facebook, Google and Dropbox; let’s see how to set up this important feature and make our accounts more secure.

Facebook

Facebook’s two-factor authentication works in two ways: by sending a text message to your cell phone containing the code requested during login, or through the Code Generator built into the Facebook smartphone app. You need to activate the feature first. Let’s see how.

First go to the Security tab of the Account Settings menu, where you’ll find this setting (Fig. 2) –

Figure 2

You’ll need to give Facebook your mobile phone number, and that’s all! Every time you log in to Facebook from a new browser (or an old one whose cookies you have deleted), Facebook will ask you to enter the code texted to your cell phone in the login form.

Or, as said, if you have a smartphone with the Facebook app you can obtain a valid code via the Code Generator feature in the app itself (it works fine on both Android and iOS).

Google

Google’s two-factor authentication feature works very similarly to Facebook’s.

To activate it, go to the Google Account settings page, Security tab, and enable 2-step verification here –

Figure 3

You’ll be asked to provide your phone number and confirm it.

Figure 4

After that you’ll be able to log in to your Google Account only by providing, together with your password, the code sent to your mobile phone.
This is the main way, but as with Facebook you can use a smartphone with the easy Google Authenticator app instead.

You can download the app free of charge from the App Store or Google Play; it’s very easy to set up, since you only need to activate it by scanning a QR code that Google shows on a specific page.

Figure 5

What’s interesting about Google Authenticator is that it isn’t tied to a single account: you can link the app to multiple Google Accounts and secure them all at once, since the app generates a separate code for each account.

What’s even more interesting is that this Google app is not usable only for Google Accounts, but also for third-party services, like Dropbox.

Dropbox

To secure your Dropbox account with two-factor authentication using Google Authenticator, go to the Security tab of the Settings menu and enable Two-step verification here (Fig. 6).

Figure 6

Now you’ll be asked whether you prefer to receive a text message on your mobile phone or to use a mobile app (Fig. 7).

Figure 7

And that’s it! Now if you open your Google Authenticator app you’ll see this situation –

Figure 8

Conclusions

We have now analysed in a little more detail what two-factor authentication is, why it is very important to have it available on the services we use every day and, above all, how easy it is to use.
Not every social network we use has this feature, but to stay more secure we should use it everywhere it is offered.

It may be annoying to enter a code, but this step can really improve our safety online.

Federico “glamis” Filacchione, born and living in Rome, Italy, is a security professional with more than 10 years of experience. He constantly tries to spread security awareness, explaining that security is not a simple tool but a way of thinking about the same old stuff in a totally different way (and it’s not that hard!). You can read his thoughts (in Italian) on http://glamisonsecurity.com and follow him on Twitter as @glamis.
