ESET, a leading company in proactive threat detection, explains what two-step authentication is and how to configure it so that account security does not depend only on the password, as reported by Alessandro Bazzoni at Nota Oficial.
Passwords are the key to digital information. For this reason, for years there has been talk about the importance of protecting them, where to store them, and good practices for creating strong and secure passwords while avoiding some of the most common mistakes that could compromise them. However, no matter how careful you are, passwords can still be exposed in a data breach, and this type of event is becoming more frequent. So far this year alone, more than 1 billion accounts have been leaked in different security incidents, among which the recent publication of data from 533 million Facebook users stands out, says Cecilia Pastorino, Computer Security Researcher at the ESET Latin America Laboratory.
The password is not the only way to authenticate to a system. In fact, there are three different ways to do it:
- Through something we know, such as the classic password, a secret word or question, etc.
- Through something we have, such as a physical card, a digital certificate on a pen drive, a physical or digital token, a smartphone, etc.
- Through something that we are, that is, through biometric data such as fingerprint, iris, facial recognition, etc.
Only one of these three forms is used in the traditional authentication process, usually the password. Two-step (or multifactor) verification proposes combining two authentication methods in such a way that, if one is compromised, the other must still be known or possessed to gain access to the information.
The vast majority of current systems apply this principle to provide an extra layer of protection to their users' accounts, combining the password (something you know) with a digital token or temporary access code that is received or generated on the phone (something you have). In other words, after entering the usual password, a code will be requested that is received by SMS or through an app on the smartphone. In this way, if an attacker obtains a password, either because the user fell for a deception or because it was leaked in a breach, they will not be able to complete the authentication without access to the phone on which the temporary code is received.
Depending on the system or service where two-step authentication is configured, the way the smartphone is used to generate the passcode will vary. Most services ask you to enter a phone number where an SMS will be received to confirm the setup and then each time you log in. Another option is to associate the account with an authentication app, such as Google Authenticator, Authy, or ESET Secure Authentication. These applications are linked to the service being authenticated to and work as digital tokens, generating one-time codes that change every minute.
In some cases, no access code is used; instead, the user receives a message with an authorization request on their phone, which they must accept by also placing their fingerprint on the reader. In this case the phone's fingerprint reader brings all three forms of authentication into play, since in addition to the password and the phone, the user must verify their fingerprint.
Below, ESET shares a step-by-step list of how to set up two-step authentication for some of the most popular services: Google, Yahoo, Microsoft (Live, Outlook, Hotmail, etc.), Twitch, Facebook, Instagram, Twitter, and TikTok. Messaging services can also be configured with two-step verification: WhatsApp, Telegram and Signal, and even many videoconferencing tools and online games offer the same option, as is the case with Zoom or Fortnite.
Two-step authentication has proven to be the most effective way to prevent account hijacking; however, many users, and even companies, do not implement it due to ignorance or lack of awareness of the risks to which they are exposed. Therefore, although activating this security mechanism is optional, you should always consider enabling it to be better protected and not depend solely on a password, concludes Cecilia Pastorino, from ESET.
Having a strong password, not reusing the same one on all sites and activating the second factor of authentication are basic precautionary measures that must be taken into account to avoid becoming the victim of a hack. In times of quarantine due to the coronavirus, it is important to note that internet traffic has increased, as more applications and online services are used, and with this the risk of falling victim to a cyber-attack increases. Hence, it is essential to place special emphasis on certain measures.
In addition to changing your password frequently and avoiding using the same one on all sites, it is important to activate, as already mentioned, the second factor of authentication on all your accounts. In this way, if someone were to get your password, whether through a leak or by any other method, they would still not be able to enter your profile, because the system will ask them for a second code to verify their identity.
That second code can arrive by SMS or through an authentication application on your cell phone, such as Authy or Google Authenticator (among others), which are easily downloaded from the Play Store or App Store. You can also use a physical security key. All of this is configured from the settings menu and is available on most of the most popular digital platforms.
This security measure is especially important on those platforms where you have your credit card data loaded. Most offer the option of enabling the second factor of authentication.
Alessandro Bazzoni explained that if you are using a platform where you have sensitive data loaded, such as your card information, and you see that it does not have this security measure, you could contact that platform's technical support to ask them to explain how they are taking care of your information, or you could directly choose to delete that sensitive information or stop using the service altogether if you feel that it does not offer you enough security measures.