Friday, April 03, 2015

You Should Enable Two-Factor Authentication

A friend apparently had her Gmail account hijacked. It's not completely clear what happened, but the best guess is they got in via a password and then they changed the password and enabled two-factor authentication to their phone. Now she can't log in, and the Google process to regain her account is more arduous because she has to prove she's the real owner even though she doesn't have the password or the phone used for two-factor authentication (there is a process where you provide a lot of info, but in this case it's not quite working and there's a 3-5 day waiting period).

So it's a good opportunity to remind people to enable two-factor authentication for accounts where you can. This is from December 2013 but they say they're keeping it updated: Here's Everywhere You Should Enable Two-Factor Authentication Right Now. Also, here's a more comprehensive Two Factor Auth List.

So where I've enabled two-factor auth (apparently abbreviated 2FA), I've given my cell phone number and receive text messages with a code to enter. This is usually just the first time I log in from a device or perhaps after an upgrade, so it's not all the time and isn't annoying at all. There is the problem of What Happens If I Use Two-Factor Authentication and Lose My Phone? When you enable 2FA, sites usually give you backup codes, each good for one login only, for just these cases. Save them, and keep them someplace where you can remember where they are and can access them even if you can't access all or parts of your computing environment.

If you upgrade phones but keep your number there isn't a problem; text messages will go to the new phone. If you change numbers (I guess even when traveling if you get a new SIM card) you need to update your 2FA accounts with the new number before you change.

To make managing some of this stuff easier, there are now apps that act as the second factor instead of a cell phone number. Google has Google Authenticator for its services, and I've heard a lot about Authy, which works across many 2FA services, but haven't used it.

Question: If you've used Authy, let me know how it works for you.

So if you haven't already, enable two-factor authentication on your services, before someone else does it for you.

Also, if you can, back up your online data. For mail accounts, if you're using a local Mail program with IMAP, configure it to keep local copies of your mail and keep backups (so if you lose mail and sync and it all goes away you still have backups).
