Passwords alone are hopelessly weak and fragile security measures.
Don’t be fooled by the myth that a stronger password will somehow make you safe online. You can create a password so long and complex that it takes you five minutes to type, and it will do nothing to protect you if the service where you use it stores passwords improperly (in plaintext, or with a fast, unsalted hash) and then has its servers breached. That happens regularly.
And even with reasonable policies in place (complexity requirements, regular changes, no reuse across sites), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone.
The solution is two-factor authentication, or 2FA. (Technically, the general term is multi-factor authentication, or MFA, but two factors is by far the most common form, so 2FA is the term I’ll use in this article.)
Turning on 2FA for a service changes the sign-in requirements: you must provide at least two proofs of identity when you access the service for the first time from a device it has not seen before. The two proofs must come from two different categories of factor (two passwords do not count), chosen from the following:
“Something you know,” such as a password or PIN
“Something you are,” such as a fingerprint or other biometric ID
“Something you have,” such as a trusted smartphone that can generate or receive confirmation codes
For the most part, the two-factor authentication systems you see in place today use the first item, your password, and the last item, your smartphone. Smartphones have become ubiquitous, which makes them a convenient second factor.
Your smartphone assists with authentication by supplying a short one-time code that you enter along with your password to sign in. You can get that code in one of two ways: sent as a text message from the service, or generated by an authenticator app installed on your phone, which computes it from a secret the service shared with the app when you enrolled.
Here, for example, is what I saw moments ago when I tried to sign in to my Gmail account from a browser I had never used before.
If this sign-in request were from someone who had stolen my Google account credentials, he’d be stopped dead in his tracks. Without that code, he can’t continue the sign-in process.
I prefer the option to use an authenticator app rather than receiving codes via text message whenever possible, and so should you. The reason is simple logistics. There are times when you have access to the Internet (via a wired connection or Wi-Fi) but don’t have the ability to receive a text message, because your cellular signal is weak or nonexistent, or you’re using a different SIM while traveling.
The most popular 2FA app is Google Authenticator, which is available on iOS and Android. But if you use another platform, you can almost certainly find an alternative: Because the process for generating the codes is based on open standards (the HOTP and TOTP algorithms published as RFC 4226 and RFC 6238), anyone can write an authenticator app that performs the same function.
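To make the "open standards" point concrete, here is an added example (not code from the article, and not Google Authenticator's own implementation) of the arithmetic an authenticator app and the service both perform: HOTP from RFC 4226 and the time-based TOTP from RFC 6238, plus the server-side check that tolerates a little clock skew between phone and server. The shared secret used here is the ASCII test key from the RFCs, embedded as a constructed sample; a real service generates a random secret per user and hands it to the app as base32 in an otpauth:// URI.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) generation and verification.
Added example; uses the RFC reference secret as constructed sample input."""
import base64
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Constructed sample only: a real deployment uses a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then the RFC's
    'dynamic truncation' to pull a 31-bit integer out of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current time step plus `window` steps on
    either side so a slightly skewed phone clock still works. compare_digest
    keeps the comparison constant-time."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the secret as base32 (otpauth:// URIs).
    Normalise spacing/case and restore padding so hand-typed secrets decode."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    b32 = base64.b32encode(RFC_TEST_SECRET).decode()
    # Hypothetical enrolment URI an app would scan from a QR code.
    print("otpauth://totp/Example:alice?secret=%s&issuer=Example" % b32)
    print("code for the current 30-second step:",
          totp(RFC_TEST_SECRET, int(time.time())))
```

The skew window is the practical caveat: widen it and you accept stale codes for longer, so a real service also records the last counter it accepted and refuses to accept that counter (or any earlier one) again, which stops a shoulder-surfed code from being replayed within the window.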
Read more at ZDNET