Who Are You
The process of proving who you are (called authentication) is a
key step to protecting your online information. You want to be
sure only you have access to your private information, so you
need a secure method to prove who you are, such as when you
check email, purchase something online or access your bank
accounts. You can prove who you are in three different ways:
what you know, such as a password, what you have, such as
your passport, and who you are, such as your fingerprint. Each
one of these methods has its advantages and disadvantages. The
most common authentication method is using what you know:
passwords.
Passwords
You most likely use passwords almost every day in your life. The
purpose of a password is to prove you are who you say you are.
This would be an example of something you know. The danger
with passwords is that if someone else can guess or gain access to
your password, they can then pretend to be you and access all of
the information that is secured by it. This is why you are taught
steps to protect your password, such as using strong passwords
that are hard for attackers to guess. The problem with passwords
is they are quickly becoming dated. With newer technologies it is
becoming easier for cyber attackers to forcibly test and eventually
guess passwords or harvest them with technologies such as
keystroke loggers. A simpler yet more secure solution is needed
for strong authentication. Fortunately, such an option is becoming
more common-something called two-step verification. To protect
yourself, we highly recommend you use this option whenever
possible.
Two-Step Verification
Two-step verification (sometimes called two-factor authentication)
is a more secure way to prove your identity. Instead of requiring
just one step for authentication, such as passwords (which is
something you know), it requires two steps. Your ATM card is an
example. When you withdraw money from an ATM machine, you
are actually using a form of two-step verification. To prove who you
are when accessing your money, you need two things: the ATM
card (something you have) and the PIN number (something you
know). If you lose your ATM card your money is still safe; anyone
who finds your card cannot withdraw your money as they do not
know your PIN (unless you wrote your PIN on your card; which
is a bad idea). The same is true if they only have your PIN and not
the card. An attacker must have both to compromise your ATM
account. This is what makes two-step verification so much more
secure: you have two layers of security.
Using Two-Step Verification
One of the leaders in online two-step verification is Google.
With a variety of free online services such as Gmail, Google
needed to provide a stronger authentication solutions for its
millions of users. As such Google rolled out two-step verification
for most of its online services. Not only is Google’s two-step
verification a free service any Google user can sign-up for, but
other online providers are using similar technology for their
services, such as Dropbox, Facebook, LinkedIn and Twitter. By
understanding how Google’s two-step verification works, you
will understand how many other online two-step verification
services work.
Google’s two-step verification works as follows. First, you
will need your username and password, just as before. This is
the first factor, something you know. However, Google then
requires a second factor, something you have-specifically,
your smartphone. There are two different ways you can use
your smartphone as part of the log in process. The first is to
register your phone number with Google. When you attempt
to authenticate with your username and password, Google will
SMS a new, unique code to your smartphone. You then have
to enter this number when you log in. The other option is to
install Google authentication software on your smartphone. The
software then generates a unique code for you. The advantage
with this second approach is that you do not need to be
connected to a service provider, as your phone generates your
code for you.
Two-step verification is usually not enabled by default.; it is
something you will have to enable yourself. In addition, most
mobile apps are not yet compatible with two-step verification.
For most mobile apps you will need to use application-specific
passwords, which you can generate once you enable twostep
verification. Finally, you may have the option of creating
recovery keys in case you lose your smartphone. We recommend
you print those out and store them in a safe, locked location.
We highly recommend you use two-step verification whenever
possible, especially for critical services such as email or file
storage. Two-step verification goes much further to protect your
information , as criminals have to work much harder
to try and compromise your accounts.