With some recent security scares surfacing in the online blogosphere – Dropbox being one of them (do a quick Google) – I read an article explaining the concept of two step authentication.
Two step authentication is essentially an attempt to improve the security of the widely accepted password system used online.
The trouble with a password is – as I’m sure you’re aware – if someone has your password, they can access your account, shopping list, email, social media or whatever service the password protects. The issue progresses further as the same password often protects all of these services, rather than just one.
Two step authentication works on the principle that the password and a second piece of information are both required in order to access the account. Some banks have used this system for a long time with online banking – a small card reader which generates a short code that protects certain transactions (not logins).
To protect a service, the user enters their password as normal, and they are then prompted for a second code which changes on each login attempt. This may initially seem like a giant PIA, however when associated with important services it is a small inconvenience – when implemented correctly.
I use a password management service (LastPass – which is excellent by the way), and this service by its nature protects a lot of login details. Two step authentication with LastPass works as follows:
Log in with your LastPass password, open the Google Authenticator app on your phone (iOS + Android) and enter the code it generates.
It really doesn’t take long and there are numerous “oh my God, I’ve lost my phone” options to access / secure your account.
The same applies for Google logins too – both on Android and the web.
Google’s system goes one step further (as it covers numerous services) in that “application specific” passwords can be generated, so for example the password authenticating my Google account on my phone can be instantly revoked, thus disconnecting my handset from my Google account. It also makes my Google services much more difficult to get into in the first place.
One caveat is that there is the option to ‘trust’ the computer when logging in – disabling the two step authentication on that machine. This isn’t too much of an issue though, as all Google services can be remotely logged out from, thus re-enabling the two step authentication.
Two step authentication is coming to more and more services, with Dropbox next on the list (when the next update is released) and I would strongly (and highly!) recommend enabling the option wherever possible.
I just wanted to add a list of services which support this feature that I’ve come across so far:
WordPress! (Via Google Authenticator plugin – read their website as it needs enabling before protection is active).