Yahoo Finance's Dan Howley discusses what two-factor authentication is and how to use it.
- Also in this week's tech report, you're talking about how to set up 2-factor authorization. This is a very important issue for a lot of people. If you're late to the game, how do you do it?
- Yeah. 2-factor authentication is kind of an extra layer of security. Now, the reason why we bring it up is because the Colonial Pipeline attack was actually partly responsible, or part of the reason for it was a lack of 2-factor, or what's sometimes called multifactor authentication. Now, 2-factor authentication, again, it's that second layer of security. So when you sign up for a service, you have your password, you have your username, and then sometimes you'll get a notification asking you if you would like to enable 2-factor authentication.
And really what it is if you do that, you will then have to receive a text message with a one-time use passcode. You would enter that into your account after sign in. And then that would allow you to get into your full account. You sometimes get them in other ways. But really what it is here is another way to confirm you are who you say you are. Your password could be stolen, could be hacked. I was just looking over the 2020 Nord's top passwords. And believe it or not, they are pathetic. We're talking about people using things like 123456, 123456789 for a password. Now, if you have a serious account, your maybe 401(k) is online, your social media accounts, your email accounts, anything along those lines, you should be using 2-factor authentication.
And there's three different versions of it. The first, as I said, is that text message version where you would go to enter your account, use your password, your username, and then you would receive a notification saying we will send you a text to your cell number. Those are good. But they're not perfect because in some instances hackers can actually clone your phone number and receive your text messages just as you would. So in that instance, they would be able to use your username, password, and that one-use time pass code to get into your account. A more safer version, or a safer version rather, is one that uses an authenticator app. Now, those are made by the likes of Microsoft or Google. You may even use one with Duo Mobile for work.
What those do is they generate a one-time use passcode that you would enter in addition to your username and passcode. Those are very safe. But the problem is you always need to have your phone on you. And if you get a new phone, you have to deactivate your 2-factor authentication on your old phone and then reactivate it on your new phone. It's a huge to-do. The third version, though, is one that uses a physical hardware key. This is a literal key fob that you would put on your keychain. And it'll provide you with a number for that one-time use passcode that you would then enter.
Those are also kind of a pain, though, just because you need that piece of hardware with you at all times. And there are some new versions of 2-factor authentication that take into account facial recognition or fingerprint scanners. And those are probably the easiest ones and the most secure because facial scanning is probably one of the most secure ways to fingerprint yourself, or not really fingerprint yourself, but faceprint yourself when you're trying to protect your online identity.
So how important is it to have these? As I said, it is pretty easy at points for hackers to just use brute force attacks-- excuse me-- to break into your account. And if they're able to do that, or they're able to somehow guess it based on something you may have posted online-- you say your pet's name, you know, you say it's my birthday today, and that's an easy way for a lot of people to have their passwords taken. 2-factor authentication is an important way to protect yourself. And as I said, it could have been used to protect the Colonial Pipeline. And if it comes to your accounts, you want to keep those just as safe. So you might as well use it now.
- Well, Dan, why don't more companies then use this? It seems like it is very easy. I know I use a 2-step authentication for all of my social media accounts. So why don't you think more of these companies use something like this so they wouldn't be put in the same type of position that Colonial Pipeline has been?
- It sounded like from the way that it's been described for Colonial Pipeline that it was just a lax security at that point. This was a legacy VPN profile, meaning it was an older VPN profile that they didn't really use. And it just didn't have it activated. You have to imagine that a lot of companies don't have the best cybersecurity posture. They don't seem to think about it as important as it should be thought of. And that is a real issue going forward. I think now that we're seeing this huge increase in ransomware attacks and cyber attacks in general, we will start to see more companies start to clamp down. But as a regular person, you don't want your accounts broken into. People can spread all sorts of information about you online. They can get access to your important files, access to your financial information.
And if you want to protect yourself, this is really the best way to do it. As I said, there are three ways to do it. They're not the easiest thing on the face of the Earth. Yes, it does add an extra step where you try to log into your account. But really, if you want to stay safe, what do you want to do? Expose your personal information online? Or just keep it locked down by adding that one extra step? Takes about five seconds. It's not that big of a deal.
- I couldn't agree more. And some great advice there, Dan. For the record, all my passwords are Fibonacci sequences. Think about that.