Recently I’ve been receiving a ton of messages from friends and family who have lost access to their online accounts. Facebook (probably not surprising to anybody reading this) is one of the biggest targets. Cybercriminals are increasingly targeting online accounts, and once they gain access they change the password and the recovery email. In many cases, this locks the owner out of the account permanently.
Facebook is rarely of help in these situations, famously taking weeks to respond – if they ever respond.
This got me thinking and I wanted to write a post explaining some things that you can do to protect yourself online. If you have any specific questions that you’d like answered or topics that you’d like covered, let me know! Today I’m going to explain two core security tools that you can easily implement: two-factor authentication and password managers.
WHAT IS TWO-FACTOR AUTHENTICATION AND WHY IS IT IMPORTANT?
Two-factor authentication (also called multi-factor, MFA, 2FA, 2-factor, or 2-step authentication) is an additional layer of security that you can enable for many of your accounts. It combines something you know (a password) with something you have (a hardware key, or a phone that receives or generates codes that you enter). Two-factor authentication protects you because even if your password is compromised, the attacker still needs access to the “something you have” to get the second component required to log in as you.
2FA comes in a variety of flavors, but the most basic flow works like this:
- Log in with your username and password
- A text message is sent to your phone
- Enter the code in the text message on the login screen
- You’re logged in
Other methods include:
- A two-factor app on your phone that manages codes for all of your services (like Google Authenticator, Authy, Okta, or Duo)
- A two-factor app that sends requests to your phone with a simple approve/deny option for logins after you enter your username and password
- A hardware key that you plug into a USB port (I use a YubiKey: $25, and it works with Google, Facebook, Twitter, Dropbox, and more.)
One point to remember: when enabling two-factor authentication, you are often provided with “backup codes” in case you can’t get to your phone, or your phone isn’t working. Save them somewhere safe. Print them and lock them away, or keep them in a safe place on your computer.
PASSWORD MANAGERS: FRIEND OR FOE?
One big cause of online accounts being taken over is password re-use. If John uses his favorite password on all of his online accounts and one of them gets hacked, that password can now be used to log in to any of his other accounts with little to no effort.
It’s hard to remember a unique password for every web service that you use! This is where password managers come in. Password managers can generate and store unique, secure passwords for you. Your password manager integrates with your browser and your phone to auto-fill these so you only need to remember the password to unlock your password manager.
Another benefit of using a password manager in your browser is that autofill can help prevent you from falling victim to phishing campaigns. This works because the manager only fills in your password at facebook.com, not at look-alike domains such as fac3book.com or faceb00k.com. Most password managers are relatively inexpensive, ranging from free to a few dollars a month.
Now, you’re probably asking me “Ethan, how safe are these password managers? Lastpass made the news with a security incident a few years ago, why should I trust a password manager?”
To this point, I refer you to security researcher Troy Hunt, who has an excellent discussion piece on password managers. Troy runs the famous Have I Been Pwned (“HIBP”) website, which compiles data found in web breaches so that consumers can be notified if information tied to their email address has turned up in a data breach. I encourage you to sign up for HIBP (it’s free, funded by donations and sponsors).
One of my favorite things about HIBP is that it can be integrated into password managers to warn you of breaches right where you keep your passwords.
WHAT ELSE CAN I DO?
Some services, such as Facebook, have a “Trusted Contacts” feature which lets you designate a few people who can help you recover your account if it’s ever taken over. This is sometimes handy, but you have to set it up ahead of time!