I am assuming you have already heard about the Heartbleed bug. If not, here’s what it is: most websites use a technology called OpenSSL to communicate securely between users and servers. The servers were compromised due to a vulnerability in the OpenSSL code. Because of this vulnerability, hackers may have gained access to millions of usernames and passwords. Your login credentials on many websites are most probably compromised. This breach is not the first time hackers have gained access to usernames and passwords. And I’m sure this won’t be the last time.
Usernames and passwords are gatekeepers to your digital identity. When usernames and passwords are compromised, your digital identity is at risk. If your login credentials are misused, it may take years to recover from the damage. Whether it is your personal brand or your business, securing your digital identity is extremely important.
This brings us to the following important questions:
- As a user, how can you safeguard your usernames and passwords on frequently used websites?
- Is there a way to ensure your usernames and passwords are useless to hackers even if websites are hacked and your credentials leaked?
- How do you add one more level of security and prevent unauthorized access to your email, Facebook, Twitter, LinkedIn, or any other website that defines your digital identity?
The answer is two-step authentication.
Two-step authentication (also known as two-factor authentication or two-step verification)
What is two-step authentication? The first step when you log on to a website is to enter your username and password on the login page. Some websites have added another layer of authentication: in addition to your username and password, the website sends a security code to your phone via SMS or shows you a code from a code generator. If an unauthorized user tries to use your login credentials from an unknown location or browser, a code is sent to your cell phone. Without this code, it is impossible to log on to the website even if an unauthorized user knows your username and password. With two-step authentication, you can ensure your login credentials alone are useless to any unauthorized user.
To summarize, here’s what you do when using two-step authentication:
- Step 1: Enter the username and password.
- Step 2: Enter the code sent to you (via SMS or a code generator). Step 2 is required only when you log on from a new browser or location.
Two-step authentication is a very powerful feature. However, in my humble opinion, this feature is hidden from the user and not marketed well.
How to enable two-step authentication?
Let’s see how to enable two-step authentication on frequently used websites. As I mentioned earlier, this feature is hidden deep inside websites: users need to navigate multiple menus, pages, and workflows to enable it. Here are a few examples of how to enable two-step authentication for services like Gmail, Facebook, and LinkedIn.
Gmail
1) Log on to your Gmail.
2) Click your email address at the top right corner.
3) Click Account.
4) Click Security.
5) Click Setup.
6) Click Start setup.
7) Specify your cell phone number. Click Send code.
8) Enter the code and click Verify.
9) Select Trust this computer. (If this is your personal computer, it may be a good idea to select this option.) Click Next.
10) Click Confirm to turn on Two-step verification.
These settings take effect only after you log off Gmail and log on again. From now on, each time you (or an unauthorized user) try to log on with your username and password from a different browser or location, Gmail sends a code to your cell phone. Without this code, no one can log on to your Gmail account.
This is what you see when you try to log on to Gmail from a new browser:
Facebook
Facebook has built an amazing code generator into the Facebook app for smartphones. Instead of an SMS, you can choose to use the Facebook Code Generator for two-step authentication. A unique code is generated every 30 seconds right on your smartphone!
1) Log on to Facebook.
2) Go to Settings.
3) Click Security.
4) Click Edit for Login Approvals.
5) Select Require a security code to access my account from unknown browsers. Click Save Changes.
6) This message is displayed. Click Get Started.
7) Select the kind of phone you use. Select Android, iPhone or iPod Touch. Click Continue.
8) Open the Facebook app on your iPhone or Android phone. Go to Menu > Code Generator and tap Activate. A code is shown in your Facebook app, and a new code appears every 30 seconds.
9) Enter the security code shown on your smartphone into Facebook on the browser. Click Confirm.
You are now protected by two-step authentication using the Facebook Code Generator. Each time you access your Facebook account from a different browser, you will be asked to enter a code from the Facebook Code Generator on your smartphone in addition to your username and password.
This is what you see when you try to log on to Facebook from a new browser:
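The page describes the Facebook Code Generator showing a new code every 30 seconds; that is the behaviour of time-based one-time passwords (RFC 6238), which authenticator apps derive from a secret shared at setup plus the current 30-second time step. As an added example, not code from the page or from Facebook, the Python below generates such codes and shows the server-side check that tolerates one step of clock drift and rejects a code that was already used; the secret is the public RFC 4226/6238 test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public RFC 4226/6238 test-vector secret (ASCII "12345678901234567890" in base32);
# a real service issues a random secret per account at enrolment.
TEST_VECTOR_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # a fresh code every 30 seconds, as the page describes


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Server side: accept the current step and its neighbours (clock drift),
    but never accept a step at or before the last accepted one, so a code that
    was already used (or captured and entered late) is rejected."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # replay or stale code: reject
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # What a code-generator app would display right now for this secret.
    print("current code:", totp(TEST_VECTOR_SECRET_B32, int(time.time())))
```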
LinkedIn
1) Log on to LinkedIn.
2) Go to Account and Settings (click Review).
3) Click Account.
4) Click Manage security settings.
5) Click Turn On for Two-step verification for sign-in.
6) Enter your cell phone number. Click Send Code. A code is sent to your cell phone via SMS.
7) Enter the code and click Verify.
Two-step authentication is now turned on for LinkedIn. Each time you access your LinkedIn account from a different browser, a code is sent to your cell phone. You must enter this code in addition to your username and password to log on.
This is what you see when you try to log on to LinkedIn from a new browser:
A final word…
Whether it is a keylogger stealing your password on a public computer or a hacker breaking into a secure server, your digital identity is always safer with two-step authentication. Even if your usernames and passwords are compromised, two-step authentication keeps your accounts safe with security codes. Even if an unauthorized user captures your username, password, and a security code, they are of no use on another browser. If your usernames and passwords are leaked, they are useless without the current security code from two-step authentication.
Two-step authentication will not protect servers from hackers. Hackers have stolen over 900 Social Insurance Numbers (SINs) from Canada Revenue Agency systems. Many online services are planning to update their systems to protect against Heartbleed; for example, BlackBerry plans to release a Heartbleed patch for BBM. As a user, there is not much you can do to protect your information on government systems or enterprise services, since they are out of your control.
However, your online accounts are better protected if you use two-step authentication. Whether it is the Heartbleed bug, malware, a virus, or an unauthorized intrusion, your usernames and passwords are useless to any unauthorized user. Twitter, WordPress, and many other online services now offer two-step authentication.
The security of your digital identity is fragile. So stay safe, stay protected, and secure your digital identity before it’s too late.
[Edited by: Prarthna Sri]