Our Amazon Pick (link for UK listeners): Google Nexus 7 Tablet PC – 8 GB
Our Amazon Pick (link for US listeners): Google Nexus 7 8GB Tablet
Recently, Wired writer Mat Honan had his digital life completely trashed. His Amazon account was hacked, his Google account destroyed and his Apple account broken into, just to name a few things. One of the things he could have done to limit the damage was to set up two-factor authentication.
When we sign on to different places on the web, there are three ways, or factors, that they can use to authenticate us. These are known as “something you know”, “something you have” and “something you are”.
Something you know would be something such as a username and password or a PIN code. Something you have would be something such as a phone or an RSA token. A lot of banks, such as HSBC, provide you with a small gadget with a small display that generates a time-sensitive one-time passcode. Google does this with Gmail as well.
</br>
Something you are: the way this works is that you use a part of your body to prove that you are you. A lot of laptops have a built-in fingerprint scanner where you swipe your finger across it in order to log into your laptop.
We looked at two-factor authentication by using something you know alongside something you have. We did this first with Gmail (Google’s email service). To do this you need the following:
- A Gmail account(which is also your Google account)
- A mobile phone
Open your favourite web browser, go to the Google home page and log in with your Google account. Click on your name and click on Account. Click on Security, find two-step verification (another name for two-factor authentication) and click on the Edit button. You will be asked to enter the phone number you want your code to be sent to. Your code will be sent to your phone momentarily.
You can then choose to flag the computer as a “trusted” computer. This means that you won’t have to enter a time-sensitive one-time passcode on it again. If you’re at work or on holiday, leave this setting disabled. Google will also allow you to print off a list of backup passcodes which you can store away in your wallet.
For some other applications, such as Microsoft Outlook, Gmail clients, Calendar Sync and many others that can’t prompt for a second factor, you will need application-specific passwords.
You can also enable two-factor authentication on other services (such as Dropbox and LastPass) using a smartphone app called Google Authenticator. To do this, here’s what you’ll need:
- A Dropbox or a LastPass account (both are free to set up)
- The Google Authenticator app for iOS or Android
- An iPhone or Google Android phone
Starting with Dropbox, go to the Dropbox home page and sign in. Click on your name and click Security. At the bottom of the page find the two-step verification setting and click Edit. On your phone, launch the Google Authenticator app and hit the plus button at the bottom of the screen. Then tap “scan barcode” and use your camera to get the barcode inside the marked area.
Once you have done this, simply type in the code that Google Authenticator gives you and you’re good to go. You will then be given an emergency backup code to use should you lose your phone.
With LastPass it’s a similar process. Log into your account by clicking the LastPass icon in your web browser. Then click on the icon again and click on “My LastPass Vault”. Click on Settings and choose the Security tab. Launch Google Authenticator on your phone, click the plus button and tap “scan barcode”. Use your camera to scan the barcode.
In the same place, find the drop-down menu called “Google Authenticator authentication”. Click it and select “Enabled”. If you’re asked to, type in your LastPass master password and click Update.
There are other places on the web that use two-factor authentication, such as PayPal, Box.net, Yahoo Mail and Amazon Web Services. All of these, and others, allow you to have a one-time passcode sent to your phone by text message (SMS). Dreamhost (a web hosting company) also does this using Google Authenticator.
If a hacker does get hold of your password, he will still need a time-sensitive one-time passcode from your phone or RSA token in order to get into your account. Each code is only good for somewhere between 30 seconds and a minute, after which a new code must be generated. Essentially it’s like burning a log of wood: once you have burnt it, you can’t get the wood back and burn it again. It might be slightly inconvenient, but in the end you’re giving up some convenience in return for security.
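To show what the barcode and the time-sensitive codes described above actually are, here is an added example (not code from the podcast, Google Authenticator, Dropbox or LastPass) that generates Google Authenticator-style codes the standard way (HOTP per RFC 4226 stepped by a 30-second clock per RFC 6238, HMAC-SHA1, six digits) and implements the server-side check that makes a code “burn” after one use. The shared secret is the published RFC test vector, and the Dropbox account name is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    # Authenticator apps carry the shared secret as base32; pad it before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret_b32, unix_time // step, digits)


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The text a provisioning barcode carries, in the Google Authenticator key URI format."""
    return f"otpauth://totp/{issuer}:{account}?secret={secret_b32}&issuer={issuer}"


class TotpVerifier:
    """Server side: accept a code for the current window (plus clock skew), and never twice."""

    def __init__(self, secret_b32: str, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret_b32, step, skew
        self.last_counter = -1          # highest window already spent by a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue                # that window is already burnt: a replay is rejected
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


# RFC 6238 SHA-1 test secret (ASCII "12345678901234567890" in base32); constructed account name.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
ENROLL_URI = otpauth_uri("Dropbox", "alice@example.com", TEST_SECRET)
```

At Unix time 59 the secret above yields 287082, the value in the RFC's own table, and the verifier accepts it once and refuses the same digits a few seconds later or in a later window.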