Protecting Online Data Using 2-Factor Authentication

About the author: Vico Marziale, PhD is a Managing Partner of 504ENSICS Labs, specializing in cutting-edge research and development of tools and techniques for digital forensics and computer security.


Maybe you’ve heard something about the National Security Agency spying on Americans, Chinese hackers breaking into, well, just about everywhere, or email phishing campaigns targeted at specific high-value businesses?

If not, you should be aware that people are constantly trying to break in and get access to your (and your clients') data. While you may not be able to stop the NSA from stealing what they want, there are some simple steps you can take to gain a level of protection from your typical non-government hacker.

One of the easiest and most effective ways to protect online accounts, such as web-based email, is called “2-factor authentication.”

This slightly strange sounding term refers to a pretty simple concept:

Right now, when you log into an email account, for example Gmail, your password is what you use to authenticate – prove you’re you – to Google’s email server. This is single-factor (your password) authentication. The problem here is that hackers are constantly trying to guess or steal that password. (Yes, having a strong password helps, but not as much as you might think – Google “keylogger.”) Having that password means they have access to all of your online mail.

2-factor authentication means using two methods to authenticate yourself to the email server. Usually the second method makes use of your cell phone. It works like this: the first time you set it up, Google will send a text message to your phone containing a short code that you must also enter on the login page. The server then knows that it’s you at the keyboard and allows you access to your mail. As long as you’re using the same computer, it will only periodically (once a month or so) text you a new code to enter the next time you log in.

The effect? Let’s say I stole your password (I swear I wouldn’t, but I probably could).

If I now go to my computer and try to log in to your account to snoop on all of your email, Google will notice that I’m trying to log in from a different machine. Since Google doesn’t know who is trying to log in, it sends you a text message with a new code, and requires that code to get in. Since I didn’t get the code sent to me, I’m denied access. Simple, eh?
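To make the mechanism concrete, here is an added simulation of the server side of the scheme just described; it is illustrative code written for this page, not Google's implementation. The server checks the password first, then sends a one-time code to the phone on file unless the login comes from a computer it already trusts, and trust lapses after a month so the same computer is challenged again. The user name, phone number, password, time limits and the `sms_outbox` stand-in for the phone network are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed parameters for this simulation, not values from any real provider.
TRUST_TTL = 30 * 24 * 3600   # a remembered computer is re-challenged roughly monthly
CODE_TTL = 5 * 60            # a texted code is only valid for five minutes
MAX_CODE_ATTEMPTS = 3        # wrong guesses before the code is thrown away
PBKDF2_ROUNDS = 100_000

# Stand-in for the phone network: codes "texted" to a number are appended here.
sms_outbox: dict[str, list[str]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


class AuthServer:
    def __init__(self) -> None:
        self.users: dict[str, dict] = {}        # user -> salt, password hash, phone
        self.trusted: dict[tuple, float] = {}   # (user, device) -> trust expiry time
        self.pending: dict[tuple, dict] = {}    # (user, device) -> outstanding code

    def register(self, user: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": _hash_password(password, salt), "phone": phone}

    def _send_code(self, user: str, device: str, now: float) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit one-time code
        # Only a digest of the code is kept server-side; the clear code goes to the phone.
        self.pending[(user, device)] = {"hash": _digest(code), "expires": now + CODE_TTL, "attempts": 0}
        sms_outbox.setdefault(self.users[user]["phone"], []).append(code)

    def login(self, user: str, password: str, device: str,
              code: Optional[str] = None, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        rec = self.users.get(user)
        # Factor 1: the password, compared in constant time against the stored hash.
        if rec is None or not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
            return "denied_password"
        key = (user, device)
        # A computer the server already knows, whose trust has not lapsed, needs no code.
        if self.trusted.get(key, 0.0) > now:
            return "ok"
        # Factor 2: a code texted to the phone on file for this user.
        if code is None:
            self._send_code(user, device, now)
            return "code_sent"
        chal = self.pending.get(key)
        if chal is None or chal["expires"] < now:
            self.pending.pop(key, None)             # expired or never issued
            return "denied_code"
        if not hmac.compare_digest(_digest(code), chal["hash"]):
            chal["attempts"] += 1
            if chal["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[key]               # stop online guessing of the six digits
            return "denied_code"
        del self.pending[key]                       # a code is accepted exactly once
        self.trusted[key] = now + TRUST_TTL         # remember this computer for a while
        return "ok"


def demo() -> list[str]:
    """Replays the scenario in the article; returns the outcome of each attempt in order."""
    server = AuthServer()
    phone = "+15550100"                                   # constructed number
    server.register("alice", "correct horse", phone)      # constructed user and password
    t0 = 1_700_000_000.0
    out = []
    # First login from Alice's own laptop: password ok, code texted, then accepted.
    out.append(server.login("alice", "correct horse", "alice-laptop", now=t0))
    out.append(server.login("alice", "correct horse", "alice-laptop", sms_outbox[phone][-1], now=t0))
    # Same laptop an hour later: still trusted, no new code needed.
    out.append(server.login("alice", "correct horse", "alice-laptop", now=t0 + 3600))
    # Someone holding the stolen password tries from another machine: the code goes to
    # Alice's phone (an unexpected text is her signal that the password has leaked).
    out.append(server.login("alice", "correct horse", "attacker-pc", now=t0 + 3600))
    wrong = "000000" if sms_outbox[phone][-1] != "000000" else "999999"   # guaranteed-wrong guess
    out.append(server.login("alice", "correct horse", "attacker-pc", wrong, now=t0 + 3600))
    # A month on, the laptop's trust has lapsed and it is challenged again.
    out.append(server.login("alice", "correct horse", "alice-laptop", now=t0 + TRUST_TTL + 1))
    # A wrong password never gets as far as the second factor.
    out.append(server.login("alice", "wrong", "alice-laptop", now=t0))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Two details matter beyond the article's description: the code is single-use, expires quickly and is discarded after a few wrong guesses, so a password thief cannot simply try all six-digit values; and the unexpected text message itself is a useful warning to the account owner that the password is already in someone else's hands.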

Now, take a minute and think of all the interesting stuff you have stored in your email account. Also, is this the email account you use for password resets for other online accounts like your banking?

Now, go and set up two-factor authentication.

P.S. Other websites support 2-factor authentication including Facebook, LinkedIn, and Twitter.