A guide to two-factor authentication, the two-part security test for your online accounts and devices

Two-factor authentication, or 2FA, uses multiple tests or devices to keep your accounts secure.

  • Two-factor authentication is a security measure that makes you pass two security tests before gaining access to your account or device.
  • As hackers and hacking systems become more advanced, experts say passwords alone are not enough to keep your data secure.
  • Many apps and websites give users the option to use two-factor authentication, but it’s also something users can set up for themselves.

You can never be too careful with your information online.

Hackers are becoming more sophisticated, and while developers continually come up with new methods to make sites and devices more secure, hackers can still find ways around them. As a result, a password alone may not be enough to protect your important accounts from cybercriminals.

Lately, more businesses and services have been adding two-factor authentication as an optional feature for their online logins. Certain industries require two-factor authentication as a security practice, and most internet security experts would tell you that adding two-factor authentication is not only a good idea but an increasingly necessary step for ensuring your online security.

What to know about two-factor authentication

Two-factor authentication, also referred to as 2FA or two-step verification, is a method of confirming your identity by asking you to pass two security tests. It’s a way for a site or a system to ensure that it’s really you logging in and not a sophisticated robot or a hacker.

After you enter your password, you’ll be asked to pass a second test, which will vary depending on the site you’re using.

2FA forces hackers to come up with solutions to two unique problems, rather than one. It’s also constantly evolving because hackers seem to eventually come up with solutions to said problems. One early form of 2FA was the security question, but years of predictable questions and answers left that method vulnerable to hackers.

Types of two-factor authentication

Things have gotten more complex since the days of the security question – hackers and robots have gotten more advanced, so security challenges have, too. There are now five common types of 2FA.

Text or voice-based 2FA

This type of two-factor authentication will usually prompt you to enter your phone number and choose whether you would like to receive a text message or a phone call to have your identity verified.

If you’re logging in to a multi-use account, after you have done this once, your preferences will usually be remembered for next time, with your permission.

If you choose a phone call, an automated system will call your number and ask you to verbally confirm that you are logging in.

If you choose text, you will most likely be sent a text message with a link that will automatically log you in and redirect to the site or app’s landing page. However, some older forms of this feature may simply send you a text asking you to send a reply text confirming that you logged in.

It’s important to note that, even if you know a site utilizes this form of authentication, they will never ask you for information like your username or password over SMS or a voice call. If you are ever asked for this info, you should block the number immediately – this is a common phishing scam.

Additionally, if a site you use has an option to set up this feature and you haven’t done so yet, you should do it as soon as possible, or set up some form of 2FA for that account immediately. If you don’t, a hacker who was able to get in using only your password might be able to set it up with their own number.

Hardware tokens

Hardware tokens are the oldest form of 2FA out there and they are relatively uncommon today, mostly because they’re expensive, easy to lose, and, while still incredibly secure, not entirely invulnerable to hacking.

A hardware token is a device that generates a new, randomized code every 30 seconds. When you want to log into the associated account, you simply look at the device and enter the code displayed on it. With newer versions, you plug the device into your USB port and it enters the code for you.

Other tokens seek to authenticate your identity, but hardware tokens sidestep that issue entirely, operating under the assumption that whoever has it is already qualified to get into the system.

Software tokens

These tokens combine the best factors of SMS and hardware-based 2FA, while eliminating some significant issues each of the other methods faces.

Software tokens work exactly like hardware tokens, as described above, but rather than using a physical device to generate a password, they’re an application that you install to generate a password automatically.

These tokens are sometimes attached to specific websites; CAPTCHA is one method employed by many sites in order to confuse robot password hackers with a visual question. However, you can also download and set up your own software token application – they’re an excellent and reliable way to stay secure online, and they work whether you’re using a desktop computer, a smartwatch, or anything in between.

Push notifications

When you’re logging into a website, chances are you’re using what’s called a secure connection. Basically, this means that, during the time your device and the site are communicating, the site is masking all of the communications involved to make them difficult for hackers to penetrate.

Push-notification 2FA merely takes advantage of this secure connection while you’re using it. Essentially, when you log in, it sends a signal to the server to send a push notification with a unique one-time code that completes your login.

This is basically an improved form of the SMS-based 2FA outlined earlier – the difference is that this one eliminates opportunities for phishing scams to take advantage of unsuspecting users, and, more importantly, stops man-in-the-middle attackers from intercepting login links.

The only drawback to this method is that it doesn’t work very well in areas with spotty internet service.

Biometrics

There’s an even more secure way to confirm your identity than any of these 2FA methods though, and people have been using it since even before there were computers – we just didn’t figure out how to implement it digitally until recently.

Once used as a sci-fi trope and associated with top-secret access, fingerprint scanners can be found on a number of devices people use every day, like phones and laptops. Other forms of biometric identification – methods of confirming your identity using factors unique to your biology – are also on the rise, most notably facial recognition.

Some organizations, especially apps on your phone that deal with money, like PayPal or whatever virtual banking app you may use, already use two-factor authentication, in a sense. If you have a phone that allows for fingerprint or facial recognition, these apps work with its software to allow you to store your username and password in your device, and have the device fill it in for you as long as it recognizes you.

Currently, the only issues with this technology are that not all devices have a fingerprint scanner or facial-recognition technology, and facial recognition is relatively in its infancy.

Why two-factor authentication is important

Two-factor authentication has become an increasingly important security measure as hackers and hacking systems have become more sophisticated over time. In fact, advanced hackers can easily use one unlocked account to unlock dozens, if not hundreds, of others.

These days, hackers aren’t just sitting at the computer typing away, hoping and guessing at random numbers and letters. They have algorithmic programs that test hundreds of common patterns and combinations in seconds. If your specific username or password hasn’t been guessed by these machines already, it’s most likely sheer luck. Once one password has been guessed, chances are they’ll be able to use that combo to hack into other common sites as well.

Even if you’re taking all the proper precautions and using the smartest, most obscure usernames and passwords you can think of, making them unique every time, you’re still vulnerable. You’re just a little less vulnerable than other people with simpler ones – and even then, you’re making way more work for yourself than you need to.

Human memory is faulty, and the more we get comfortable online, the more passwords we’ll have to create and remember to stay secure. Setting up two-factor authentication frees you from that burden, while still giving you the peace of mind of knowing you’re much more secure against cyberattacks.

How to enable two-factor authentication

If you’re not looking to buy a hardware token or download and install a separate software token in order to protect your accounts, there’s still good news for you. Most major websites, apps, and devices already have 2FA capability that you have the option to set up with your account.

Here’s a brief list of guides on how to set up two-factor authentication on some of the most popular sites, apps, and devices:

Read the original article on Business Insider

Is Dropbox secure? Here’s how Dropbox has improved its security measures, and what you can do to protect yourself

Dropbox is a cloud storage and file hosting system that has previously received backlash over security concerns.

  • Dropbox is secure thanks in part to its 256-bit AES encryption, but the service has been hacked in the past.
  • Because Dropbox is relatively secure, the largest vulnerabilities are often the end users and their security hygiene. 
  • To be safe, you should enable two-factor authentication, be wary of public folder sharing, and consider using file-level encryption.

Dropbox is one of the most popular cloud storage solutions in the world, supporting more than 14 million paying customers as of December 2019. Like most online services that have a long history dating back to the early days of the web, Dropbox’s past includes hacks and data breaches. 

The most infamous incident included the theft of more than 68 million account credentials in 2012 (hackers tried to sell this data in 2016), and the hack led to the company resetting passwords for millions of accounts in 2016. 

How Dropbox has increased its security level

In the years since, Dropbox has shored up its security substantially. Today the service’s 256-bit AES encryption and support for additional security tools like two-factor authentication are competitive.

Dropbox’s security is bolstered by 256-bit AES encryption.

The service authenticates all user connections to the server, whether it’s via a web browser or mobile app, and Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect data as it moves between Dropbox’s users and the servers.

Moreover, Dropbox routinely tests its own hardware, software and processes for security vulnerabilities, and makes sure to alert users if Dropbox detects an attempted login from a new device or location. There have been no known large-scale hacks on Dropbox since 2012.  

How Dropbox may be vulnerable

“Their current encryption standards make the odds of a hack less likely, but no cloud-based solution is completely safe from new and emerging threats,” said Kristen Bolig, founder of SecurityNerd. 

Aside from the risk of an attack on Dropbox itself, one of the most dangerous vulnerabilities is on the user end of the Dropbox experience. Users – especially corporate customers – routinely face phishing attacks and social engineering attacks designed to trick people into giving up credentials and access to accounts. 

And not all security concerns originate with hackers and criminals. Dropbox’s user base crosses international boundaries, and Dropbox may opt to share user data with government agencies and law enforcement from time to time – the service has formal guidelines that dictate its behavior based on official requests. 

How to protect yourself as a Dropbox user

All that means your risk of a data breach with Dropbox is low, but not zero, and there are steps you can take to ensure your own security. 

Chris Hauk, consumer privacy advocate with Pixel Privacy, recommended enabling Dropbox’s two-factor authentication. “This ensures that if a third-party attempts to log into your Dropbox account, you will be notified via email or text message.” 

Two-factor authentication is an easy step you can take to ensure Dropbox remains secure.

Simple human error is also a risk – Dropbox allows users to store files in easily exposed public folders, for example, so it’s important to be careful about where files are placed. 

And for the ultimate in security, both from accidental public folder disclosures as well as hacks, security experts like Security.org’s Chief Editor Gabe Turner suggest using file-level encryption on important files stored on Dropbox. You can encrypt and password-protect documents created in Microsoft Office, for example, or with a third-party app. 

This eliminates the risk of Dropbox itself accessing your files with the company’s own encryption key or handing your information to government authorities. 
