In the battle to protect our data, passwords are the first line of defense. Unfortunately, passwords are a pain to manage.
We're told not to use the same passwords over and over, and we're discouraged from using ones that are easy to guess, but the complicated passwords Web sites and IT managers prefer--and often require--are difficult to remember. Many people continue to use passwords that are too simple: Help Net Security's analysis of 32 million breached passwords found that nearly half were trivially easy to guess.
Password managers built into browsers, and master-password plug-ins such as LastPass and Siber Systems' RoboForm, let you sign in to many networks and Web sites with a single strong password, but the programs require that you store your passwords in a central online repository. Even if the repository is secure, it adds another potential access point for hackers.
(In the, Lance Whitney describes the recent data breach at LastPass, which appears to have been contained quickly by the company.)
Traditional two-factor authentication systems require a separate hardware token you plug into the PC to activate--as if we didn't already have too many devices to keep track of in our digital lives. Google and Facebook now let you use your mobile phone as an authentication device.
Google's complicated two-step verification
Securing my Google account with the service's two-step verification process took about 30 minutes--and several more than two steps. Open your account settings and click "Using 2-step verification" under Security in your Personal Settings. Choose the "Set up 2-step verification" button in the resulting dialog box to select the method you'll use to receive verification codes.
After you verify the phone number you selected, you can choose a backup method. The service will generate a series of backup codes you're instructed to print out and use when the phone you registered isn't available. Once you confirm that you've printed out the backup codes, you're prompted to register a backup phone.
If you use applications that tie into your Google account but don't support two-step verification, you're prompted to create app-specific passwords for them, each of which you'll have to enter only once. After you complete this step, you're asked to review the settings and activate the service, which signs you out of your account on all devices.
When you sign back in to your account, you're prompted to enter the verification code that was sent to the number you specified, either via text message or a voice call. I received the code via text to my Google Voice number in just a few seconds. You can choose the option to keep the authorization active for the next 30 days.
To review your authorization settings or disable the feature, return to your account settings, click "Using 2-step verification," and make any required changes.
Facebook's simpler approach to one-time passwords
After jumping through that long succession of hoops to protect my Google account, I found the Facebook approach to secure sign-ins refreshingly straightforward, though it works only in the U.S. Your first option is to text "otp" to 32665 to receive a temporary password on the mobile phone associated with your Facebook account. The password works only once and expires after 20 minutes.
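The two properties just stated, that a texted temporary password works only once and dies after 20 minutes, are easy to get wrong on the server side. The following is an added illustration written for this page, not Facebook's code; the account name, code alphabet and length, and the fake clock are assumptions made so it runs offline.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 20 * 60  # the 20-minute expiry described in the text
OTP_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: no 0/O/1/I confusion over SMS

class OtpStore:
    """Issues and verifies one-time passwords: one outstanding code per account,
    usable exactly once, rejected after OTP_TTL_SECONDS. `clock` is injectable
    so expiry can be tested without waiting."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> (sha256 of code, issued_at)

    def issue(self, account: str) -> str:
        # CSPRNG-generated code; issuing again replaces any earlier outstanding code.
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(8))
        self._pending[account] = (hashlib.sha256(code.encode()).hexdigest(), self._clock())
        return code  # this is the value that would be texted to the phone

    def verify(self, account: str, code: str) -> bool:
        entry = self._pending.pop(account, None)  # consume first: one attempt per code
        if entry is None:
            return False  # nothing outstanding, or already used
        digest, issued_at = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            return False  # expired, even if the code itself is right
        presented = hashlib.sha256(code.strip().upper().encode()).hexdigest()
        return hmac.compare_digest(digest, presented)  # constant-time comparison

class FakeClock:
    """Constructed test clock standing in for time.time()."""
    def __init__(self, now=0.0):
        self.now = now
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

def walkthrough():
    """Returns (first_use_ok, replay_ok, expired_ok) for the three cases in the text."""
    clock = FakeClock()
    store = OtpStore(clock)
    code = store.issue("alice")
    first = store.verify("alice", code)
    replay = store.verify("alice", code)       # same code presented a second time
    code2 = store.issue("alice")
    clock.advance(OTP_TTL_SECONDS + 1)         # twenty minutes and one second later
    expired = store.verify("alice", code2)
    return first, replay, expired
```

Popping the entry before checking it means a wrong guess also burns the code, which limits an attacker who intercepts nothing to a single guess per text message.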
You can also block sign-ins from PCs and devices you haven't approved. Start by opening Account Settings on the Account drop-down menu and choosing Account Security. Check the option under Login Approvals and click Save.
Other Account Security options let you activate secure browsing (https), receive a text or e-mail whenever an unrecognized computer or device tries to access your account, review your recent account activity, and sign out of active accounts remotely.
Limitations of mobile-based two-factor authentication
No data-security technique is 100 percent effective by itself. Using a mobile phone as part of the two-factor authentication process still leaves you susceptible to man-in-the-middle attacks, in which an attacker redirects you to a fraudulent site that looks like the real thing and passes the sign-in credentials you type there on to the legitimate site.
The legitimate site then sends the verification code to your phone; when you enter that code into the fraudulent site, the attacker relays it as well and captures it. Once the code is captured, the attacker has unfettered access to your account. The only way to prevent such an attack is to use up-to-date, real-time malware protection and to scan your system regularly for viruses. Keeping your fingers crossed couldn't hurt--though it will slow down your typing.