Culture

Use your mobile phone for secure Web sign-ins

Take advantage of two-factor authorization and onetime passwords to sign in to Google and Facebook safely from public PCs or other untrustworthy locations.

Dennis O'Reilly Former CNET contributor

Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.

See full bio

Dennis O'Reilly

May 29, 2011 4:39 p.m. PT

3 min read

In the battle to protect our data, passwords are the first line of defense. Unfortunately, passwords are a pain to manage.

We're told not to use the same passwords over and over, and we're discouraged from using ones that are easy to guess, but the complicated passwords Web sites and IT managers prefer--and often require--are difficult to remember. Many people continue to use passwords that are too simple: Help Net Security's analysis of 32 million breached passwords found that nearly half were trivially easy to guess.

Related links
• Are passwords our best security option?
• Keep your data safe by following the Password Commandments

Password managers built into browsers, and master-password plug-ins such as LastPass and Siber Systems' RoboForm, let you sign in to many networks and Web sites with a single strong password, but the programs require that you store your passwords in a central online repository. Even if the repository is secure, it adds another potential access point for hackers.

(In the CNET Security blog, Lance Whitney describes the recent data breach at LastPass, which appears to have been contained quickly by the company.)

Traditional two-factor authentication systems require a separate hardware token you plug into the PC to activate--as if we didn't already have too many devices to keep track of in our digital lives. Google and Facebook now let you use your mobile phone as an authentication device.

Google's complicated two-step verification
Securing my Google account with the service's two-step verification process took about 30 minutes--and several more than two steps. Open your account settings and click "Using 2-step verification" under Security in your Personal Settings. Choose the "Set up 2-step verification" button in the resulting dialog box to select the method you'll use to receive verification codes.

Google 2-step verification wizard: phone selection — Pick the phone number and method you'll use to receive Google's sign-in verification codes. screenshot by Dennis O'Reilly/CNET

After you verify the phone number you selected, you can choose a backup method. The service will generate a series of backup codes you're instructed to print out and use when the phone you registered isn't available. Once you confirm that you've printed out the backup codes, you're prompted to register a backup phone.

Google 2-step verification wizard: backup phone registration — Register a backup phone number to use to receive Google's verification codes if your primary line is unavailable. screenshot by Dennis O'Reilly/CNET

If you use applications that tie into your Google account but don't support two-step authorization, you're prompted to create passwords specifically for those apps that you'll have to enter only once. After you complete this step, you're asked to review the settings and activate the service, which signs you out of your account on all devices.

Google 2-step verification wizard: activation — Activate Google's two-step authorization after reviewing your settings. Activation signs you out of Google services on all your devices. screenshot by Dennis O'Reilly/CNET

When you sign back in to your account, you're prompted to enter the verification code that was sent to the number you specified, either via text message or a voice call. I received the code via text to my Google Voice number in just a few seconds. You can choose the option to keep the authorization active for the next 30 days.

Google 2-step verification screen — Enter the verification code sent via text or voice to the number you specified to access your Google account the first time you set up the service. screenshot by Dennis O'Reilly/CNET

To review your authorization settings or disable the feature, return to your account settings, click "Using 2-step verification," and make any required changes.

Google 2-step verification settings — Change or disable your two-step authorization settings via these options, which include the ability to clear your phone and backup-code info. screenshot by Dennis O'Reilly/CNET

Facebook's simpler approach to onetime passwords
After jumping through that long succession of hoops to protect my Google account, I found the Facebook approach to secure sign-ins refreshingly straightforward, though it works only in the U.S. Your first option is to text "otp" to 32665 to receive a temporary password on the mobile phone associated with your Facebook account. The password works only once and expires after 20 minutes.

You can also prevent access to your account from unauthorized PCs and devices. Start by opening Account Settings on the Account drop-down menu and choosing Account Security. Check the option under Login Approvals and click Save.

Facebook Account Security settings — Activate sign-in approvals in Facebook via the Account Security options on the main Account Settings page. screenshot by Dennis O'Reilly/CNET

Other Account Security options let you activate secure browsing (https), receive a text or e-mail whenever an unrecognized computer or device tries to access your account, review your recent account activity, and sign out of active accounts remotely.

Limitations of mobile-based two-factor authorization
No data-security technique is 100 percent effective by itself. Using a mobile phone as part of the two-factor authorization process leaves you susceptible to man-in-the-middle attacks, where a bad guy redirects you to a fraudulent site that looks like the real thing and passes your sign-in credentials to the legitimate site.

This information is used to send the real site's authorization code. Once the code is captured, the bad guy has unfettered access to your account. The only way to prevent such an attack is to use up-to-date, real-time malware protection and to scan your system regularly for viruses. Keeping your fingers crossed couldn't hurt--though it will slow down your typing.