When we refer to login credentials we mean your user name and password. Online accounts require login credentials. Devices usually require credentials but they might be optional. It seems like everyone wants you to create an account, so it’s helpful to think in terms of high-risk accounts and low-risk accounts. High-risk accounts are the kind which, if accessed by a bad guy, could easily lead to having your money or identity stolen.
Email and social media accounts can also be used by scammers who want to impersonate you in order to scam others. Low-risk accounts are everything else – news or sports websites, for example.
How Passwords Are Stolen
Understanding how bad guys obtain passwords will explain why basic password hygiene is so important.
Sadly, no matter how good your password is, there is always a risk that your account can be compromised. You might have your password stolen by a clever phishing attack. A hacker might convince a customer service rep to reset your password and direct the reset email to the hacker.
You should read the well-known case where a Wired reporter had his credentials stolen by hackers who tricked Apple’s customer service representatives, resulting in the reporter’s laptop and phone being wiped clean (all those photos gone!), email account deleted, and Twitter account taken over, where terrible messages were sent out under the writer’s name. Dual-Factor Authentication (DFA) would have stopped this.
Some websites have begun to require it, but it is still optional for many. All of your high-risk websites should have dual-factor authentication turned on.
What is Dual-Factor Authentication
Dual-Factor Authentication (sometimes called Two-Factor or Multi-Factor Authentication) refers to account security where you cannot get in without two of the following: something you know, something you have, or something you are.
Your username and password are two things you know, which means that if someone else knows those two things, they can access your accounts. Username and password are not Dual-Factor Authentication.
An ATM Card and PIN are something you have (the card) and something you know (the PIN), so it is Dual-Factor. If your card is stolen, the thief can’t use it without the PIN. If someone learns your PIN, it’s useless without the card.
Something you are refers to biometrics, which is a method of authentication using unique information about our bodies like a fingerprint, retinal scan, or facial recognition. Requiring both a password (know) and a thumbprint (are) would be Dual-Factor Authentication.
Websites have implemented Dual-Factor Authentication a few different ways. The most common is to ask for your mobile phone number, and when you want to log in a code (usually 6 digits) is texted to you. You are then asked to type in the code. This way, you must log in using your credentials (something you know), but anyone without your mobile phone (something you have) won’t be able to get the code. Some websites give you the option of emailing you the code or calling you with it.
Some websites allow you to designate your computer a “trusted” computer, which means that it doesn’t ask you for the second factor every time you log in from that computer. In a way, you are designating that computer or device as something you have, so it becomes the second factor. If a hacker with your credentials can get access to that computer they could still access your accounts, but they cannot if they’re sitting halfway around the world.
While the Dual-Factor Authentication method above is vastly better than not using it at all, there is an even more secure way to implement DFA. This is because clever hackers have actually figured out how to replicate your mobile phone by tricking your phone company into activating your phone number on a SIM card (the tiny chip that identifies your phone) that the hacker controls. If a hacker manages to take over the phone number on your account this way, they can also intercept the second factor.
Thus, a more secure technique is to install an Authenticator App. The most popular Authenticator Apps right now are Google Authenticator and Authy. Some password managers like 1Password and LastPass also have Authenticator Apps built in.
To use an Authenticator App, you install the app on your phone and, when you turn on DFA on a website, the website will show a QR Code (that square weird-looking bar code). You use your phone’s camera to read the code, and the App sets up a new authenticator for that website. The authenticator then generates a new 6-digit code every 30 seconds.
Now, rather than the website texting you the code, you just open up your authenticator app and type the 6-digit code it shows into the website. Because the authenticator is synced with the website for your account, the website accepts the 6-digit code.
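To make the “synced” part concrete, here is an added example (not code from the original post or from any authenticator app) of what the phone and the website are each computing. Both sides hold the same secret, which is what the QR code carried during setup; each turns the current time into a 30-second counter and runs it through a keyed hash (HMAC-SHA1, the default Google Authenticator uses), and the last six digits of the result are the code. The secret below is the published RFC 6238 test-vector secret, so the values are checkable; the verify function on the website side is my own illustration of two checks a site should do: accept a neighbouring time step to tolerate clock drift, and refuse to accept a code that was already used.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Secret shared between phone and website. This is the RFC 6238 test-vector
# secret ("12345678901234567890" in base32), used here only so the numbers
# can be checked; a real site generates a random secret per account.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then 'dynamic truncation'."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is simply how many 30-second steps have elapsed.
    The phone app runs exactly this to display the code; no network needed."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1,
                last_used_counter: int = -1) -> Optional[int]:
    """Website-side check. Returns the time-step counter that matched, or None.

    - skew: also accept codes from the previous/next step so a phone whose
      clock is a few seconds off still works.
    - last_used_counter: the site stores the counter of the last accepted code
      and never accepts that step (or an earlier one) again, so a code that a
      thief saw being typed cannot be replayed within the 30-second window.
    - hmac.compare_digest: constant-time comparison, so response timing does
      not reveal how many digits were right.
    """
    if not (submitted.isdigit() and len(submitted) == 6):
        return None
    now_counter = unix_time // step
    for counter in range(now_counter - skew, now_counter + skew + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Demo: phone shows a code, website checks it, then refuses a replay.
    now = int(time.time())
    shown = totp(RFC_TEST_SECRET_B32, now)
    used = verify_totp(RFC_TEST_SECRET_B32, shown, now)
    print("phone shows", shown, "-> website accepted step", used)
    print("same code again ->", verify_totp(RFC_TEST_SECRET_B32, shown, now, last_used_counter=used))
```

The values are easy to spot-check against RFC 6238 Appendix B: with this secret, the 6-digit code at Unix time 59 is 287082 and at 1111111109 it is 081804 (the RFC lists them as the last six digits of its 8-digit outputs). Note what is not in the code: the phone never talks to the website after setup, which is why a thief who has taken over your phone number learns nothing, and why the secret shown in the QR code must be treated like a password.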
Now, the only way a bad guy can get into your account, even if he steals your credentials, is with your specific Authenticator App on your phone synced to your account.
The latest in DFA is authenticator dongles (also called keys or tokens). This is basically a small USB device that you plug into your computer to authenticate yourself. The dongle is something you have.
It's a lot, I know
So there you have it, excruciating detail on password protection. If I missed anything, or you disagree with anything here, please feel free to post in the comments.
If this seems overwhelming and you want to make things easier for yourself, follow the Weekly Privacy Prompt. There we will gradually walk you through everything you need to know to protect yourself.
Ryan Kriger is an Assistant Attorney General for the State of Vermont. He writes on privacy and data security and teaches about privacy, consumer protection and policy at the University of Vermont.