Improve your password security through two-factor authentication: Internet Scambusters #637
If you're not a techie, password security through "two-factor authentication" may sound as if it's beyond your skills.
But it's not. In most cases, it's straightforward thanks to step-by-step instructions from many providers.
In this week's issue, we'll explain the process and tell you where to get more easy-to-follow information.
Now, here we go...
How to Easily Enhance Your Password Security
What if there were a way to stay safe from scammers and crooks even if they steal your username and password?
Well, there is, at least for some of the key programs you use. All it requires is one simple extra safety step when you set up an online account, as long as the account provider will allow you to take it.
It comes with the technical-sounding name of "two-factor authentication," or multi-factor authentication. You may also hear it called two-step verification (which is what Google calls it).
But it's not technical at all.
As its name suggests, it's about requiring more than one way, more than just your password, to prove you are who you say you are -- to authenticate you as the genuine user.
It's been around for a while and comes in a number of guises.
Secret questions that you may have to answer in addition to providing your password, especially with online bank accounts these days, are the simplest example.
But they can be subject to potential weaknesses since crooks often know either how to guess the answer or where to find it.
In more sophisticated systems, some computers, particularly laptops, and more recently, tablets and smartphones, have the ability to check a fingerprint, a form of what is known as "biometric" security.
So, even if someone has your password, they won't have your fingerprint and won't be able to pass themselves off as you if they steal your device.
In other cases, you can get a USB stick that carries a unique code identifying you for unlocking a password manager, for instance.
That means you can use it on all manner of machines to access programs and accounts that use it -- rather than just confining it to a single machine like the fingerprint reader.
But even that has a drawback. You've got to remember to carry it with you and make sure you don't lose it.
So now, two-factor authentication is being simplified in hopes it will move into the mainstream of computer and password security.
When you set up accounts with many major email and web service providers, they may offer you the opportunity to get a unique one-off code number when you sign in.
So, after you enter your username and password, you'll be asked for the code number as well. But no one else will know it because it's generated precisely at the moment you need it.
And after you've used it once, it's useless, gone forever.
But how do you get that code just when you need it?
Simple. It's provided on your phone.
If you have a smartphone, you might have an app that generates it for you. Google Authenticator is perhaps the best known, but there are others.
Alternatively, the number can be instantly sent to you by SMS text or even phoned to you via an automated voice system.
However it arrives, you simply key it in after your password.
And how do you set up the code delivery for each account that uses two-factor authentication?
That's simple too. When you set up the account, the provider will tell you what to do.
For example, if you have an authenticator app, the account provider may show a barcode on your PC screen that you have to scan with the app. It links that specific smartphone and authenticator app with your account.
Alternatively, you may choose to have the code texted or phoned to you.
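For readers curious what the authenticator app and the provider are each doing behind the scenes: Google Authenticator implements the time-based one-time password scheme published as RFC 6238, and the Python example below reproduces it, including why a code is useless once it has been used. This is an added example, not code from Scambusters or any provider; the `Provider` class, its one-step clock-drift allowance and the sample secret (the RFC's published test key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: base32 form of the RFC 6238 test key "12345678901234567890".
# In real use this secret is what the barcode carries from the provider to the app.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the RFC 6238 code for the time window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)   # window number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Provider:
    """Hypothetical server side: same secret, same clock, one use per window."""

    def __init__(self, secret_b32, step=30):
        self.secret = secret_b32
        self.step = step
        self.last_used_window = -1    # highest window already accepted

    def verify(self, code, unix_time):
        window = int(unix_time) // self.step
        # Accept the current window and the one before it (clock drift).
        for w in (window, window - 1):
            if w <= self.last_used_window:
                continue              # already used: replay is rejected
            expected = totp(self.secret, w * self.step, self.step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_window = w
                return True
        return False


if __name__ == "__main__":
    provider = Provider(SECRET)
    code = totp(SECRET, 59)                       # what the phone displays
    print(code, provider.verify(code, 59))        # first use is accepted
    print(code, provider.verify(code, 59))        # same code again is refused
```

Nothing travels from the phone to the provider except the digits you type: both sides compute the code independently from the shared secret and the current time.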
The provider will also initially give you another security code that you can print out or store securely and use to switch off or reset two-factor authentication if you ever lose your phone.
So, here's a word of warning: If you lose your phone and also your separately stored recovery code, you may not be able to access your account again -- ever. So look after that recovery code.
You likely will also have a choice of whether you need to use the two-factor system every time you sign in to your account, or at regular intervals, or just once on your home PC.
This extra-strength password security system is already available with many programs and websites right now, so it's not just an offer to users when they sign up for an account.
You can usually convert your single-factor (password) security to multi-factor by signing in to your account -- Google, Microsoft and Apple for example -- and accessing the security settings.
If you don't know how to do this, simply Google it. For example, searching on "Apple two step verification" will take you straight to an explanatory page.
If you'd like to learn a little more about two-factor authentication, you might check out this explanation from our good friend Leo Notenboom on his "Ask Leo" site.
In the coming months and years, we're likely to see more and more organizations offering this advanced level of Internet security.
As companies increasingly face hack attacks and theft of customer account details, you should use every opportunity you get to use two-factor authentication for your password security.
Alert of the week
Watch out for a new phone scam purporting to come from Google.
The caller says your PC has been compromised and is being used to send out obscene and illicit information, but for $99 they'll put it right.
Not true, of course, and one of many phone scams using the Google name as a platform to trick you.
The fact is that Google doesn't make calls, either to tell you what's on your computer or to sell you anything (other than, perhaps, if you own a business, its advertising program, AdWords).
That's all for today -- we'll see you next week.