Monday, November 23, 2015

Do the Amazon 2-Step... Now!

   It's not a new song or a new dance...  Amazon has just announced 2-step, aka 2-factor or multi-factor, authentication for online logins!  It's overdue but I'm glad it's here.

   We've talked about 2-factor authentication in the past so I won't go deeply into it in this post.  The important take-away is that Amazon now offers this service and you should use it!

   Here's an overview article and here's a great step-by-step with screenshots.  I set this up for my account and it was really easy using my phone and Google Authenticator.  You can also use text messaging, or set up text messaging as a backup method.

   The main reason that 2-factor is good and important is that it prevents an attacker who has stolen your userid and password from logging in as you.  To get in, they would also need your smartphone (or whatever second factor you chose) in addition to the userid and password!
   After you log in with your userid and password, a site that supports 2-factor then asks you for a numerical code (typically 6 digits) that is either texted to you or generated by an app like Google Authenticator or Microsoft Authenticator.  That code is only good for a short time - an app code changes every 30 seconds - and a properly built site will accept each code only once, so a code the attacker captures is worthless a minute later.

   Since the attacker who steals your password probably doesn't also have your phone, this is a pretty good solution for many situations.

   It's not perfect.  Here are some of the problems with 2-factor:
  • it slows down the login process by adding an extra step
  • you need both your phone and the website to get at your information, which can be inconvenient
  • with more advanced techniques, attackers can come after the second factor too: a phishing page that relays your code in real time, or a SIM swap that redirects your text messages to the attacker's phone
   But, that said, it's the best we have for now, particularly for consumer websites with sensitive content, employee remote access, or administrator access to key systems.  Don't forget that 2-factor only protects the login step.  There are plenty of other ways for your data to get stolen!

   Let's talk a bit more about employee remote access.  With all the phishing attacks out there, attackers are trying to get employees' userids and passwords so they can log in to corporate systems.  Most companies have staff who either travel among sites or customer locations, or need to work from home (with an appropriate business case and permission, of course), and most companies offer some kind of remote access to facilitate this.  If the remote access authentication process uses userid and password only, an attacker can use phished credentials to log in as the employee.  That would be bad.  The addition of 2-factor authentication makes this attack much more difficult to pull off because the attacker would also need to compromise whatever method is used for the second factor.  It's not a perfect solution, but it's very good.

   So read the Gizmodo page and set up your Amazon 2-step!  Also, here are some articles on how to set up 2-factor on other popular sites like Facebook and PayPal.

   Have you used 2-factor before?  Do you like it or do you find it inconvenient?  Do you think it is a good way to protect your personal data?  Would you be in favor of us adding 2-factor auth for remote access at Fairview?
