Passwords and security (part three)

I’ve got nothing against country dancing.

Over the past couple of months, I looked at why it’s important to use a different password on every website and why a long one is better than a short one. I’ve also mentioned the importance of keeping contact information up to date, to make it easier to reset passwords when something goes wrong.

Now let’s look at an example of why this is a good idea, with a true story. There’s a chap in Canada with almost the same name as me, who regularly forgets to include his middle initial in his Gmail address when he signs up for things on the internet. I could tell you the gym he uses, his car and when it needs servicing, and the fact that he goes country dancing regularly. I know this because he’s signed me up for all their mailing lists.

For most of them, clicking unsubscribe has done the trick, but the country dancing mailing list has been a tougher challenge. Despite the fact that the Gmail account in question has my address, my credit card details and my date of birth (and has done for more than ten years), they’ve refused to remove me from the list “because I’m somehow accessing his email”.

The other night I was sitting in front of the TV when my phone pinged with a message from Google: “Is it you trying to change your password from Pleasantville, Canada?” Tap ‘No’ and back to a gripping Scandi detective drama.

Ping. “Is it you trying to change your password from Pleasantville, Canada?” Tap ‘No’ and back to…

“Is it you trying to change your password from Pleasantville, Canada?” Tap ‘No’ and go to make a cup of tea.

And that is a perfect example of why it’s important to keep contact details up to date, and it’s a perfect example of something very simple with a grandiose geek name: dual-factor authentication, sometimes abbreviated to 2FA.

Put simply, 2FA adds an extra hurdle for someone trying (legitimately or otherwise) to access your account. Something you know – like a password or your mother’s maiden name – can sadly be stolen quite easily in this day and age, particularly if you use the same password in different places. So 2FA adds something you have or something you are, like a phone or a tablet or a fingerprint.

It can be as simple as the example above: log in from a new device and the website sends a message with either a number to type in or a button to press, to confirm that whoever is trying to log in not only knows your password but also has your phone. This is something you’ll already be experiencing more often when shopping, as banks are already using ‘Secure Customer Authentication’ to confirm that purchases are genuine.

On the one hand, this is another obstacle to doing what you want to do quickly and easily. On the other hand so are seatbelts, and the millions of people worldwide who wouldn’t otherwise still be here probably don’t regret losing two seconds every time they set off on a journey.

At the moment only about 5 per cent of online account holders have enabled 2FA, but a recent statistic released by Microsoft might show why it’s a good idea: of the over one million Microsoft accounts hacked last year, 99.6% weren’t using 2FA. If 2FA made no difference, about 5 per cent of that million, 50,000 accounts, should have had it switched on; in fact only 4,000 of them (the remaining 0.4%) did.

For most people, setting up 2FA is as simple as giving the service you’re logging on to your mobile phone number (it tends to be a mobile number because they can’t text a code to a landline). It’s also possible to install an app on a phone to generate a code to prove you’re genuine even if you’re logging on from a place with poor mobile signal (like, oh, I don’t know, Heacham). I use the Google Authenticator app but others are available.
