Tuesday, November 13, 2012

Tech Column: That 2-Step Verification Thing


by Bill Adler

What is it about the ATM PIN that's made it survive all these decades? Why haven't banks, so obsessed with security, replaced the PIN security system with something better? (And it's a 4-digit PIN at that!)

The reason is that the PIN system is very secure: To get cash out of your account from an ATM, you need both something you know, your PIN, and something you have, your ATM card. Neither alone will do the job.

That's the theory behind two-step verification on the Internet: Your password (your PIN) alone won't get you access to your email or other online services. You need something else, and that something else is your smartphone, or a set of pre-printed codes, or your home telephone. These are all things that a hacker who has guessed or stolen your password doesn't have.

Once you have turned on two-step verification (also called two-factor authentication), to access an account online you need your regular password, plus a one-time code that's generated by a smartphone app, sent to you as a text message, or read to you by a robot over the phone. Most services let you mark a computer you use regularly as trusted, so you only have to enter a code the first time you sign in from it; on a computer you haven't marked as trusted, you'll be asked for a code each time.

Google, Lastpass, Dropbox, Facebook and other services offer two-step verification. My advice: Turn it on. If you need any convincing, listen to the words of Mat Honan, a writer for Wired Magazine:

"In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

"In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it's possible that none of this would have happened."

There's a small learning curve involved with setting up and using two-step verification. Each service that offers two-step verification has a slightly different twist to how it's deployed.

* To set up two-step verification with Gmail start here: http://bit.ly/RsSs4c.

* For Dropbox visit https://www.dropbox.com/help/363/en

* For Facebook click here: http://on.fb.me/VRMmyQ.

* PayPal has it, too: http://bit.ly/S9FypR.

* You can read about Yahoo's two-step verification here: http://yhoo.it/TSFAq8.

One of the cool things about two-step verification is that many services use the same app by Google, Google Authenticator, to generate one-time codes, including Gmail, Lastpass, Dropbox, Wordpress, and Amazon Web Services. (This is not the same as having the same password for each of these accounts; rather, they all use the same open-source application to create the second key. Each service gives the app its own secret when you set it up, so the code for Dropbox is different from the code for Gmail.) The codes aren't random: each one is computed from that secret and the current time, which is why a new code appears every 30 seconds and an old one stops working. That short lifetime is what makes a code that's been seen or used once worthless to anyone else afterward, though it also means you should only ever type a code into the real site, never into an email or a page somebody sent you a link to.
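To show what "computed from the secret and the current time" actually means, here is a small implementation of the time-based one-time password algorithm (RFC 6238, built on RFC 4226) that Google Authenticator and the services above use. This is an added example for this column, not code from Google or from any of the services named; it uses the RFC's published test key as a constructed demo secret, and the server-side checker (`TotpVerifier`, a name chosen here) shows the two things a practitioner cares about that the paragraph doesn't spell out: tolerating a little clock drift between phone and server, and refusing to accept the same code twice inside its 30-second window.

```python
import base64
import hashlib
import hmac
import struct
import time


# Constructed demo secret: the reference key "12345678901234567890" from
# RFC 4226 / RFC 6238, base32-encoded the way a Google Authenticator setup
# QR code carries it. A real service generates a fresh random secret per
# account at enrollment, which is why codes differ from service to service.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' down to a short decimal code."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    Every `step` seconds the counter ticks over and the code changes."""
    return hotp(secret_b32, unix_time // step, digits)


def current_code(secret_b32: str) -> str:
    """What the phone app shows right now (the only place wall-clock time is read)."""
    return totp(secret_b32, int(time.time()))


class TotpVerifier:
    """Server side of the check (hypothetical helper written for this example).

    Accepts the code for the current step or one step either side, because
    the phone's clock and the server's clock drift, and never accepts a time
    step that has already been consumed, so a code that was captured and
    replayed inside its 30-second window is rejected.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already used for a login

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject anything that is not exactly `digits` ASCII digits up front.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        accepted = None
        for k in range(-self.window, self.window + 1):
            counter = current + k
            if counter < 0 or counter <= self.last_counter:
                continue  # before the epoch, or a step already consumed (replay)
            expected = hotp(self.secret_b32, counter, self.digits)
            # Constant-time compare so timing does not leak which digits matched;
            # keep looping over all candidates rather than returning early.
            if hmac.compare_digest(expected, submitted) and accepted is None:
                accepted = counter
        if accepted is None:
            return False
        self.last_counter = accepted
        return True


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 6-digit SHA-1 code is 287082.
    print(totp(DEMO_SECRET_B32, 59))
    server = TotpVerifier(DEMO_SECRET_B32)
    print(server.verify("287082", 59))  # fresh code: accepted
    print(server.verify("287082", 59))  # same step again: rejected as a replay
```

Point the phone app at `DEMO_SECRET_B32` (or any base32 secret you generate) and `current_code()` will match what the app displays, as long as both clocks are roughly right; the `window` of one step either side is the usual allowance for drift, and widening it beyond that makes a captured code useful for longer.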

This article gives a good step-by-step set of directions on setting up two-step verification with Gmail: http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html.

How does two-step verification work in practice? When you want to log on to Gmail from a new computer, enter your username and password, just as you normally would. You'll see a second prompt to enter your verification code. To get that code, open your smartphone app, or pull out a one-time-use pre-printed code from your wallet, or wait for a text or call and enter the code you're given.

If your smartphone is stolen you'll probably know it quickly, but even so, without your password your phone alone won't grant the thief access to your account, just as losing your bank card won't automatically make it possible to access your account through an ATM. (Keep a lock code on the phone itself, so the thief can't read the codes off the screen or use an email app that's already signed in.)

Sometimes you will find two-step verification an annoyance, but so is locking your car or apartment door.

Right about now you're possibly thinking, "Nah, this won't happen to me." All I can say is 1) If it happened to a very tech-savvy guy, it could happen to you; 2) Every single week two or three Cleveland Park Listserv members' accounts are hijacked. We know because we see the resulting mess; 3) As you think about items #1 and #2, ask yourself how you'd feel if somebody read or deleted all of your email, files, or Facebook data.

Now what? If you don't turn on two-step verification, then one day you may be very sad. So turn it on. Two-step verification is the single best thing you can do, and the one thing you should do, to keep your accounts secure.

---

Bill Adler is the co-publisher of the Cleveland Park Listserv, www.cleveland-park.com. He is the author of "Boys and Their Toys: Understanding Men by Understanding Their Relationship with Gadgets," http://amzn.to/rspOft. He tweets at @billadler.
