How much are your private communications worth? How about your reputation? Your bank account? Your identity?
These days, unless you go to extraordinary lengths, nearly every piece of your personal and professional life goes through a cloud service. The risk of having important cloud credentials compromised is too great to rely on protecting them with nothing more than a password.
An attacker who can get access to an important cloud service, especially e-mail, can commit espionage or sabotage, or he can just wreak havoc.
The solution is to turn on two-factor authentication (2FA) for every crucial cloud service you use, especially those that are tied to business accounts.
With 2FA enabled for a cloud service, any attempt to sign in on an unrecognized device requires that you enter a secret code, received as a text message or generated by an authenticator app on your previously registered smartphone. You can choose from multiple authenticator apps, which all follow an open standard for generating time-based one-time passwords.
To begin using 2FA, you have to enable the feature on the service you want to protect. Then you have to associate your account with a trusted device. You can do that by adding a mobile phone number to your account, receiving a one-time password from the service using a text message, and then entering that code at the website to confirm that the device is yours and can be trusted.
For many (but not all) services that offer 2FA, you can also use an authenticator app, which pairs your device (typically a smartphone) with a web service. The setup usually requires scanning a barcode (after signing into your account, of course) or entering a lengthy encryption key.
I prefer using an authenticator app to avoid situations where I have network access but can't receive a text message because of a poor cellular signal. In fact, I have multiple authenticator apps on my smartphone, all neatly organized into their own folder.
With that setup out of the way, here's how 2FA protection works:
Step 1: After you enter your username and password correctly, the web service prompts you for additional proof of your identity.
This screenshot is from Gmail, but other services use similar prompts.
Because you are signing in on a device that has not previously been used with the service, you're required to provide additional proof in the form of a code.
If you're a thief using stolen or phished credentials, you're out of luck at this point, because you have no way of retrieving that code. But you have no such problem establishing that this is a legitimate sign-in. You whip out your smartphone.
Step 2. Receive a 2FA code via text message, or open your smartphone app to view the current code.
Each code is generated based on the shared secret and the current time, and it's only good for a brief interval (usually long enough to account for any normal delay in receiving text messages, but no more than a few minutes). Because you have the trusted device in hand, you are able to respond to the challenge immediately.
Step 3. You're in!
Depending on the service, entering a code might automatically establish the current device as trusted, or you might be given the option to trust the current device. If this is your new computer or tablet (or a new browser), and you have this option you should say yes.
When you're signing in on a device you don't control, you shouldn't allow it on your trusted list. One way to make sure that the device isn't marked as trusted is to use a browser in private mode (aka incognito in Chrome).
If a bad guy manages to steal your credentials for an account that's protected by 2FA, he's unable to do any damage. Because he is signing in on an unrecognized device, he's required to provide a second form of authentication. Without access to your trusted device, he can't authenticate himself and can't go any further.
Yes, 2FA increases the hassle factor slightly. But the inconvenience is minor, especially compared with the amount of time and energy you'll need to expend if you have to recover from a serious hack. And the assurance that your secrets will remain safe even in the event of a password breach is worth a few seconds of extra verification.
In the second part of this series, I'll show how to enable two-factor authentication in some of the most widely used cloud services.