Most of our security is provided in the forms of username/password pairs and pin numbers, depending on the resource. For example, our ATM cards are secured by a 4-digit PIN, and most of our on-line accounts are secured by username/password pairs. It’s reasonable and simple security and for most of us, it works fine. However, all too often someone gets to say that “someone found out my password” or “so-and-so knew my password and now has hacked my account” etc. Its an unfortunate shortcoming a single-factor authentication system.
What is an authentication factor?
An authentication “factor” is something you use to gain access to a website or other resource. It can be something you know (a username/password combination, a pin number, a challenge/response sequence), something you have (a key or key-card), or something you are (a photograph, fingerprint, etc). Those are each considered a single “factor” in themselves.
For those of us who have had a security breach of one sort or another, it can be hard to rely on single-factor authentication for our private accounts. For those of us who are more security-minded, we might look to a two-factor authentication method from the start to make sure our accounts are secure from the start.
What is “Two-Factor Authentication”?
Two-factor authentication combines two of the above factors to increase the security of a resource. For example, a security door to a server room may require both a keycard and a pin number. Other two-factor authentication methods involve one-time passwords, or a random number generated by a key fob held by the person.
Yubico offers a simple USB key (a “Yubikey”) that is inserted into a USB port. The Yubikey emulates a USB keyboard so it is cross-platform and cross-browser compatible. It is operated simply by touching it’s button so there’s no pin numbers to enter. The generated one-time passwords are “typed” by the key and checked against the Yubico service. Compatible sites and services include WordPress.org blogs (via plug-in), Drupal sites (via plug-in), the Yubico OpenID service, and LastPass password manager service. There’s likely more sites, as I wasn’t able to find a central listing. Developer services include Web APIs, OAUTH, SAML, and personalization tools. (See the Yubico Developers Intro for information).
Verisign offers a key fob, credit card sized devices, and a mobile application which generate random numbers that have to be entered during the sign-in process. Participating sites include eBay, Paypal, AOL, name.com, Geico, just to name a few.
I personally own one of each, as well as the Aladdin eToken PASS that my employer requires — I find that I use the Yubikey gets much more use, likely due to the fact that I don’t have to key in a pin number. I also appreciate the open-source nature of the plug-in and APIs, which also encourage more sites and services to adopt the device.
I would encourage you to consider any type of two-factor system and give yourself a chance to have an extra layer of peace of mind when accessing your on-line accounts.
One last thought: If you enable one of these security options on an on-line account, it is still possible to access even if you lose the key. The process usually involves telling the service that you’ve lost the fob during the log-in process, then confirming via an email that they send you. It’s not possible for someone to arbitrarily remove the second factor without having access to your email as well. Of course, if you use the same password at every site as most people do, that completely defeats the purpose of having a two-factor system set up. Do yourself a favor and at least use a different password at each site you use.
Have you had an account “hacked” that used just a username and password? Do you use a two-factor system or are you considering one? Please share your thoughts and opinions in the comments below.