More websites and business organizations are requiring two-step authentication for access as a way to increase security. Security experts say requiring a second step is highly effective at blocking intrusions, just as adding a deadbolt lock to a door is more likely to deter burglars.
Even though hackers have recently set their sights on large organizations, that doesn’t mean consumers are in the clear. Scammers are still looking for ways to take over people’s online accounts.
If your account is only protected by a username and password, you could be vulnerable, says Dominic Chorafakis, a cybersecurity expert at Akouto. Millions of usernames and passwords have been stolen in massive data breaches, so a hacker can easily access the account by purchasing the username and password on the dark web.
The hacker’s task gets more difficult when the consumer is employing two-factor authentication. Chorafakis calls this the “something you know” authentication method.
“Two-factor authentication requires two different types of information to be used by the authentication process, something-you-know and something-you-have,” Chorafakis told ConsumerAffairs. “The something-you-know factor is usually the familiar username and password combination. The something-you-have factor can be many different things, the most common being your mobile phone.”
After you enter the username and password, a one-time code is sent via text to the mobile number registered with the account. Even if a hacker has your username and password, they can’t access the account because they don’t have your smartphone. It’s a way to significantly increase security, but it isn’t foolproof.
“Unfortunately, hackers have found ways around this,” Chorafakis said. “One of the most common techniques is to trick people into installing mobile apps disguised as games that are actually malware able to steal login information including one-time-passwords. If you unknowingly install one of these malicious apps and then use your mobile phone to log into a service, hackers can get all the information they need to take over your account.”
Security keys offer more protection
The point is to be very careful and selective about the apps you install on your smartphone, even if they appear to be legitimate. To add an even higher level of security, some people are using hardware security keys instead of their smartphones.
“These are physical USB sticks that plug into your computer and act as the second factor of something-you-have,” Chorafakis said. “You can think of them as physical keys that you need to insert into a lock, in addition to providing your username and password, to gain access to your accounts.”
Many large tech companies have made these hardware keys a routine part of security. Chorafakis says companies that have taken this additional step for their employee logins have virtually eliminated account breaches caused by password theft.