
Two-step verification

June 30, 2024

We recently described what passwords are and how login works. Now it’s time to add another layer of protection in the form of two-step verification. Sound threatening? Rest assured, everything will be clear soon 😊.

What is two-step verification?

Two-factor authentication (2FA) adds a second confirmation that you really are you.

“But isn’t the password enough?” Well, no 🤪. If someone has learned your password and you don’t have two-step verification, they have immediate access to your account. That is why it is so important. Today, attempts are being made to enforce it (which, as an aside, is a good practice), but unfortunately not all sites provide it.

Types of two-step verification

What 2FA options do we have? Which are good, and which are more or less “safe”?

Verification by E-Mail

One of the most popular verifications. We receive a code by e-mail and type it into the site. Is it secure? It is exactly as secure as our e-mail. If we don’t have a well-secured mailbox and someone else gets access to it, then there is nothing left to save ….

Verification by SMS

The next classic verification. Most often offered by banks and other more serious sites. The security of such verification is, in my view, quite mixed. Let me give an example. I live in a boarding house with my friends. One of them has a problem with me and wants to play a prank on me by accessing my social network account and writing that I am stupid. He once guessed the password, but he still needs the code from the phone. Night comes, I’m already asleep, and he walks over to my phone and sees the code from the SMS on the locked screen (which is the default on most phones). Besides, there are ways to intercept messages, because SMS communication itself is quite obsolete. Also, the SIM card can be cloned …

Verification Codes (Code Cards)

Prehistoric, but still possible to come across 😂. It works on the principle of scratch cards. The page tells us to enter code #2, and we scratch it off to reveal a number to enter on the page. Yep … I don’t think I need to write about security here 🫣 ….

Verification by apps

Examples include Google or Apple. When logging into an account, you get a notification from the app or system that someone is trying to log in. There are several variants: tapping the matching number, tapping the “yes, it’s me” button, or displaying a code to be transcribed. Certainly a better option than SMS. Nevertheless, the question remains: how long does such a notification stay active? We wouldn’t want a situation where, while watching YouTube, a login notification pops up exactly where the video was supposed to be, and the moment we tap, the unfortunate “yes, it’s me” button is what we hit. Besides, this method is only as safe as our phone is: viruses, attacks, etc.

Verification codes (RSA)

We used to use RSA tokens. A small USB-stick-sized device that generated a string of digits for us to enter on the login page. Of course, the codes changed every set period of time. Today, as far as I know, this is not used very often, because such a solution was not very secure, so to speak … As you can probably guess, it was enough to get hold of such a device and you could easily read off the code to be entered.

Verification codes (authorization apps)

A quite popular solution today is similar to the above, only it lives in an application on the phone. This is already a better option, because the applications that store our frequently renewed codes usually have additional security in the form of a biometric scan (fingerprint or face scan). We copy the code and log in to the website or application. Here, however, it is still only as secure as our device, which can be vulnerable to attacks, viruses, etc.

FIDO (U2F)

All the methods described above share one major vulnerability: our own stupidity and gullibility. For example, how are elderly people scammed today? Someone calls an elderly lady from a withheld number and claims to be a bank employee. He asks for all her data, and the lady, because she knows nothing about how it works, trustingly hands everything over to the nice gentleman on the phone ….
Fortunately, the FIDO key was created. It is a simple device that serves as our “personal ID in the digital world”.

The principle is very simple. If there are lines above the “y” symbol on the key, it means you are dealing with a key equipped with NFC (wireless proximity communication), so you can also use it to log in on your phone. After entering your password, a notification pops up asking you to insert the key (or hold it close, if both your phone/computer and the key have NFC) and press the yellow circle. And that’s it 😍. Such a key is “smart” enough to recognize whether we are on the official site where we registered it or on a site crafted by a scammer.

Even if a prompt pops up asking us to verify ourselves with the key, we have nothing to worry about: the key checks everything for us, and if it detects that something is wrong, it won’t let us through any further. An ideal gift for the elderly (and not only). Why? Imagine that a scammer calls, grandma has already given away her data, but then a notification about the key pops up for the scammer. The scammer then knows that there is nothing to be done in this situation. At most, wait for a parcel with the key, with no idea when it will arrive. And the funniest thing is how a scammer from Russia tries to explain why grandma should send the key there 😂. When buying such a key, it is worth buying two: one as a spare in case of loss, and the other to carry with us at all times.
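To make the “smart enough to recognize the site” point concrete, here is an added model (not code from this post, and much simplified: the signature step is omitted) of how a FIDO key binds each credential to the site’s identifier (the RP ID) that the browser, not the user, reports; the domains and challenge values are constructed:

```python
import hashlib
import json
import secrets

# Constructed demo hosts: the genuine site and a look-alike a scammer might set up.
GENUINE_RP_ID, GENUINE_ORIGIN = "bank.example", "https://bank.example"
PHISHING_RP_ID, PHISHING_ORIGIN = "bank-login.example", "https://bank-login.example"


class SecurityKey:
    """Model of a FIDO key: one credential per RP ID, never usable for any other RP ID."""

    def __init__(self):
        self._credentials = {}  # rp_id -> credential id issued at registration

    def register(self, rp_id: str) -> bytes:
        cred_id = secrets.token_bytes(16)
        self._credentials[rp_id] = cred_id
        return cred_id

    def assert_login(self, rp_id: str, origin: str, challenge: bytes):
        # rp_id/origin come from the page the browser is really showing; the user cannot
        # type them in, so a look-alike domain never maps onto the genuine credential.
        if rp_id not in self._credentials:
            return None  # the key stays silent: nothing for the scammer to relay
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}).encode()
        return {"credential_id": self._credentials[rp_id],
                "rp_id_hash": hashlib.sha256(rp_id.encode()).digest(),
                "client_data": client_data}


def relying_party_accepts(assertion, rp_id, origin, challenge, known_cred_id) -> bool:
    """Server-side checks: the response must come from the credential we issued and carry
    our RP ID hash, our exact origin and the one-time challenge we sent for this login."""
    if assertion is None or assertion["credential_id"] != known_cred_id:
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    cd = json.loads(assertion["client_data"])
    return cd["origin"] == origin and cd["challenge"] == challenge.hex()


def demo():
    key = SecurityKey()
    cred_id = key.register(GENUINE_RP_ID)
    challenge = secrets.token_bytes(32)
    # Genuine site: browser reports the real RP ID and origin, and the key answers.
    genuine = key.assert_login(GENUINE_RP_ID, GENUINE_ORIGIN, challenge)
    ok = relying_party_accepts(genuine, GENUINE_RP_ID, GENUINE_ORIGIN, challenge, cred_id)
    # Look-alike site: browser reports the phishing RP ID; the key has nothing for it.
    phished = key.assert_login(PHISHING_RP_ID, PHISHING_ORIGIN, challenge)
    return ok, phished
```

Running `demo()` returns `(True, None)`: the genuine login is accepted, while on the look-alike site the key produces nothing at all, which is exactly the dead end the scammer on the phone runs into.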

Biometrics

Well known to us from mobile devices. Currently, it is in a way the standard for phone security. A biometric scan (fingerprint, face scan, or less frequently voice verification, eye scan, etc.) is performed for verification. This method is as secure as the device used. Some old-school devices worked on a simple principle where it was enough to obtain, for example, a fingerprint and make a cast; it was not checked whether the finger was living or dead tissue. Another example was the first generations of fingerprint scanners, where a small clip attached to the reader was enough. Verification was done directly on the fingerprint reader itself, which was not very good practice. As of today, biometrics is at a relatively good level.

Summary

In summary, two-step verification is our next safeguard. It’s worth checking whether the sites you use have such an option hidden in the settings. If you are not sure, you can check on the Internet by searching for “website/application name two-step verification” -> for example “Google two-step verification”. If you don’t have it enabled yet, it’s a good idea to turn it on.

The question of which 2FA method you choose is left up to you.

Don’t forget to secure your e-mail this way too. After all, with access to your mailbox, a scammer can always click “I forgot my password” on your other accounts 😏.