Plug The Security Holes In Your Two-Factor Authentication

On Tuesday, Techcrunch writer John Biggs had his phone number stolen by a hacker who gained control of Biggs' T-Mobile SIM card, granting him access to Biggs' phone number used to verify his identity. Biggs correctly employed SMS-based two-factor authentication on his accounts, but forgot to add extra security layers to his wireless carrier account. His attacker proceeded to lock him out of his accounts and attempt to demand ransom in bitcoin.

Image credit: MIKI Yoshihito/Flickr

Biggs was eventually able to recover his accounts and regain control over his phone number, but you can turn his evening of headaches and password resetting into a teachable moment for yourself, and learn how to stop a similar incident from happening to you.

Put a PIN in Your Phone Account

The easiest way to make sure no one can seize control of your phone's wireless account is by adding a security PIN or passcode. It's as simple as calling your phone carrier and asking to enable PIN protection (it's free), or logging into your online account and visiting your security settings.

Ask LH: What Happens If I Use Two-Factor Authentication And Lose My Phone?

Dear Lifehacker, My work wants me to enable two-factor authentication on my phone, but it seems risky. What happens if I lose my phone? Will I lose my entire account? And if I change phones, how do I move the authenticator to a new device?

Read more

This isn't the same PIN you might use to unlock your smartphone, but a number or passcode you'll need to enter or say whenever you're dealing with your carrier. If you're on the line with a customer support representative, you won't be able to make any changes to your account without providing a PIN or passcode. You can set up your PIN by calling your carrier or visiting a retail store with valid identification.

Don't remember the PIN? Carriers will typically let you reset your PIN either over the phone or online, or you could walk into a retail store with valid identification and update your PIN that way. When it comes to the PIN itself, be sure to avoid simple ones like "1234" or a PIN related to your birthday, as these can probably be guessed by hackers snooping around your social media profiles looking for identifiable information.

Use Better Two-Factor Authentication Services

SMS-based authentication, used to verify your identity by texting you a random passcode needed to access your account, is a good start to a more secure digital life, but you'll have to step it up a notch if you want to make sure there are no security holes. As a rule, it should only be used when no other two-factor authentication process is available.

Keep in mind your phone may not be the only device receiving that authentication message, especially if your messages are synced between multiple devices, such as your tablet or computer. They could be sent to other online messaging services such as Google Voice or Skype, services that can be accessed from places besides your smartphone. It's also susceptible, as Briggs discovered, to carrier-based SIM card transfers if the proper security protocols aren't in place.

Google's One Tap Two-Factor Authentication Will Show Info On Who's Logging In

Google's one tap form of two-factor authentication is handy because you don't need to enter a code. However, it offers very little information about who's trying to log in. Now, Google will add location and time info to the login attempt.

Read more

Two-factor authentication apps such as Authy or Google Authenticator are much more secure, and don't involve email addresses or text messages, granting attackers fewer entry points. Setup is a bit more involved than entering a number sent to your phone, and requires you to have your authentication device, whether it's a smartphone or tablet, in hand while you enter the periodically randomised string of numbers.

Employ a Password Manager

Don't think that adding more layers of security means you'll have to remember every new PIN, password or other secret code. While you're setting up additional security checkpoints, enter the information in the password manager of your choice. You can use it to store backup codes, customer support numbers, or a carrier-exclusive email address, ensuring it both stays far from snooping hackers and accessible only to you.

Keep Your One-Time Codes Handy

Setting up two-factor authentication apps such as Google Authenticator usually involves saving a backup passcode in the event your phone is missing or stolen. Google suggests you print them out and store them in a secure location. You can keep them in a folder tucked away in your home somewhere, or inside your password manager for easy access. No matter what, having a backup plan in case your original backup plan goes down is a great method of keeping yourself secure and your identity safe from malicious individuals.


Comments

Be the first to comment on this story!