By now, most of the major online tools we use and the most popular sites we log into offer, if not require, two-factor authentication (2FA). There are several ways a two-factor system can be implemented but, essentially, it will always involve using something you know, like a password, plus something you have, like a mobile device, to verify twice that you are the account holder authorized to log in.
This second layer of authentication can make it nearly impossible for a hacker or cyber criminal to access your accounts. The extra step takes just a few additional seconds – a lot less time than dealing with a hacked account! If a site offers 2FA, even if it is not required, take advantage of it. Visit twofactorauth.org for a list of companies and websites offering this extra security. From the site, you can also contact major companies still not using 2FA to encourage them to do so.
Two-Factor Is Not Foolproof
Social Engineering Is Still a Threat Even with 2FA
While two-factor authentication can make it nearly impossible for someone to access your account, cyber criminals will still try. If users can be tricked into revealing the missing piece required for login, they will often just hand over the keys to unlock banking, social media, or other accounts.
Google was one of the first and most innovative companies to offer 2FA to users. If you have not already enabled 2FA on your Google or Gmail accounts, you should now. Given the popularity of Google tools, if you have not been using 2FA, you have probably been hacked, and you should change your password and then turn on 2FA.
But Google accounts, as a hub for much of our online activity, are also tempting targets for hackers. A social engineering scheme seen in recent months attempts to trick users into revealing the verification code. If someone tries to access your Gmail account, for instance, because they somehow know or guess your password, your 2FA will kick in. You would receive a verification code as if you were attempting to log in. Clever hackers are initiating the login with the password they know and then intercepting the verification code with a tricky message instructing the user to forward that code on to them. Now they have everything they need to log in to your account. You can see in the example shown that the trick is to make you think you are protecting the account.
Never forward or share your 2FA code with someone by text or any other means. This code is for your use only at the time of login. Google (or whatever tool or site you are using) generates and sends the code; they will never ask for it back.
Google has recently made 2FA even easier, bypassing the need to enter the verification code and making it possible to simply touch a button on your mobile device to confirm the validity of the login attempt. You can enable this new, simpler 2FA tool in Google settings (go to Sign in & Security > Signing in to Google > 2-Step Verification). Expect to see other sites adopting this more efficient process as well.
Your Mobile Device Becomes Even More Valuable
If there is a downside to 2FA, it is that your phone or mobile device just became more tempting to bad guys. You likely have your email landing on your phone along with apps pointing to your banking, social media, and other accounts. Where you have enabled 2FA, your texts are usually the key to accessing those online accounts. With access to your texts, someone could gain access to virtually everything else.