Earlier this month, Evernote, a very handy web application, was hacked, forcing them to have all their users reset their passwords. This is far from the first time I’ve found myself in this situation. Currently, I have about eighty sites that have passwords. Managing them can be challenging. Some sites, like GMail, are holding fairly critical data for me, so reducing the risk is important.
Fortunately, two-factor authentication is becoming more common. The notion is that, to access an account, you need two things: something you know and something you have. You already use this at an ATM: you swipe your card (something you have), then type in your PIN (something you know).
For enterprise environments, RSA makes a key fob that generates numbers based on an algorithm. The server knows how the algorithm is seeded for each key, so it “knows” what number is displayed at a given moment. To get into a system that uses it, you need to type the number on the fob (something you have), along with a PIN that only you know (something you know). However, getting consumers using free cloud services to buy RSA fobs seems unlikely.
Fortunately, most of us already carry something that can serve a similar function: a cell phone. More and more web services are offering two-factor authentication by sending a text message. Typing in the number from the text message along with your password achieves a similar level of security. This could be used to gate access to your account from unauthorized computers (such as a shared computer at the library), to validate password resets, or for other critical security activities. The advantage is that, even if your password is stolen, the thief would not be able to use it to gain access to your data, since they would also need your phone to validate the request.
Many common sites have started to offer some level of two-factor authentication:
- Apple ID, such as iTunes, iCloud, etc.
- Google Account, including GMail
- Microsoft Account, including their mail products (Hotmail, Live Mail, and Outlook.com), SkyDrive, and Xbox Live
- Yahoo! Mail
Links go to instructions for setting it up.
I would not be surprised if other sites start to roll it out as well. I would encourage you to start to enable it on sites you use that offer it. It may save your data!