Skip to content

OPLIN 4Cast #609: Passwords are not enough. The time for 2FA is now

Posted in 4cast, and Security

A couple of months ago, I got an online subscription to WIRED magazine. As a thank-you gift, I was sent a YubiKey.  When I received it, I really had no idea what it was: it looked much like a flattened USB drive. When I realized that it was a form of hardware two-factor authentication (2FA), I happily proceeded to set up and configure my account. I even ordered myself another one, as a spare I can carry around.

I’m a huge fan of 2FA. It’s turned on for pretty much everything I can do online, where it has been possible to do so. If you’re reading this, and you haven’t done this…well, this is one of those things for which you’ll kick yourself later. Two-factor authentication simply means that, beyond providing login credentials (like a username and password), there’s a second step required to log into a site or service. Ideally, this second step is providing a code from an app like Google Authenticator or activating a hardware 2FA key like my Yubikey.  Some online services still use a SMS message as a second step (I’m looking at you, Paypal!), which is not really a good idea, as you’ll see below.  You don’t have to buy a Yubikey. Keep in mind that you may have to do a little googling to find out how to set 2FA up for each site or service.

  • Password breach teaches Reddit that, yes, phone-based 2FA is that bad [Ars Technica] “A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.”
  • Even many tech-savvy people not using two-factor authentication, finds university [9to5Mac] “What they found was that while these students understood technology, they didn’t understand why they needed to take this cybersecurity precaution. ‘There was a tremendous sense of confidence,’ Camp said. ‘We got a lot of, ‘My password is great. My password is plenty long enough.”
  • Fortnite motivates players to turn on 2FA with a funky new emote [The Next Web] “The Fortnite team today announced it’d be offering a “Boogie Down” emote to those of its consumers who enabled two-factor authentication on their accounts. This creative way of incentivizing security might help motivate some younger fans who don’t yet fully understand how to protect themselves online.”
  • Instagram hacks raise questions about its 2FA security [Mashable] “Instagram lets users secure their accounts with two-factor authentication, but it currently relies on text messages, which aren’t as secure as app-based authentication methods.”

From the Ohio Web Library: