I recently assisted a client when they were the victim of a phishing attack. While my client was the target of the attack, the victims were also her closest friends and family. While the world seems to be coming together to support each other in a global pandemic, we are reminded that malicious people never rest and are always looking to take advantage of the kindness and trust we show to one another. While I won’t go into the details of this attack, I will share information below on how I have implemented the necessary steps to further secure my accounts using two-factor authentication and an authenticator app.
When I was a beginner in my technology classes, I was taught that knowing who the user is would be an ever more complex problem in the digital age. Any organization/product owner will tell you that balancing security with convenience is a constant consideration. As threats continue to become more sophisticated, we (the average users) are faced with more and more “Verify your identity” scenarios. These days, a password – no matter how many special characters it has – will not be good enough, especially when it comes to phishing attacks.
First off, for those that aren’t aware, a phishing attack is typically an email-based attack where a malicious user has sent an email that imitates a genuine organization, but prompts the victim(s) to “verify their account information” by going to a website and logging in or providing an account number. Think of it as a criminal knocking on your door in a homemade Comcast uniform asking for your home Wi-Fi password.
Previously, these attacks were more easily detectable – spelling errors, incorrect names or email addresses, and bad grammar. But they are more sophisticated these days and not so easily detected. Companies have implemented some controls on their side – like notifying you if they detect a login from a new computer. But these do not prevent the attack; they only detect it and respond afterwards. If you are a victim of the attack, you’ve now supplied the attacker with your username and password – every complex character. The attack could already be over and the damage done by the time you notice something has happened.
So what can we do?
Two-factor authentication is just what it sounds like – it asks you for two pieces of information to verify you are who you say you are:
- Something you know – like the password.
- Something that only you could provide and changes with every login – like an SMS code. This code is delivered to your cell phone – since it’s a device only you would have.
If these 2 factors match up with the account username, then you are allowed in. Yes, it will require you to have your cell phone with you whenever you login to these websites, but that minor inconvenience will help prevent you from becoming a phishing casualty. There are 2 methods of two-factor authentication I have implemented:
Authy Authenticator Mobile App
There are a few authenticator mobile apps available on the market today, but I have selected Authy. First off, it’s free. And I don’t mean it’s free because of ads, it’s really free to use. I think that’s an important feature if we want more people to start adopting secure practices. Secondly, it’s available on multiple devices. There may be times where I don’t have my personal cell phone and I need access, so it’s helpful to be able to access information using a desktop application. Finally, it’s supported on iOS and Android. While I’m an iOS guy today, I may want to be an Android guy in the future.
Some sites do not yet support authenticator apps, but they do support 2-factor authentication using a text code. This is a good baseline, as well as a backup plan.
Step 1: Download & Install the App
The Authy App is available on the Google Play and Apple App Store. You will need your store credentials to download the app. After installation, the app will walk you through getting registered, and you’re ready to start using it.
Step 2: Turn on 2-Factor Authentication
You’ll need to do this for each online account. You would be surprised how many already support this, but we haven’t been using it. Authy does a great job of providing step-by-step instructions on how to enable 2-factor authentication for these major players. I enabled 2-factor authentication for the following accounts in under an hour:
- Google & Gmail
Note: Some of these services provided the SMS text code as a backup option, but others did not support it and only provided recovery keys. If you receive any recovery keys, print them out and store them somewhere safe in case you have trouble using the authenticator app.
Want to learn more?
Here’s some more information about multi-factor authentication: