Plug The Security Holes In Your Two-Factor Authentication
On Tuesday, Techcrunch writer John Biggs
had his phone number stolen by a hacker
who gained control of Biggs' T-Mobile SIM card, granting him access to Biggs' phone number used to verify his identity. Biggs correctly employed SMS-based two-factor authentication on his accounts, but forgot to add extra
Biggs was eventually able to recover his accounts and regain control over his phone number, but you can turn his evening of headaches and password resetting into a teachable moment for yourself, and learn how to stop a similar incident from happening to you.
Put a PIN in Your Phone Account
The easiest way to make sure no one can seize control of your phone's wireless account is by adding a security PIN or passcode. It's as simple as calling your phone carrier and asking to enable PIN protection (it's free), or logging into your online account and visiting your security settings.
This isn't the same PIN you might use to unlock your smartphone, but a number or passcode you'll need to enter or say whenever you're dealing with your carrier. If you're on the line with a customer support representative, you won't be able to make any changes to your account without providing a PIN or passcode. You can set up your PIN by calling your carrier or visiting a retail store with valid identification.
Don't remember the PIN? Carriers like AT&T and T-Mobile will let reset your PIN either over the phone or online. Every major carrier will let you walk into a retail store with valid identification and update your PIN that way. When it comes to the PIN itself, be sure to avoid simple ones like "1234" or a PIN related to your birthday, as these can probably be guessed by hackers snooping around your social media profiles looking for identifiable information.
Use Better Two-Factor Authentication Services
SMS-based authentication, used to verify your identity by texting you a random passcode needed to access your account,is a good start to a more secure digital life, but you'll have to step it up a notch if you want to make sure there are no security holes. As a rule, it should only be used when no other two-factor authentication process is available.
Keep in mind your phone may not be the only device receiving that authentication message, especially if your messages are synced between multiple devices, like your tablet or computer. They could be sent to other online messaging services like Google Voice or Skype, services that can be accessed from places besides your smartphone. It's also susceptible, as Briggs discovered, to carrier-based SIM card transfers if the proper security protocols aren't in place.
Two-factor authentication apps like Authy or Google Authenticator are much more secure, and don't involve email addresses or text messages, granting attackers fewer entry points. Setup is a bit more involved than entering a number sent to your phone, and requires you to have your authentication device, whether it's a smartphone or tablet, in hand while you enter the periodically randomized string of numbers.
Employ a Password Manager
Don't think that adding more layers of security means you'll have to remember every new PIN, password, or other secret code. While you're setting up additional security checkpoints, enter the information in the password manager of your choice . You can use it to store backup codes, customer support numbers, or a carrier-exclusive email address, ensuring it both stays far from snooping hackers and accessible only to you.
Keep Your One-Time Codes Handy
Setting up two-factor authentication apps like Google Authenticator usually involves saving a backup passcode in the event your phone is missing or stolen. Google suggests you print them out and store them in a secure location. You can keep them in a folder tucked away in your home somewhere, or inside your password manager for easy access. No matter what, having a backup plan in case your original backup plan goes down is a great method of keeping yourself secure and your identity safe from malicious individuals.