If you are here, that means that you are looking to take control of your cybersecurity so that this type of thing is less likely to happen to you. In this installment (number 4) in our series on cybersecurity, you will be able to answer the following questions:
What is authentication?
What is two-factor/multi-factor authentication?
How can I start using two-factor authentication today?
Is there a best way to authenticate?
If you’d like to start at the beginning of our series and work your way up to this, check out our first post on saving your passwords.
Otherwise, we will assume you are ready to dive right into two-factor authentication (2FA).
Have you ever given any thought to how you “authenticate” when you interact with people in the “real world?” When you call someone (or they call you), you don’t immediately begin to speak freely nor do they speak freely with you until you both have “authenticated.” The same is true for when you meet someone in person.
Eye being scanned with a bright light as an example of biometric authentication.
We rely on the sound of someone’s voice or the way they look to authenticate. Though this is not “foolproof”, this is a very strong strategy (see all strategies below) for authentication. Once we have authenticated with someone, we can adjust our communication appropriately for that individual. We recall the things we said when we last met, we know the questions we need to ask them and visa versa.
When we move to online interactions with websites and apps, things are a little different. Any visitor to a website or user of an app can be absolutely any person on the planet. How are these websites or apps to know that you really are who you say you are? Developers of our favorite sites and apps employ one or more of the following 3 strategies...
What are the 3 main strategies for authenticating users online?
With knowledge-based authentication, you will likely be presented with a question to which (hopefully) only you know the answer. This strategy is the most commonly used and often makes use of passwords, PINs, and security questions.
This strategy of authentication involves making sure you own something that you say you own. Often, this will be in the form of proving that you own the email address that you say you do. Have you ever logged in and then been emailed or received a text with a code or a link?
A problem with ownership-based authentication can be that someone may already have access to your email account or phone.
In a way, this strategy is similar to ownership-based authentication. Here users have biological traits that are analyzed and stored as credentials. This includes things like:
These are both hard to fake and hard to lose which make them very strong options for authentication. There are those who feel uncomfortable with the prospect of their biometric data being stored in their phone or in the cloud.
Now that you know about the 3 main strategies used in authentication, we will explore how we can combine strategies to attempt to overcome the limitations of the individual strategies.
What is Two-factor Authentication
As you may have guessed by now, two-factor authentication is simply a process whereby we are asked to provide information from 2 different strategies. This might look like being asked for your username and password (knowledge) and then receiving a SMS/text message with a PIN (ownership). This cross-strategy method greatly improves the security of your account as it is unlikely a criminal will know what you know and have what you have.
Despite the improved security it offers users like us, you should know that using 2FA would make you in the minority. According to The Register, less than 10% of Gmail users make use of the 2FA security feature. It is our hope that by the end of this article, we will have convinced you to join the group of cybersecurity-minded users and enable 2FA on as many accounts and devices as possible.
How Can I Start Using 2-Factor Authentication?
The following advice is subjective. Only you can determine the best place for you to start tightening up your security measures. However we will give you some points to consider and a suggested starting point.
Your email accounts are where you should start. The reason for this is because if a cybercriminal gains access to your email, they are more likely to be able to gain access to your other accounts. Frequently our emails are used to reset passwords. If a criminal has access to your email, just imagine how many of your passwords they might be able to reset.
Our webmail service here at Long Branch Public Schools does not offer 2FA, but we can set our Google accounts up with 2FA. To do this, open a new tab in Chrome and click your user icon in the top right corner. From here choose Manage your Google Account and then Security. Then in the center section, you will see “Signing into Google.” Click on 2-Step authentication. Follow the steps in Google’s documentation.
Once you are done securing your email and work accounts, it would be best to turn your attention to your banking and shopping accounts. Almost all of these types of businesses offer 2FA as a means to secure your account.
Is there a Best Way to Authenticate?
As with most things, it is unwise to say there is one single best way to do something. Below you will find some advice that is commonly accepted. Regardless of which approach you take, awareness is the first and most important step, and you've already taken it.
You may opt to receive text/SMS codes, but you should be aware that these are the least secure option for 2FA. One of my favorite tools is to use a “time-based one-time password” (TOTP) generator. Some popular examples of TOTP generators are Google Authenticator, Microsoft Authenticator, Authy, and now even iOS has it built-in. If you elect to use a TOTP app like those mentioned above, please be sure to enable a backup system in the event that your app or device is lost or stolen. Usually, when you set up the TOTP app, you are given the ability to download/print backup codes that are single-use.
This concludes our series on cybersecurity for now. We hope you feel empowered in improving the security if your accounts (and the data contained within). You have made strong passwords, saved them, avoided phishing, and learned how to use 2 factor authentication. Combine your improved processes and practices with the state-of-the-art hardware and software in use by our district, and we will have bolstered our collective cybersecurity tremendously.
Thank you for reading and we hope you feel free to leave us a comment or reach out anytime!
Meet the Author ...
Hi! I'm Neil, and I've been in education since 2002. My journey with using educational technology really began in 2008. It was at this time, I began to see the potential that technology provided me and my students. Since then, I have moved into administration and I am fortunate enough now to be responsible for supporting staff in their edtech journeys.