Monday, August 13, 2012

You Should Be Using Authenticators

UPDATE: Dropbox just enabled two-step authentication for its cloud storage service. It's still in beta, but I'd recommend checking it out.

Hi there. Do you have an account with Google? Do you play Warcraft, Starcraft or Diablo? Then this post is for you.

Don't use those services or play those games? Well you should probably read this anyway, because it's going to come up in a few years.

You need to use an authenticator.

What's an authenticator? It's a thing that makes your accounts much harder to break into. See, there are three kinds of things you can use to prove who you are when you log into something:

1. Something you know.

2. Something you have.

3. Something you are.

Most websites just use the first one: if you know your username and your password, you can get into the website. That's fine, except it means that if somebody else knows your username and password, they can get into the site just as easily, and seriously mess you up. If you're in any doubt about that, just read this post from Mat Honan, who watched his entire online life (and most of his hardware) get fried because somebody got ahold of his account information.

Now, you can take steps to prevent this sort of thing: use stronger passwords, use different passwords for every account, make sure you don't release any personal information (like the last four digits of your credit card) that an attacker could use to bluff his way into your account. Those are good things to do no matter what, and I encourage them. But it doesn't change the fact that somebody could figure out what your password is and walk right into your banking information.

What's the solution? You guessed it: an authenticator.

An authenticator is something you have: a physical token (or, these days, an app on your phone) that shows a six-digit code which changes every thirty seconds or so. The code isn't actually random: the token and the website share a secret key, and each side computes the code from that key and the current time, so the site can check what you type without the code ever being sent to you. After you enter your username and your password, the website asks you for your authenticator code. You enter the number that's currently on the screen, and you're in. Somebody who has your password but not your authenticator gets stopped at the second prompt. It's called two-factor authentication, and it kicks the pants out of your old username and password combo.

(In case you're curious, something you are refers to biometrics: fingerprints, retina scans, DNA sampling, biopsying your liver for a chemical analysis... stuff like that. It does get used for high-security facilities, but it's not very useful on the web.)

Authenticators used to be pretty limited, but more web services are making them available for their customers. The big two right now are Google and Battle.net, the service that runs all of Blizzard's games.

Can I be blunt? If you're using either service, turn on two-factor authentication right now.

I've been hacked before. It sucks. One thing I don't think I've mentioned before, though, is that my Blizzard account has been broken into. Twice! Jerks wanted to use it to make level one dunces and run around the World of Warcraft shouting "GOLD HERE $20!!1!" That one didn't turn out so bad, because I caught it quickly, I didn't actually play WoW at the time, and I actually got a bit of free play time once I got the account unsuspended. (And I quit again when the time ran out. WoW is a hideous time sink.)

Still, I didn't want to get hacked again. I do enjoy Starcraft quite a bit. So when I saw that Blizzard was offering two-factor authentication through a phone app, I jumped onboard. The app was free, quick to download, and worked just like I described above. And if I hadn't had a phone, I could have bought a physical token direct from Blizzard for only $6.50 that would have worked the same way.

There is no excuse whatsoever not to use one of these tokens.

Now, Google was a different case. My job doesn't permit cell phones in the office, so I assumed setting up two-factor authentication meant I wouldn't be able to check my email, or anything related to my Google account, at work. It didn't seem worth the trade-off, so I chose less security.

But after reading what happened to Mat Honan, I decided to bite the bullet and set up an authenticator. And it turns out those concerns I had were completely unfounded. See, if you don't have your authenticator on you, you can print out a sheet of one-time passwords to keep in your wallet or somewhere else on your person. You get ten at a time, and they all work the same as an authenticator (but only once - after you use one you throw it away). So if you lose your phone, or you don't have it available, you can still get into your account.
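The "use it once, then throw it away" property of those printed codes is enforced on the website's side, not on the paper. The following is an added example of how a site can do that, not code from Google or from the original post: it generates a sheet of ten codes, keeps only their hashes, and burns each one the first time it is redeemed. The alphabet and code length are my own choices for the illustration.

```python
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/O, 1/l/I) so a code read off a creased sheet in your wallet still types.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Ten independent random codes; 31 symbols ** 8 positions is roughly 40 bits each."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _normalise(code: str) -> str:
    """Accept what a person actually types: spaces, dashes and capitals don't matter."""
    return code.strip().lower().replace(" ", "").replace("-", "")


def _digest(code: str) -> str:
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


class BackupCodeStore:
    """What the website keeps: only hashes of the codes, each redeemable exactly once."""

    def __init__(self, codes):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, code: str) -> bool:
        h = _digest(code)
        match = None
        for stored in self._unused:      # check every entry, constant-time comparison each
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)      # burn it: presenting the same code again must fail
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print these and keep them on your person:")
    for c in codes:
        print("  " + c[:4] + "-" + c[4:])
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

One caveat for anyone building this for real: at roughly 40 bits a code is strong enough against online guessing (the site should rate-limit attempts anyway), but a plain SHA-256 of it can be brute-forced offline if the database leaks, so a production store should hash backup codes the way it hashes passwords.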

You do have to do a little extra work if you use Google Chrome, Outlook, Google Music Manager, or a few other programs that aren't web-based and can't show you the second prompt: Google has you generate a separate application-specific password for each of them. But even factoring those in, it took me less than an hour to set up the authenticator across all my services. And honestly? Compared to what could happen if someone broke into my email account, it's worth it.

I'm also very much hoping that other big Internet companies follow Google's lead soon. A few sites already accept codes from the same Google Authenticator app (the codes follow an open standard, so the app isn't actually tied to Google): LastPass, WordPress, a few others I think. But I'd really love to see Amazon and Apple and Microsoft throw their weight behind this idea. Imagine! In a world... where you don't have to worry about having your email, your photos, your videos, your bank accounts compromised?

Good God! Why haven't banks jumped all over this? I mean there are limits to the problems two-factor authentication would solve for a bank; you can't fix corrupt and stupid, but how many accounts get compromised through the web in a month, let alone a year? Bankers: Get on this!

And if you're reading this, and you're using any service that supports two-factor authentication: Turn it on. Do it right now. You'll be doing us both a favor, and helping to make the world a better place. Salud.
