Let's say you've just finished making all your passwords strong and unique. Your password manager reports that you're a security superstar! But don't break your arm patting yourself on the back, because there's still a problem. The whole concept of authentication by password alone is rotten to the core.
You're not the sole protector of your passwords; you share that responsibility with the secure sites you visit. If one of those sites gets hacked, and if the bad guys get your password, you're hosed. They can log in from Elbonia and take over your account, whether your password is 12345 or CEdM@TtYtx7S. Passwords just aren't enough.
Proving that you are you
The problem with using a password for authentication is that it doesn't prove the person logging in is you. All it proves is that the person logging in knows your password. To improve the authentication process we need to add another authentication factor. Experts typically describe three types of authentication factors: Something you know (like a password), something you have, and something you are.
"Something you are" refers to fingerprints, iris scans, facial recognition, and other types of biometric authentication. Some Android devices can unlock using facial recognition (of course, depending on the lighting, or your lipstick, facial recognition might fail, so a backup method is required). The fingerprint readers found on many modern laptops are more reliable, as is the Touch ID button on the iPhone 5S. Yes, Touch ID has been hacked, but an attacker would need physical control of the device.
The Personal Locker feature in McAfee All Access 2014 goes all out, using both facial recognition and voice recognition to authorise access to your protected storage. A cyber-crook can't fool it with a photo and a voice recording, as the voice recognition component asks you to read a different statement each time.
Authentication in your pocket
Security tokens that generate a time-sensitive code have been around for many, many years. To log in, you enter your password and also enter the code currently displayed on the token. However, many of the banking websites that made these tokens popular are switching to mTANs – mobile transaction authorisation numbers. After you enter your password, the bank texts you a code that you must enter for access to the site.
Yubico's YubiKey is a tiny, tough USB device that generates and transmits a one-time password when touched. Of course, you can only use it on sites and services that have YubiKey support, but the popular LastPass 3.0 Premium is among those that do.
Google Authenticator extends the mTAN concept to protect your Gmail and any other accounts that support it. To log in, you need your password plus a code supplied by Authenticator. LastPass also supports authentication through Google Authenticator; Evernote recently added support.
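The time-sensitive codes that hardware tokens and Google Authenticator display follow a published recipe: HOTP (RFC 4226) runs HMAC-SHA1 over a counter and truncates the result to six digits, and TOTP (RFC 6238) simply sets that counter to the number of 30-second steps since the Unix epoch, so the phone and the site can compute the same code from a shared secret without ever transmitting it. The snippet below is an added example written for this article, not code from Google, Yubico, LastPass or any other product named here. It assumes the RFC's own published test secret, a 30-second step and six-digit codes, and shows the server-side checks a site needs beyond merely recomputing the code: a small drift window, a constant-time comparison, and refusal to accept a code that has already been used.

```python
import hashlib
import hmac
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used
# here only so the output can be checked against the published test vectors.
# A real site would store a random per-user secret, never a shared constant.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the slice
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter taken from the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, candidate, at_time=None, step=30, digits=6,
                window=1, last_counter=None):
    """Server-side check. Returns the time-step counter that matched, or None.

    - Tries the current step plus `window` steps either side, so a phone
      whose clock is a few seconds off is still accepted.
    - Compares in constant time so a wrong guess cannot be timed.
    - Skips any counter at or before `last_counter` (the counter of the last
      code this user successfully used), so an intercepted or reused code is
      rejected even while it is still inside the drift window.
    """
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # Stand-alone demo: generate the code an authenticator app would show
    # right now, then verify it the way the site would.
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    matched = verify_totp(RFC_TEST_SECRET, code, now)
    print("current code:", code, "accepted at step:", matched)
```

After a successful login the site must record the returned counter as the user's new `last_counter`; without that bookkeeping a code remains valid for the whole window and an attacker who captured it in transit could use it after you did, which is the weakness that the mTAN-stealing Trojans mentioned later in this article exploit.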
Any authentication method that requires your physical presence is an improvement over a simple password. Without access to your security token, smartphone, or finger, knowing your password won't do a hacker any good.
Still not perfect
All that said, a determined group of hackers can get around multi-factor authentication. There are variants of the Zeus banking Trojan that can intercept or tamper with a bank's mTAN verification, for example. And if a single target is really valuable, enough so that the group can allocate plenty of resources, they'll probably succeed, as demonstrated by a recent high-tech heist in France.
The thing is, you don't need perfection to greatly enhance your protection. Two-factor authentication is your insurance so you don't get owned just because JPMorgan Chase was. Hackers go for the easier password-only targets – it's simply more cost-effective for them.
Turn it on
Get started now. Turn on two-factor authentication for your email and for your sensitive websites. More and more websites are joining the trend and making two-factor available to users, so check the site's FAQ to see if you can make use of it, or ask tech support directly.
The chances are good that your bank offers some form of two-factor authentication, whether through a credit-card-sized token, a code sent to your phone, or some other technique. Find out how you can take advantage of it.
Yes, swiping your fingerprint, inserting a YubiKey, or copying an authentication code will make logging in take just a bit longer. But that tiny inconvenience is nothing when weighed against the immense inconvenience involved in losing control of your identity.