Lorrie Cranor knows a thing or two about the importance of two-factor authentication (2FA). Cranor is a Carnegie Mellon professor who specializes in passwords and security. She's also the former chief technologist of the Federal Trade Commission. Oh, and she's the victim of a mobile phone hijacking plot against her family — one she's confident 2FA could have prevented.
Cranor's experience is enough to make anyone shudder: In the summer of 2016, someone walked into a carrier store and identified herself as "Lorrie Cranor." The crook provided a fake ID and said she wanted to upgrade to a new iPhone. She walked out of the store with two shiny new devices — connected to Cranor's family numbers — and a bill left behind in Cranor's family name.
"In that scenario, the carrier should have texted the phone, and it would have solved the problem," Cranor says. "The thief didn't have the old phone. It was in my hand."
To this day, 2FA is still hit and miss at the major U.S. mobile carriers. The resulting weakness in security should serve as an eye-opener for any company whose employee data is protected by a single password.
What is 2FA?
2FA adds an extra layer of protection to the authentication process. It requires users to provide a second piece of identifying information in addition to a password. Examples of 2FA include answering a question like "What was your high school mascot?" or entering a verification code received via text message.
Why use 2FA?
The notion of 2FA as a best security practice is no longer even remotely new. Google brought the advanced form of online security into mainstream consciousness with the launch of multilayered protection for enterprise customers in 2010 and then for all Google users in 2011. Facebook followed soon after. Yet, according to a recent report by the Pew Research Center, only 10 percent of American adults can correctly identify a two-factor-enabled login screen from a set of four choices.
Another report, from Duo Labs, estimates a measly 28 percent of Americans actually use 2FA on a regular basis. More than half of those surveyed by the firm had never even heard of it.
That, to put it mildly, is troubling. "People should all be looking at 2FA, even for minor things — if they're just buying toothpaste at a shopping site," says Patrick Wardrop, chief product architect of IBM's Identity and Access Management division.
Wardrop notes that strong 2FA could have prevented nearly all of the internet's recent high-profile password breaches, but he's quick to point out that all forms of authentication are not created equal. Systems that use either an app-generated code or a physical security key are the strongest, he says, while SMS-based methods — though certainly better than nothing — are disturbingly easy to defeat.
"The weakest link with SMS is the telco phone rep," Wardrop says, referencing the relative ease with which people have been able to hijack phone numbers and intercept incoming messages. "You're putting your Twitter account, your bank account in their hands, which I certainly wouldn't do."
The U.S. National Institute of Standards and Technology (NIST) agrees. The federal agency revised its guidelines last year to warn companies of the flaws associated with SMS-based authentication and to push for the use of stronger alternatives, such as the aforementioned codes and keys. Yet many online services, including the frequently targeted Twitter, provide no way to use two-factor authentication without involving SMS.
That leaves security experts like Wardrop baffled, because whether you're Twitter or a tiny IT shop in Toledo, implementing effective 2FA is now easy, affordable, and minimally inconvenient to end users. The real question, he suggests, isn't why a company should use proper authentication to secure its data; it's why any company wouldn't embrace that heightened level of protection. "These strong authentication capabilities are right in your pocket," Wardrop says. "There's really no excuse."
That brings us back to Lorrie Cranor. As both a security researcher and a victim of poor security practices, Cranor knows better than most that 100 percent guarantees simply don't exist in the realm of security. She also knows firsthand how much difference every added layer of protection can make. "There are no absolutes in any of this," she says. "It's all about managing risk."
To see how painless two-factor authentication can be for end users, you need only look at how big-name companies like Google, Facebook, and Instagram have implemented the technology.
How to set up 2FA for Google
Google offers a bevy of options to help its users stay protected at varying degrees of intensity. From the company's 2-Step Verification page, any user can opt in to 2FA and then select from receiving one-tap prompts via the Google app on a phone, receiving short-term codes via an authenticator app, receiving short-term codes via voice or text message, and using a physical security key for verification. Users can also print out backup codes in case a phone or physical key isn't available and can specify backup phone numbers to which codes can be delivered in the absence of a primary device.
For G Suite accounts, Google's 2-Step Verification must first be enabled at the admin level. A company can then require all users to utilize the system.
For especially high-risk accounts, Google also now offers a next-level option known as the Advanced Protection Program. It works only with a physical security key and prevents all non-Google services from connecting to an account and accessing its data.
How to set up 2FA for Facebook
Facebook's 2FA options are similar to Google's, though not quite as extensive. Users can enable 2FA within Facebook by opening the Security and Login Settings page, then clicking the "Edit" button inside the 2FA section.
From there, simply follow the on-screen steps to set up 2FA and select a preferred method — an app-generated code, an SMS-delivered code, a physical security key, or a printed recovery code.
How to set up 2FA for Instagram
Despite being owned by Facebook, Instagram's 2FA options are still extraordinarily limited. What's more, management of the service's two-factor system is available only in its mobile apps and not on its website.
To enable 2FA on Instagram, open the Android or iOS app, navigate to your profile, then tap the 2FA option and activate the toggle next to "Require Security Code." Unfortunately, SMS-based codes are Instagram's only option for day-to-day use, though the service does, at least, offer the ability to get a list of backup codes.
Other sites and services
Most sites follow similar models for enabling 2FA, assuming they offer it in the first place, of course. An alarming number of businesses still don't. You can find a detailed community-maintained database of two-factor support status for well-known companies and services at the aptly named twofactorauth.org.