Monday, May 16, 2011

Free 2 factor authentication for Google accounts, use it!

At the last company I ran, Bmycharity.com, we needed a 2 factor authentication system to pass the stringent PCI certification requirements as we were processing lots of credit card information. It cost a lot of money and you needed to carry yet another device around with you.

It was good though, it really worked. But what is it?

Simply put, it works by requiring 2 pieces of information from you when you log in: something you know and something you have. The something you know is your password (hopefully); the something you have is the security device, from which you generate a code and then log in. The code you generate only works once, so even if someone sees you enter the code, or somehow records it, it is of no use to them after you have logged in. Neat, huh?

Without something like this, all a hacker needs is your password, and then they might as well be you. You should of course enforce a strong password policy on your system, but what tends to happen then is that people write their passwords down because they are complicated, and you are back to square one.

The good news is that if you use Google there is now a free (of course) solution provided by the mighty G. 2 factor authentication is now available on all Google accounts after initially rolling it out to Apps customers.

This really is a great addition to your account and I strongly urge you to use it. The more information you store in Google, the more attractive it is to hackers. Do you really want anyone with an internet connection to be one (maybe simple, maybe written down in your wallet) password away from being able to use your Checkout account?

It gets better: you don't need to buy or carry around another electronic device; in fact you probably have it already - your phone. If you have a BlackBerry, iPhone or Android powered phone, you simply install the app on your phone, which generates the one-time access codes.

There are a couple of nice touches too. If you use the same PC all the time and you are happy that it's secure, you can check a box at login and it won't prompt you for another code for 30 days. For apps and services that don't know how to prompt you for a verification code, such as deploying App Engine code, you can generate an application-specific strong password from your account page.

I've been using it for about a month now and have no complaints. Although I've had to find my phone a few times to generate a new code, the frustration soon wears off knowing my account is secure, and hey, I know where my phone is, all good.

There is a getting started guide here; go and do it now and you will sleep better tonight.

1 comment:

  1. Matt - thanks for this excellent summary and guide. After reading it I merged my Google Apps account and my Google account and then applied 2-step verification. I will certainly sleep better tonight knowing I have that extra layer of protection.
