Here is why you must set up two-factor authentication (also called 2-step verification) wherever you can. Many places now offer it, including Facebook (called “Facebook login approvals”), PayPal (“PayPal Security Key”), Twitter, and, of course, Gmail (Google).
You may recently have read the story of how Naoki Hiroshima lost their Twitter account, valued at $50,000, to a hacker. Basically the hacker managed to get into and redirect Hiroshima’s email domain, allowing the hacker to do password resets on some of Hiroshima’s accounts, and intercept the password reset emails. [Read Naoki Hiroshima’s “How I lost my $50,000 Twitter username”]
The hacker first tried hacking into Hiroshima’s PayPal account, which didn’t work, because they were stymied by PayPal’s two-factor authentication. (Unfortunately, the hacker then simply called PayPal, and through some social engineering got a PayPal employee to give them the last four digits of Hiroshima’s credit card on file, which in turn the hacker used to convince GoDaddy that they were Hiroshima.)
Anyway, all of this serves to highlight this: You should have two-factor authentication set up with every account that offers it. And, if you are using a service that doesn’t offer it, you should request that they do. Maybe even threaten to switch to another, similar service that offers it – in fact, maybe actually switch to another service that offers it.
(Two-factor authentication is basically having two passwords, the second one of which is randomly generated, and is good for only a few minutes, and is delivered to you through a device, an app, or an SMS text message.)
Whenever possible you should set it up as an SMS text message direct to your mobile phone.
Here’s why: Some places (such as PayPal) offer you a separate device with which to generate a special one-time code, like a keyfob or credit-card sized “security key”. Other places, such as Google, offer you a standalone app that will generate a special one-time code for you. But (nearly) all places offer the option of having the random code for your 2-factor authentication delivered to you by SMS text message.
PayPal’s Security Key Options
Now. Imagine you use the security key offered by PayPal. And imagine that you lose your wallet in which you keep the security key. Suddenly you are locked out of your PayPal account.
Similarly, imagine that you use the Google authentication app on your phone. And you lose your phone. Even if your phone doesn’t fall into the wrong hands, you have no way of accessing your Google account, because you can’t get the code from the app.
But, if you instead have set up all of your two-factor authentications to come to your cell phone as text messages, and if you lose your phone, it’s a simple matter of having your phone carrier (e.g. AT&T, Verizon, T-Mobile, etc.) turn off the SIM card in your lost phone, and reactivate it in a replacement phone. You will have the same phone number, and your two-factor authentication texts will still come right to you.
All that said, here is a list of the more popular services and social media of which we are aware that offer 2-factor authentication. To the best of our knowledge, they all also offer the code-by-SMS-text-message option, unless otherwise noted. If you run into any that don’t, or if you know of other services that offer 2-factor authentication, please feel free to add them in a comment!
LastPass – unfortunately LastPass doesn’t offer an SMS option; you have to use the Google authenticator app.
For a more comprehensive list of websites and services that offer two-factor authentication, including financial services such as CitiBank, Bank of America, and Charles Schwab, see Evan Hahn’s Two-Factor Auth List.
For a list of domain registrars that offer two-factor authentication, see Elliot Silver’s List of Domain Registrars that Offer Two-Factor Authentication over at DomainInvesting.com.