Many attacks would not be possible with the feature enabled

Aug 7, 2012 13:50 GMT  ·  By

By now, you've probably heard the story of the Wired journalist who got hacked in the worst possible way, having his Google account erased along with all of his Apple devices: his phone, his tablet and his laptop. It's a scary story, if only because it can happen to most of us.

The story also uncovered some worrying security policies at both Amazon and Apple. Once again, the weak link was human: tech support at both companies was fooled into granting the hackers access to accounts.

To call this social engineering would be to give the hackers too much credit; it was simply poor policy and lax enforcement at both companies.

But it's not just Apple's or Amazon's fault, since there are steps you can take to better protect yourself. One of the easiest, and one that you should definitely take, is enabling two-step (or two-factor) authentication, also called two-step verification. Matt Cutts strongly recommends it.

Google pioneered the feature on the mainstream web, but others have followed, notably Facebook. Dropbox will be adding something like this as well, in the wake of some hijacked accounts.

A two-step authentication system, as the name suggests, requires two steps, that is, two pieces of data. One is your password, which can be stolen, guessed or broken.

The other is a one-time code you get from your phone, either via an SMS from Google or from the Authenticator app. Because the app generates the code on the device itself, it ensures that you can get the code even if you don't have a phone signal, have changed your number, and so on.

As a last resort, if you don't have your phone, there are 10 one-time backup codes you can use to get access.
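To make the two pieces of the second step concrete, here is an added example (not code from the article, Google or the Authenticator app) of how an authenticator-style code and a set of one-time backup codes work on the server side. The Authenticator app implements TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter derived from the current 30-second time window: the phone and the server share a secret, so the six-digit code proves possession of the phone and is worthless to someone who only has the password. The backup codes are modelled as random one-time values that the server stores only as hashes and deletes on first use. The function names, the `skew` tolerance and the 8-digit backup-code format are this example's own choices; the secret `b"12345678901234567890"` used in the demo is the RFC test vector, not a real key.

```python
"""Added example: TOTP second factor plus one-time backup codes (RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30   # seconds per TOTP window (RFC 6238 default)
DIGITS = 6       # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step` windows since the epoch.
    This is what the phone computes offline; no network or SMS is involved."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `skew` windows on either
    side to tolerate clock drift, and compares in constant time."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    counter = unix_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - skew, counter + skew + 1))


def generate_backup_codes(n: int = 10, ndigits: int = 8):
    """Return (plaintext codes to hand to the user once, set of hashes for the server).
    Only the hashes are stored, so a database leak does not leak usable codes."""
    codes = []
    while len(codes) < n:
        c = str(secrets.randbelow(10 ** ndigits)).zfill(ndigits)
        if c not in codes:          # keep the set distinct
            codes.append(c)
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Accept a backup code exactly once: a match is removed before returning True."""
    h = hashlib.sha256(code.encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False


def second_step_ok(totp_secret: bytes, backup_hashes: set, code: str, unix_time: int) -> bool:
    """The second step of a login whose password has already been checked:
    either a fresh authenticator code or an unused backup code is acceptable."""
    return verify_totp(totp_secret, code, unix_time) or redeem_backup_code(backup_hashes, code)


if __name__ == "__main__":
    # Demo with the RFC 4226/6238 test secret (not a real key).
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)                       # what the phone would display
    print("current code:", code, "valid:", second_step_ok(secret, set(), code, now))
    print("stolen password alone, wrong code:", second_step_ok(secret, set(), "000000", now))
    codes, hashes = generate_backup_codes()
    print("backup code accepted once:", redeem_backup_code(hashes, codes[0]),
          "then rejected:", redeem_backup_code(hashes, codes[0]))
```

The RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives `94287082`, time 1111111109 gives `07081804`) truncate to the six-digit values `287082` and `081804`, which is a quick way to check any TOTP implementation against the real app. Note that a code stolen over the shoulder is only useful for the remaining part of its 30-second window, which is why the article can say the hacker needs the phone itself.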

This may seem like a hassle, and it is, but you only need to do it once a month on your computers. A hacker trying to log into your account for the first time will have to provide the security code as well, which the hacker won't have without access to your phone, and that is the case in only a tiny minority of attacks.

This simple step will defeat most of today's attack attempts, and you'll be glad you took it when the alternative would have been the loss of years of email archives, at best.