One-factor authentication is typically something you know, like a password. Two-factor is something you know, plus something you are (such as a fingerprint or iris scan) or something you have. In this case, a six-digit passcode sent to your mobile phone means that your password would have to be compromised AND your mobile phone stolen.
From the DropBox Blog:
“Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account,” Dropbox writes. “Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.”DropBox has had a number of security breaches in the recent past. In July of 2011, a "code update" allowed anyone with a DropBox account to log into any other account. In July of 2012, usernames and passwords stolen from other web services were used to compromise DropBox accounts. The same attack was used to hack 400,000 Yahoo! accounts this summer. After continual promises to do better, has finally made a change that might make a difference.
Google already offers what they call two-step verification, but some researchers, including Bruce Schneier, say two-factor authentication solves "problems we had ten years ago." A virus called the ZeuS Trojan has already been discovered that specifically targets bank tokens, effectively stealing the code from your mobile phone.
The lesson learned from all of these hacking events - use different, strong, passwords for each of your accounts, and turn on two-step verification when you can. Unfortunately, strong passwords remain our first line of defense in Internet transactions. Adding a second factor to that protection might not solve the problem, but it makes both hacking accounts, and logging into your own account, a bit more difficult.
image: http://www.security-faqs.com/
Article first published as Will Two-Factor Authentication Become the New Normal? on Technorati.
1 comment:
I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you use it, it is worth the time and effort to have the confidence that your account won't get hacked and your personal information isn't up for grabs. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.
Post a Comment