Taylor Breland

Cyber Security Analyst.

5 minute read

If you want to further protect your accounts on various websites, you will need to apply more security controls than just your username and password. Two-Factor Authentication(2FA) is the best way to do so. Hopefully after reading this you’ll understand how 2FA works, and why you should enable it whenever possible.

Enter Your Password

Long gone are the days of not worrying if hackers are able to gain access to your accounts. They will. It’s not a matter of if, but when. Whether you get phished on accident through email, or if there is a data breach at a company, your credentials are going to get exposed in the hacker world for some nefarious purpose. Now before you panic, obviously this is a very grim look at cyber security controls and policies that are supposed to protect you from these things. However, a somewhat counterintuitive notion that exists within cyber security is that, “hackers are going to get through.” Yes, you read that correctly. We should expect hackers to be able to get through security controls, but it doesn’t mean they will be successful in the long run…

Defense-in-Depth is a cyber security principle that basically outlines a plan for your overall security infrastructure. These defenses can include things like physical security controls (door locks), cyber perimeter defenses (firewalls, IDS/IPS) and endpoint solutions (antivirus). All of these controls together will be your defenses against threats, both physical and in cyber space.

“Ok, but what does this have to do with my online accounts? I don’t own a business, and I’m not protecting a building. I just have facebook login.”

We can apply defense-in-depth tactics to your online accounts as well. So while hackers might be able to figure out your password, it doesn’t mean that if a breach occurs they’ll be able to access your account. This is where Two-Factor Authentication comes into play. This kind of authentication relies on 2 or more ways (multi-factor authentication/MFA) to be able to verify who you are for an account. It’s really that simple, but highly effective.

Who are you??

I think we can all agree that having a long and complex password is the best security practice when making online accounts. Don’t believe me? Read my password article and then come back to this one. Let’s assume though that your password gets compromised, and the attacker is able to use your account. What do you do then? You can and should change your account password as soon as you realize there’s a breach. However, what if your account gets compromised again? It would be a pain to keep doing this every time there was a breach, and there’s no telling how much data the attacker was able to get on each successive attempt. Ideally, we want a “just in case” security control that will stop the attacker even if they have our password…

2FA can solve this problem. Essentially, we need another method of authentication that is seperate from just our password. How can we do this? Well, what if when we logged in with our password, it also asked us for a 6 digit code to be put in as well? This 6 digit code would be made available to us either via text message or authentication app that only we would be able to see and nobody else. To make this even better, the 6 digit code also randomized every 30 or so seconds, which means that nobody would be able to guess the 6 digit code in enough time to break through. This is what makes 2FA very powerful.

We can severly limit the chances of an account compromise if we make authentication more complex. More complex websites and services will even notify you when they see an unauthroized attempt of a login on your account. Facebook does this very well. They give you the IP address, device type, and location of the attempt. If you have 2FA on, it will prompt that user that put in a code, which of course only you will have. Your account will have been secured.

We can even expand authentication to more than just passwords and codes, but to your biometrics as well. FaceID and fingerprint scanning for phones are great examples of this. The idea is that only your face or fingerprint will be able to unlock your phone. If you use a passcode for your phone too, you’ve definitely lessened the likelihood of a physical compromise for that device. Essentially we can break down 2FA or MFA into these three categories:

  1. What you know: password
  2. What you have: keycard, one time code
  3. What you are: face, voice or fingerprint recognition

Using a combined method of 2 or more of these is highly recommened whenever possible.

Enabling 2FA/MFA

If you’re concerned for a potential account compromise, I highly recommend to check out the website and see if they offer some kind of 2FA/MFA for your account. It’s a very simple set up, and often times it’s going to be just a code they can just send to you via text or email. It will only be valid for an X amount of minutes and after that you’ll have to have a new code sent. You also probably won’t have to do this every time you log on either (depends on the site). As mentioned before, various sites track information about the devices you normally log in with, their location, browser and IP address. If you normally log in from the same device, unless your device has been stolen, the site is going to know that it’s probably you logging in, and will block any other attempts.

I would highly recommend to check to see how that specific site is running their 2FA/MFA services, and how you can integrate that into your existing account in the most efficient (but safest) way possible. There are also 2FA applications that you can download to manage your websites that you have 2FA enabled on. This makes it easier to log into various accounts and not have to track down codes from emails or text, especially if receiving the codes via those methods is not secure on your end. Duo Mobile and Google Authenticator are two apps I’ve seen being used a lot in the workplace. You can extend this to your personal accounts as well.

This wasn’t one of my usual longer articles, but I felt that 2FA is very underutilized for a lot of personal accounts. This isn’t to say that 2FA will solve all of your account compromise problems, but it’s a damn good defense to have in your arsenal.

Thanks for reading!

You May Also Enjoy

Happy New Years!

less than 1 minute read

Happy New Years everybody! Here’s to hoping that your year is filled with joy, excitement and fulfillment of your goals. I have a feeling that the cyber sec...

Exploiting Log4shell

5 minute read

This article is intended to show the Log4shell exploit in action. If you’re unfamiliar with what Log4shell is, please read this article. Essentially, we’re g...

Log4shell Vulnerability

5 minute read

WHEW, it certainly has been one hell of a year for cyber security, and it’s only getting more intense. You may have heard of the recent vulnerability dubbed ...

Finding Passwords with Wireshark

8 minute read

So we’ve already seen how we can collect credentials through using SET (Social Engineering Toolkit). Now let’s see how we can get credentials using a network...