The recent HeartBleed security concern has a lot of people rushing to change their passwords on various compromised sites. This is because security experts just don’t know what information could have been taken. While that advice is solid, because you should be changing your passwords frequently anyway, a password is becoming less and less of a secure way to protect your sensitive information.
What you can do to add the best layer of security to your web experience is to enable two-factor authentication when available. This will make your account more secure as not only does it require your password to login but it will then require a second form of authentication. There are many different forms of two-factor authentication as well as major sites that currently allow you to enable two factor authentication.
Two factor authentication keeps your account more secure as it requires an additional step after entering in your password. in many cases this equates to receiving a text message with a verification code after logging in. This requires you to not only know your password but also have your phone physically with you.
A second type of 2 factor authentication is having a code generator token with you. This can be a physical token or a code generating app on your phone. They use a unique code shared between the two devices to generate unique numbers required when logging in. These offer a great deal of security because they are harder to crack, but require you to carry a physical token or have an app on your phone. However, a physical token can be easily lost and an app will be lost if you need a new phone for any reason.
Another form of authentication is biometric authentication. Using your fingerprint, eye or facial recognition are ways to tell that it is actually you. These methods are currently used primarily in restricting physical access to locations but with the addition of facial recognition software and fingerprint reading hardware being added to phones it’s just a matter of time before this authentication method could reach more mainstream uses.
My preferred method for two-step authentication is also the one most popular for online websites. That is using text message authentication codes as a requirement for logging in from an unauthorized device. While it may seem like an inconvenience to have to wait for a text message when you want to log in to check your GMail, to me it lets me know that there is no way to log into my account, from an unauthorized machine, without my phone in hand.
Besides Heartbleed there is many other ways for people to become victimized. Social engineering attacks happen frequently and the best way to prevent them is to be as secure as possible. One recent example is of a man who lost a twitter account valued at $50k due to being blackmailed after having his GoDaddy account compromised and his domains held hostage. That is a very extreme example, but both GoDaddy and Paypal offer two factor authentication and had they been deployed on this person’s accounts it likely wouldn’t have ended the same way.
Many other scammers try and trick you into giving your login information to them through a form of phishing. Tricking you into thinking you are logging into the valid company website when in fact you are logging into a fake site they own. They go to great lengths to fool you and sometimes it’s very difficult to tell a fake email from a real one. I even have a blog, dedicated to spam, that occasionally highlights these type of spam mails and how to properly spot them. The best way to protect yourself is to just go directly to the company’s website through a bookmark or by typing/Googling the URL rather than clicking on a link in the email.
So keep your passwords secure, but keep your accounts even more secure with two factor authentication. Even if a screw up happens and lets your password out into the wild, you will still be protected. It’s amazing to me that this still isn’t offered on more sites, specifically financial institutions. Hopefully soon all websites that keep your sensitive information will be set up and allow you to configure some type of two factor authentication.