We all know this nightmare scenario: the news reports that a large cloud provider has once again fallen victim to a hacker attack. Millions of credentials have been stolen and are no longer secure. In the worst case, access to the account is locked, and you cannot get in yourself.
Passwords alone are not safe
But if you double up, you will be spared such a fate. We'll show you how to do this with 2-factor authentication.
The need to secure your accounts further only becomes clear when you consider what hackers can do with today's technology.
Brute-force attacks, dictionary attacks, database attacks or a combination of all three are the cybercriminals' tools of the trade. Brute force, the systematic trying of millions of character combinations, is defeated by increasing the complexity of the password: as soon as you include numbers, special characters and/or punctuation marks, the number of attempts needed to crack it grows exponentially.
Dictionary attacks can be thwarted simply by not using whole words. Cracking tools combine words as easily as if they were single letters, so even long passwords made up of several words offer no protection.
Rarer, but all the more dangerous, are cracking approaches that use databases. These smart tools recognize words even when their components have been replaced by numbers or special characters, e.g. "P4$$w0r+". The databases also contain stolen passwords and password fragments. In an Ars Technica field trial, three crackers managed to crack difficult passwords such as "Apr!l221973", "Sh1a-labe0uf" or "Philippians4:6-7" within a few hours.
You should prepare yourself for such a case. Not only if you become the victim of a cyberattack: often enough you simply don't use an online account for a long time and forget the credentials.
More and more websites have recognized this and implemented 2-factor authentication (2FA). Anyone who wants to log in from an unknown location or an unknown device must therefore identify themselves in two ways: on the one hand with the correct credentials, and on the other hand with a second method tied to something the user possesses.
Typically, you link your own mobile number to the account. For authentication, a temporary code is then sent to that number, and only with it is the login possible. The TAN procedures used in online banking are based on the same principle. 2FA is usually easy to find in the account settings of each online service. In Google, for example, click your profile image in the upper-right corner of the web page, then click My Account and Sign-in & security. In the left-hand pane, navigate to Signing in to Google. Once there, click 2-Step Verification and follow the instructions to set up your mobile number.
Most services handle this in a similar way. Unfortunately, the term "two-factor authentication" is not yet widely established, so you will come across various names for it.
However, the biggest vulnerability of 2FA remains phishing websites.
To be protected in this case, you can get a USB dongle for your most important services; as local hardware, it is safe against such attacks. This procedure is backed by the FIDO Alliance, a group of organizations (Google, Microsoft, PayPal, Samsung, Mastercard, Visa, etc.) that have agreed on a security standard. To benefit from it, get a USB dongle that supports the standard, such as the Security Key from Plug-up International, available for about 5 euros at Amazon. To log in, first enter your credentials, plug in the USB stick, press the button on the stick, and you are logged in.
Alternatively, 2FA is also available via a so-called authenticator app. The principle of 2FA stays the same, but with the app you generate the login codes in the app itself instead of receiving them from the site (which could be a phishing site). However, only a few services offer this option so far, e.g. via Google Authenticator.
The added security comes from combining several procedures: two factors together are safer than either one alone. So if someone steals your credentials, the entire online account is not lost immediately. Instead, you have time to change the password and take further action. If someone tries to log in with stolen data, this login attempt is of course reported to you on your mobile phone. So you learn at an early stage that someone is tampering with the account, and can even trace the location of the attempt. To do this, make sure that login notifications are enabled for each service.
The few disadvantages are matters of convenience: to always have access to your accounts, you must always have your mobile phone at hand and charged. It is even more tedious when you have to reach for the USB dongle or the authenticator app every time.
If you are using a new computer or have installed a new browser, it may take some time before the "new location" is recognized and you are no longer prompted for authorization. It is even more annoying when you buy a new phone and cannot keep the old number. It is therefore advisable to keep a list of all services secured with 2FA and update them early with the new mobile number.
These inconveniences are more than outweighed by the much greater security of your accounts.
Probably the most common concern about 2FA is the theft or loss of the mobile phone or authentication device. This case is rarely a problem, since you have already verified yourself in at least one trusted browser at a fixed location (your home). From there, you can easily remove the lost mobile number and add a new one.
If for some reason this is not possible, you usually have two options:
1. Many services provide one-time backup codes that you can request and store securely to log in in an emergency. These codes remain valid until they are used and work independently of the mobile phone. You are also notified when one of these codes is used.
In Google, for example, you can request these codes under My Account, Signing in to Google, 2-Step Verification. There, retrieve them in the backup codes section and save them in a text file or print them.
Not every service offers this feature yet, so check whether it is available for your service. Searching for "backup codes" together with the name of the service should turn them up.
2. The second way to protect yourself is a redundant mobile number. If you have a second mobile phone that can receive SMS, you can enter it as a backup in case the first one is lost or stolen.
In our Google example, navigate back to 2-Step Verification and simply click Add phone number in the backup numbers section. The second mobile phone can simply be kept at home and used as an effective fallback authentication device.
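To show what the backup codes from option 1 look like on the service's side, here is an added Python example (not code from the article or from any particular service): codes are generated at random, only salted hashes are stored, each code is accepted exactly once, and every redemption is recorded so the user can be notified. The alphabet, code length and KDF rounds are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List

# Alphabet without look-alike characters, so printed codes are easy to read back.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 10          # 31**10 is roughly 2**49.5 possibilities per code
KDF_ROUNDS = 20_000    # slows offline guessing if the hash store ever leaks


def normalize(code: str) -> str:
    """Users type codes with spaces, dashes or capitals; canonicalise before hashing."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def generate_backup_codes(count: int = 10) -> List[str]:
    """Cryptographically random one-time codes, shown to the user exactly once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(count)]


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, KDF_ROUNDS)


class BackupCodeStore:
    """Server-side record: only salt/hash pairs are kept; each code can be redeemed once."""

    def __init__(self, codes: List[str]):
        self._entries: Dict[bytes, bytes] = {}   # per-code salt -> PBKDF2 hash
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries[salt] = _hash(code, salt)
        self.redemptions: List[str] = []         # what a notification hook would send

    def remaining(self) -> int:
        return len(self._entries)

    def redeem(self, candidate: str) -> bool:
        """Consume a code: check every remaining entry in constant time, remove on match."""
        matched = None
        for salt, digest in self._entries.items():
            if hmac.compare_digest(_hash(candidate, salt), digest):
                matched = salt
        if matched is None:
            return False
        del self._entries[matched]
        self.redemptions.append(f"backup code used; {len(self._entries)} left")
        return True
```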
However, you do not always want to use your private mobile number for such purposes, especially if you do not fully trust the provider. Instead, Ringring offers a "virtual" phone number that allows you to receive text messages free of charge.
To do so, register with your e-mail address at www.ringring.net. You will be assigned a new, random telephone number with a Berlin or Vienna area code, which you can then use to secure your accounts. However, make sure to exclude your profile from search results in the privacy settings.