"Who would want to read my email?" I can hear some of you saying. The answer is that they don't want to read it; they want to mine it for financial or personal information they can sell, or use it to solicit money from your friends and family.
The scam works like this: The bad guys hack your password and send an email to all your contacts claiming to be you and begging them to wire funds because you are stranded.
Sounds silly, right? If it didn't work they wouldn't do it. Even if only 1% of the people take the bait it can be significant, and the level of effort to get the money is extremely low.
A username and password aren't enough these days; you need something more. So how can you protect yourself? The answer is 2-factor authentication.
2-factor authentication (2FA) requires you to provide something you know (your username and password) and something you have (a token code) in order to log in. Using this method means that even if the bad guys guess your username and password they still can't log in, because they lack your token.
Many companies these days use some form of 2-factor authentication to protect themselves and their employees; why should you deserve any less?
Where can I use it?
A growing number of consumer services offer free 2FA, including Google, Facebook, Twitter, and Microsoft.
Once you have the app set up and your account configured, any time a login request is made from a device it will prompt you to provide the token code in addition to your username and password.
Alternatively, if you don't have a smartphone or use an older BlackBerry, you can have Google text you a code instead of using their app.
"Oh come on, I don't want to have to do that every time I check Facebook."
I agree, which is why all these services will let you set your personal devices to not require the token. Now when you go to Gmail it just lets you in as usual, but any attempt to access your account from a new device (or a bad guy halfway around the world) will be stopped by the token requirement. Basically you've added an extra security layer that blocks unauthorized access without really inconveniencing yourself.
What I like about the Google Authenticator app is that it can be used for more than just your Gmail account; Facebook and other services have the ability to use it as well. I can use one app to protect multiple accounts.
Microsoft takes a similar approach. As with Google, you can flag your personal devices to not require the second level of authentication while still requiring it for all other devices.
OK, how do I do it?
For Google you just follow these steps:
- Go to the 2-Step Verification page. You might have to sign in to your Google Account.
- In the "2-Step Verification" box on the right, select Start setup.
- Follow the step-by-step setup process.
Once you're finished, you'll be taken to the 2-Step Verification settings page. Review your settings and add backup phone numbers. The next time you sign in, you'll receive a text message with a verification code. You also have the option of using a Security Key for 2-Step Verification.
Note: To ensure that you can access your account in the future, add an email recovery option as well.
Really advanced security can require plugging in a specific USB key or verifying your identity by fingerprint.
I don't recommend the USB or biometric (fingerprint) approach; it may be overkill for your personal use, but I strongly suggest that everyone use 2FA to protect themselves. It's minimal effort to set up and can really help.
The bad guys are counting on people being too uninformed or lazy to bother. Readers of this blog don't have to fall into either category.
-The Home Geek