By Joe Callison
2 February, 2017
Most of us rely on passwords for secure access to accounts on various web sites. Besides the possibility that weak passwords can eventually be broken, there are more and more elaborate phishing schemes that trick you into entering your password in a fake login screen that looks legitimate but is there to steal it. Many major companies are now joining an alliance to support a standard 2-factor authentication process that is easy and economical and greatly improves login security.
2-factor authentication has been around for a long time in various forms. It consists of two methods for access, one of which is usually a password. Years ago, the second method was typically either a “dongle” containing a digital key that you plugged into a serial port, or a code sent to a pager that you then entered. With the growing use of cell phones with text capability, it has become common to implement 2-factor authentication by sending a code to your phone, which you enter to complete the login. This can be a problem if you cannot get a cellular signal, and it is not secure from “man in the middle” attacks, in which someone monitors the signal from your phone to get the code and then logs in using a stolen password. This is an actual risk in areas where people use public Wi-Fi access.
A new, more secure 2-factor authentication method has been developed as a joint effort between Google and Yubico, with support from NXP. It is being promoted as a free and open standard under a consortium known as the FIDO Alliance. Many major companies support the standard or plan to. Google, PayPal, Facebook, Dropbox, Salesforce and others currently support it, and recently Microsoft Edge and Mozilla Firefox added plug-in support for it.
Yubico and other companies produce inexpensive physical keys that serve as the second factor in lieu of a cell phone. They come in several forms, depending on the technologies employed, including USB, Bluetooth, Near Field Communication (NFC), and various biometric methods. The simplest and lowest-cost implementation is a USB device with a button that, when pressed, generates an encrypted code that is registered with the web site as the identity for the second authentication method. As long as you are in possession of the USB device, you have an easy-to-use and secure method for access to your accounts. For access to 2-factor secured accounts from a smartphone without USB, you would need a device that includes Bluetooth or NFC to communicate the code to your phone. Note, however, that even though Apple iPhones use NFC, they do not currently support using it with devices from third-party suppliers.
Even though the devices are advertised as being very durable, able to go through the laundry or be run over by a car without damage, they could still be destroyed, lost or stolen. It might be wise to purchase two of them, register both to your accounts, and keep one stored away in a secure place as your backup.
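
The contrast drawn above between a texted code and a physical key, as an added illustration that is not from the original article, the FIDO Alliance or Yubico: a toy model in which the key's answer covers both the site's fresh challenge and the address of the site the browser is actually on, so a fake login screen gets nothing it can reuse. It assumes constructed site addresses and replaces the key's real public-key signature with an HMAC over a shared secret; `ToyKey`, `Site`, `tag` and `run_scenarios` are hypothetical names.

```python
import hashlib, hmac, secrets

def tag(secret, origin, challenge):
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

class ToyKey:
    """Stand-in for a USB security key holding one secret per registered site."""
    def __init__(self):
        self._secrets = {}
    def register(self, origin):
        # A real key gives the site a public key; this toy shares an HMAC secret.
        self._secrets[origin] = secrets.token_bytes(32)
        return self._secrets[origin]
    def respond(self, origin, challenge):
        # The browser supplies the origin actually being visited; the user cannot.
        secret = self._secrets.get(origin)
        return tag(secret, origin, challenge) if secret else None

class Site:
    def __init__(self, origin):
        self.origin, self.key_secret, self.challenge, self.sms_code = origin, None, None, None
    def new_challenge(self):
        self.challenge = secrets.token_bytes(16)
        return self.challenge
    def verify_key(self, response):
        challenge, self.challenge = self.challenge, None  # each challenge is single use
        return bool(response and challenge) and hmac.compare_digest(
            tag(self.key_secret, self.origin, challenge), response)
    def send_sms_code(self):
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        return self.sms_code
    def verify_sms(self, code):
        expected, self.sms_code = self.sms_code, None  # each code is single use
        return expected is not None and hmac.compare_digest(expected, code)

def run_scenarios(real="https://bank.example", lookalike="https://bank-login.test"):
    site, key = Site(real), ToyKey()
    site.key_secret = key.register(real)
    results = {}
    # 1. On the real site (constructed address) the key answers the site's challenge.
    results["key_on_real_site"] = site.verify_key(key.respond(real, site.new_challenge()))
    # 2. On the look-alike page (constructed address) the key has nothing registered.
    results["key_on_lookalike"] = site.verify_key(key.respond(lookalike, site.new_challenge()))
    # 3. Even if the key were enrolled with the look-alike, the secret and origin differ.
    key.register(lookalike)
    results["key_enrolled_on_lookalike"] = site.verify_key(key.respond(lookalike, site.new_challenge()))
    # 4. A texted code typed into the look-alike page is accepted from whoever submits it.
    results["sms_code_via_lookalike"] = site.verify_sms(site.send_sms_code())
    return results
```

Only the first and last scenarios succeed: the texted code is a value anyone can pass along, while the key's answer is useless outside the site it was registered with.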
For a comparison of the Yubico devices and links to further information, see the following: