
Two Factor Authentication, What’s that?

Two-factor authentication (2FA), often lumped together with the broader term multi-factor authentication (MFA), has in the last few years become close to a requirement on most big platforms that handle your personal information.

In fact, Google keeps sending reminders to accounts that do not have this additional layer of security enabled.

Image source: Pixabay

OK. What is this thing? And why should I care to enable this?

Let’s take a step back.

How does an attacker get your login information?

The most common way hackers gain access to email and other online accounts is by targeting the user with a phishing attack.

Users who have not learned to spot a phishing link, scam or lure fall for these attacks very easily, and before you know it all your contacts are calling to ask why they are getting “these weird emails” from you.

No, they won’t always use your account to spam your contacts. It depends on the attacker’s motives; sometimes they will connect a third-party app to your account so that they keep access even after you change your password.

In May 2017 people fell for exactly this. A phishing email led to a genuine Google permission prompt, apparently from “Google Docs”, asking to read and send email. In reality “Google Docs” was just the name of a fake app the attacker had registered, and once you clicked Allow the attacker held a token to your inbox that survived a password change.

Google has since made some changes to prevent such attacks from repeating itself.

The Google Jigsaw team later released a Phishing Quiz to teach end users how to identify phishing URLs.

Why should I be so concerned if my gmail got hacked?

A fellow friend asked me this question.

I started to get upset with him for asking such a stupid question, but then I realized that not everyone really understands the potential harm a hacked Gmail account can cause.

I started explaining to him that it’s not about the emails he sends to friends, family or shops. These hackers are not here for data collection and do not get excited to see that you bought your winter boots at Macy’s. No. Once they have access to your email account, they can hit “forgot my password” on your bank, PayPal and credit card accounts, because the reset link lands in the inbox they now control. From there they can open fake websites in your name and reach practically ANY online account you have, and you can wake up to find your money and identity stolen, all of it while you were sleeping calmly.

True, you can start the process of fighting back: provide the banks with evidence that your account was compromised, and do the same everywhere else they damaged your identity.

Is it worth it? Is the time, pain, money and energy spent to undo all the damage worth it? Yes, it is worth spending those resources to get your name and money back. But it is absolutely not worth leaving your account without proper security in the first place.

How do I protect my account?

If any firm tells you it will secure your online data 100%, it is lying to you. Nobody on the internet is 100% secure, not the Pentagon and not the best InfoSec engineers.

So what are we doing?

Obviously step one is to set a strong password: not your mobile phone number, not Password1, not 4321, and not something chosen because it “will be easy to remember”.

Password managers like 1Password and LastPass are the way to go. They are easy to use, they generate a long random password that is unique to each site (so a password phished or leaked from one site cannot be reused against your others), and you only have to remember the single master password that unlocks the vault.

Source: Linus Tech Tips / Techquickie

Linked above is a short video that explains how these password managers work.

Note: We do not have any affiliation at the time of writing this with any password manager companies, nor with LTT or Techquickie.

Two Factor Authentication to the Rescue

Some people look at it as a pain in the butt. True, it is not convenient to go through an additional step to get into your mail account, which is why people tend to avoid it. But it is absolutely worth the “hassle”.

How does it work?

When you set up 2FA or MFA, the platform will offer several options for the secondary method.

In most cases these are an authenticator app (a code that changes every 30 seconds), a phone call, an SMS code, or a hardware security key. Some sites also offer “security questions” with secret answers; those are just another thing you know, like a password, so they are not really a second factor.

The methods are not all equally strong. SMS and phone-call codes are the weakest, since they can be hijacked by moving your phone number to an attacker’s SIM. Authenticator-app codes are better. Hardware security keys are the strongest, because the key only answers the real site and will not sign you in to a look-alike phishing page.

Once you have 2FA enabled, at your next login you will enter your password and then complete the secondary method you configured. If you fail the second step, you will not get into your account.

This is exactly the point of 2FA.

Imagine you accidentally clicked on a phishing link and entered your login credentials. Without 2FA the attacker can now log in as you. With 2FA enabled they can try the credentials they captured, but the password alone is not enough; they also need the one-time code that only your phone or security key can produce, thanks to the extra five minutes you spent enabling this crucial security tool. One caveat: a phishing page that relays your code to the real site in real time can beat SMS and app codes, which is why security keys are the strongest option.

Yes, if you fell for a phishing scam you still need to change your password, even with 2FA enabled. You don’t want the attacker to hold any password you use.

I will definitely come back to this topic more, but that’s it for now.

Stay safe.
