Security seems to be THE hot topic in the world of IT nowadays, and not without good reason. So much of our life is kept online or on a computer. Bank accounts, credit cards, social media, work accounts, shopping lists, gaming profiles for multiplayer games such as those on a Minecraft server list – if you can name it, it is probably on a computer somewhere. As we entrust more and more of our personal information to technology, the importance (and difficulty) of keeping that information safe is ever increasing. No doubt many of us are familiar with some of the more widespread advances in IT security – a prominent one being the increasingly popular two-factor authentication, which you will find many banking apps, such as SoFi and others, using to further enhance your banking security when online.
For those unfamiliar with two-factor authentication, it refers to double-gating security using two of the three categories of authentication. These authentication factors are most easily described as “what you know” (knowledge factor), “what you have” (possession factor), and “what you are” (inherence factor). A common example of a knowledge factor is the standard password. A password is merely information you have memorized. One example of a possession factor is sending a code to your cell phone. Your unique cell phone is a physical object that no one else should have easy access to, so a code sent to your phone would be heavily protected, and only accessible to the legitimate account owner. The inherence factor almost exclusively refers to biometrics, whether that be fingerprint readers, retina scanners, or DNA scanning.
Two-factor authentication can be tricky to implement, especially on a large scale. Biometrics can be difficult and/or costly to deploy, so practicality mandates that widespread two-factor authentication rely on the “what you know” and the “what you have” factors. Everyone is familiar with the idea of the password, but such information is vulnerable to attacks, whether that be brute force, a phishing scheme, or some sort of social engineering. The possession factor is the one that holds the most promise for increasing security at a reasonable cost. The most popular method to date is sending a passcode to your phone. This method is certainly a huge boost in security over the traditional password, but it is not as infallible as once thought.
Take a common vishing scheme for example. The scammer calls and says he has found fraudulent charges on your checking account. He needs your account name and password to fix the issue. Even if you give him your name and password, you luckily just had two-factor authentication enabled, so the scammer is stopped by the need for a unique passcode sent only to your phone. Unfortunately, all the scammer needs to do is ask for that extra passcode, and he has cracked the two-factor authentication. If you provide him with both your login credentials and the passcode, you’ve handed over the keys to your account – so there is still some responsibility required on your part.
To rectify this, a new form of possession factor security is starting to hit the market. It is a physical key with its own unique signature tied to your accounts. Software that has integrated “universal two-factor authentication” can now recognize this physical key through a USB port instead of simply using a code sent to your phone. With reliance on a hardware key, the scammer cannot access your account no matter how many passwords you give him, because he cannot gain access to your physical key unless he is there in the room with you at the time and you hand it to him, which isn’t very likely to happen.
While some keys such as YubiKey and Feitian are already on the market, Google is getting ready to release their own version. Price projections are currently around $20-25, depending on where you purchase it. We believe that this technology is worth looking into, especially as more online services begin supporting this secondary method of authentication.
These instructions tell you how to set up a USB security key to work with Google on your computer and other devices: https://support.google.com/accounts/answer/6103523?hl=en&co=GENIE.Platform%3DDesktop&oco=0
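The difference between the two possession factors, as an added sketch that is not from the original post: a texted code works for whoever types it, while a key's response only fits the login it was computed for. It goes one step past the text by modelling the key as answering a fresh challenge per login; the class and function names are hypothetical, and HMAC with a secret shared at enrollment stands in for the public-key signature a real key produces.

```python
import hashlib
import hmac
import secrets

class HardwareKey:
    """Stand-in for a USB security key; the secret stays inside this object."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)
    def enroll(self):
        # Simplification (assumption): a real key hands the server a public key.
        return self._secret
    def sign(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, enrolled_secret):
        self._enrolled = enrolled_secret
        self._pending = {}  # session id -> value expected from that session
    def start_sms_login(self, session):
        self._pending[session] = f"{secrets.randbelow(10**6):06d}"
        return self._pending[session]  # texted to the owner's phone
    def start_key_login(self, session):
        self._pending[session] = secrets.token_bytes(32)
        return self._pending[session]  # challenge for this session only
    def finish_sms_login(self, session, code):
        expected = self._pending.pop(session, None)
        return isinstance(expected, str) and hmac.compare_digest(expected, code)
    def finish_key_login(self, session, response):
        challenge = self._pending.pop(session, None)
        if not isinstance(challenge, bytes):
            return False
        good = hmac.new(self._enrolled, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(good, response)

def vishing_scenario():
    key = HardwareKey()
    server = Server(key.enroll())
    # SMS: the caller's login triggers the text and the owner reads it out.
    spoken_code = server.start_sms_login("caller")
    sms_relayed = server.finish_sms_login("caller", spoken_code)
    # Key: the owner logs in normally with the key plugged in.
    owner_response = key.sign(server.start_key_login("owner"))
    owner_ok = server.finish_key_login("owner", owner_response)
    # The caller has no key; an old response does not fit a fresh challenge.
    server.start_key_login("caller")
    replayed = server.finish_key_login("caller", owner_response)
    return {"sms_relayed": sms_relayed, "owner_with_key": owner_ok,
            "replayed_response": replayed}
```

The server accepts the spoken SMS code from the caller's session but rejects the replayed key response, because the key never produced an answer to the caller's challenge.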
As always, let’s be safe out there!
-The PJ Networks team
PS – If you like our posts, please share them with your friends and family!