Another day, another online service adds two-factor authentication to its list of features. This time it was Evernote, the cloud-based note-taking service that hackers managed to compromise and use as a command and control server on two separate occasions in March.
So in vogue is two-factor authentication that while I was writing this very report, which was supposed to be about Evernote, LinkedIn implemented its own two-factor authentication, and now I’m covering that as well.
Unfortunately, two-factor authentication is sort of old news at this point. Gmail implemented its two-factor feature in September of 2010. We were writing articles about two-factor at Threatpost almost four years ago, when security experts heralded the concept of multi-step logins. You should still use two-factor to protect sensitive accounts when you can, but it is more widely seen as another roadblock for hackers than as a panacea for account takeover.
It seems, though, that Apple’s and Twitter’s wildly belated decisions to implement their own two-step login features may have been the catalysts driving this second wave of two-factor newcomers. This is a good thing. There is very little reason not to offer the two-factor option.
Evernote’s plan stands out because they’re rolling the feature out in waves, first to paying premium customers, then to everyone else. Beyond that, LinkedIn and Evernote’s two-factor systems are nearly identical to those implemented by your bank or Google almost three years ago: if enabled, users are required to enter a second verification code (in addition to their login-password combo) when they log in. For the most part, these systems rely on sending the codes via SMS or mobile code generator applications like Google Authenticator or the code generator built into the Facebook mobile app.
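The code-generator apps mentioned above (Google Authenticator and the generator in the Facebook app) implement TOTP, the time-based one-time password scheme of RFC 6238, which is HOTP (RFC 4226) with the counter set to the current 30-second time-step. The following is an added example, not code from the article or from any of the services it names, showing both the generator side and the server-side verification a service would perform when it accepts the second code; it uses the public RFC 4226/6238 test secret, and the skew window, replay check and Base32 helper are design choices assumed here rather than anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). A real
# deployment generates a random per-user secret and stores it protected.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # time-step used by Google Authenticator and most TOTP apps


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time-step index."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret an authenticator app imports from an otpauth:// URI or QR code.
    Padding is restored because many provisioning URIs omit it."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_accepted_step: int,
                window: int = 1, digits: int = 6, step: int = STEP_SECONDS):
    """Server-side check (assumed policy). Returns the accepted step index, or None.

    - tolerates clock skew by also accepting the adjacent time-steps (window)
    - refuses any step at or below the last accepted one, so a code that was
      intercepted or phished cannot be replayed once the user has spent it
    - compares in constant time so timing does not leak partial matches
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_accepted_step:
            continue  # already used (or older): treat as replay
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo: what the app shows right now, and a server accepting it once.
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code)
    first = verify_totp(RFC_TEST_SECRET, code, now, last_accepted_step=0)
    print("first login accepted at step:", first)
    print("replay of same code:", verify_totp(RFC_TEST_SECRET, code, now, last_accepted_step=first))
```

The server must persist the returned step index per user and pass it back as `last_accepted_step` on the next attempt; without that, a code phished or sniffed within its 30-second lifetime can be submitted a second time. The window of one step either side is the usual trade-off between tolerating phone clock drift and widening the set of codes an attacker could guess; rate-limiting attempts is still required.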
Unfortunately, hackers have been circumventing SMS PINs for some time, most notably in man-in-the-middle attacks on mobile devices.
Two-factor is the best you can do right now with a lot of your popular online services, but there is a serious race to replace passwords going on right now, and it involves everybody from Google to the United States Department of Defense. It’s only a matter of time before we are all getting authenticator tattoos or eating pills in order to sign into our email accounts.
In the meantime, you should go ahead and implement that two-factor authentication for any online account that you don’t want compromised. Between the two-factor and your strong passwords, you can pretty safely assume that you won’t be the slowest gazelle on the savannah, which is a solid deterrent to the cybercriminals that prefer to prey on the lowest common denominator.