09 August 20, 10:23
Staying secure is a journey with multiple steps
What is MFA (and why should you care)?
In a nutshell, multi-factor authentication (MFA) means using something else besides your password to gain access to your account. There are many ways to do this – some, such as texting a one-time PIN to your phone, are less secure than others, such as using a $25 Google Titan security key or the free Authy/Twilio smartphone app. The idea is that if your password is compromised (for example, a reused one that has already been leaked in another breach), your account is still secure because the attacker also needs this additional secret to gain access.
Is MFA slightly inconvenient and does it require some additional effort to log in? Typically, yes. However, when weighing this inconvenience against the consequences of having your identity or funds stolen because of poor security hygiene, it becomes clear what’s at stake.
Twitter was recently hacked, and it appeared to be a social engineering ploy on one of its employees. The hackers were able to reset account passwords through their administrative tools, regardless of whether MFA was enabled or not.
After hearing the news, I realized that I still have SMS enabled on Twitter and also on PayPal. It’s important to note that this method is less secure than others. With that in mind, allow me to give you instructions on adding the best kind of MFA to your accounts.
Setting up MFA methods on Twitter
For Twitter, go to Settings and Privacy, click on Security, then click on Two-factor authentication. You should see the screen below, where you can select up to three different methods to use to protect your account.
Text messages, which, as I mentioned, are the least secure method. This is because hackers have figured out a variety of ways to neutralize the PIN transmitted in this fashion. If you are intimidated by the other methods mentioned below, then yes, SMS is better than nothing. But if you can push onwards and implement one of the other methods, you will be better protected.
Authentication app, which uses a free app on your smartphone from Authy (Google, Microsoft and many other vendors also offer one) that generates the one-time PIN. You bring up the app, you look for the particular website you want to access, and you copy the typically six-digit PIN from your phone to the login page. The PIN changes every 30 seconds, so the only issue is to make sure it hasn’t changed between the time you saw it listed and the time you needed to successfully log in. If you don’t have a smartphone then you obviously can’t use this method. But otherwise it is a relatively simple process – you are prompted to re-enter your Twitter password, then you scan a QR code with your phone to link the authentication app with your Twitter account, then enter the PIN displayed on the app back on your computer at the appropriate login prompt to verify the connection.
...