What is 2-step Verification and why should I care?
I’ve just enabled 2-step verification for my Apple ID. Why did I do this, and what does it all mean?
Update: Microsoft have just announced that 2-step verification will soon be coming to Microsoft Account services. This will include Windows, Windows Phone, Xbox, SkyDrive, and the online versions of Office and Outlook. The rollout will be happening over “the next couple of days”. Excellent news!
Your email, Facebook, Twitter, your bank, your favourite websites – they all have passwords. And, all these passwords are complex, hard to guess and different, right? (they should be!)
More and more of life is moving online these days, and the amount you can do online keeps growing. This is good for us, but it’s also good for the Bad Guys. If the Bad Guys can access your accounts, what they can do today is much greater than a few years ago. It used to be that if your account was “hacked”, your friends might get some lewd emails and it would all be very embarrassing. Today, you can expect loans to be taken out in your name, money transferred out of your account and your iPhone and iPad to stop working.
Is this likely? Well, probably not, in the grand scheme of things. There are lots of people in the world, and the chances of someone choosing you as their next victim are quite low.
But don’t tell that to anyone who’s been the victim of identity theft, or had their credit card details swiped. Just because it’s not likely doesn’t mean it won’t happen.
Do you have house insurance? Of course you do.
All things being equal, the likelihood of your house catching fire in 2012 was 0.165%. If that’s high enough for you to take out insurance, you need to read on.
Think about how all your accounts are chained together, to make things easy for you. Your Amazon account – the username is your email address, right? And the password reset email goes to… your email address. So, Bad Guy gets your email, he gets your Amazon account. Do you have 1-Click ordering turned on, or your credit cards stored with Amazon? That’s just going to be annoying – you’ll need to cancel the card, send the books back. But what if you have a Kindle?
Deregistering a Kindle will remove all the content and stop it working. It’s not a major pain, as your books will be stored on your Amazon account… as long as you can get it back and the account doesn’t get deleted.
LinkedIn and Twitter also use email password reset and things that happen here can affect your professional career, which is serious in a world where everything online is stored and available for future employers to search. Facebook? Well that would just be embarrassing really…unless of course you’re set up for in-Facebook purchases…
The Weak Link
Onto Apple. To reset your password with Apple’s tech support you need to provide the last 4 digits of your card number. Apple obviously reckon this is secure: a validation of you as a person.
Amazon consider it throwaway, non-sensitive information. Log into your Amazon account now, and choose Manage Your Payment Methods. Hmm.
So, what’s the big deal with having your Apple account hacked? Well, apart from the app and iTunes purchases (which you’ll probably be able to claim back), there’s this:
Obviously this works for iPads as well: a big deal for anyone with photos of their children, pets or other precious items.
There’s an even scarier prospect too, if you consider that anyone with access to your email and Amazon account definitely knows your home address, and just needs a way to know whether you own an iPad worth stealing, and when you’re not home:
This isn’t just theory, by the way: it has happened.
2 Steps to Safety
So, what’s the answer? There’s no completely safe method, no silver bullet, but 2-step verification is a big step forward.
2-step works like this:
- You log in as normal, with username and password
- Before the login completes, a unique code is sent somewhere only you would have access to, such as a text message to your phone
- You type the code in and the login completes.
It’s a very similar method to the RSA tokens used by larger organisations, where part of the password is a code that changes every 30 seconds or so, generated from a secret seed and the current time by a small token the user keeps on a keyring:
Typically, once you’ve entered the code, the computer will remember you for 30 days or so, meaning that you won’t have to enter a new code every time you use that device.
This is a huge step forward: it means that the Bad Guys not only need your username and password, they also need to have hold of one of your devices, which is much less likely. You’re also moving yourself further up the Tree of Low Hanging Fruit – you’re now just too much work to try and hack, and there’ll be plenty of other suckers who haven’t turned it on.
Turn it on
2-step is now being offered by several of the larger sites, and I’m sure more will come on-board soon. Here are the ones I know about:
Google – a must do: Go to your settings and complete the section titled 2-Step Verification
Facebook: Go to your settings and complete the section titled Login Approvals
Apple: Go to My Apple ID and select Password and Security. Apple have a waiting period of 3-5 days between requesting 2-step and enabling it, to give them time to notify all your devices and your email address (in case it wasn’t you who requested it)
Twitter: 2-step verification is coming soon, following a recent attack on the service
Microsoft: coming soon
There are some other places that use it, such as Dropbox and WordPress and if you use these, you should definitely consider it. And if your email provider doesn’t offer it, demand they do, before it’s too late.