Hari Om Prakash is working as a scientist at Systems Engineering Group, ADRIN, Department of Space
In the first part of this article, last month, we learnt what two-factor authentication (TFA) is and its three types. Now, let us see how we can activate TFA for various websites and applications.
As secure as TFA is, it unfortunately cannot yet be used everywhere on the web. However, many of the most popular websites have implemented it recently, especially banking-sector websites, Gmail, Facebook, Twitter, Dropbox, Microsoft products like Xbox Live and OneDrive, Yahoo! Mail, Amazon Web Services, WordPress, DreamHost, LastPass and many more.
In March 2013, Apple offered a consumer-oriented two-step authentication service to help customers secure their Apple IDs against hacking. The feature blocks unauthorised changes to iCloud or iTunes accounts, and prevents anyone who has stolen an Apple ID from purchasing digital content or hardware with the credit card details stored in the customer’s iTunes and Apple Store accounts. Apple’s web services do not distribute tokens; instead, they send pass codes (typically as SMSes) to users’ registered mobile phone numbers. Optionally, the pass code can be delivered to an iOS device (iPhone or iPad) as a notification through the Find My iPhone app. Fig. 10, a screenshot from Apple’s TFA tutorial, shows how to enable TFA for an Apple account (Apple now offers optional TFA to lock down iTunes, iCloud and Apple Store accounts).
Most users have a lot of data stored in their Google accounts, such as Gmail and Google Drive, and they would naturally want to secure it by turning on TFA. Figs 11.1 through 11.3 show how to activate TFA for Google accounts.
In May 2013, Twitter introduced TFA to protect user accounts with a more sophisticated login system: a login-verification feature in which the user has to enter a six-digit pass code in addition to the standard password. This pass code is the second level, used after the user has successfully entered the user name and password at the first level. To confirm that it is the same user who entered the first-level credentials, Twitter sends the six-digit pass code via SMS to the user’s mobile phone. The feature is activated from the Account Settings page by checking the box Require A Verification Code When I Sign-Up; the user then enters his or her mobile phone number to use TFA (Figs 12.1 and 12.2).
TFA for Facebook can be activated under Settings to protect an account (Fig. 13). Once TFA is active, Facebook sends a one-time pass code to the user’s mobile phone at login. By entering the pass code, the user proves that it is really he or she who is trying to log in.
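The Twitter and Facebook flows above both end the same way: the site sends a short one-time pass code and then has to check what the user types back. As an added illustration (not code from Twitter or Facebook, whose server sides are not public), here is how the verifying side of such an SMS pass-code flow is typically built. The six-digit length comes from the article; the five-minute lifetime and the three-attempt limit are assumed values chosen for the example.

```python
"""Server-side handling of an SMS one-time pass code (added example).
Only a salted hash of the code is stored, the code expires, a wrong guess
costs an attempt, and a correct code can be used exactly once."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # six-digit code, as described in the article
CODE_LIFETIME_S = 300    # assumption: the code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: lock the challenge after three wrong guesses


class PassCodeChallenge:
    """One pending second-level challenge for a user who has already passed
    the first level (user name and password)."""

    def __init__(self, now=None):
        now = time.time() if now is None else now
        # randbelow gives an unbiased pick over all 10**CODE_DIGITS values
        code = secrets.randbelow(10 ** CODE_DIGITS)
        self.code_to_send = f"{code:0{CODE_DIGITS}d}"   # handed to the SMS gateway
        self.salt = secrets.token_bytes(16)
        self.code_hash = self._hash(self.code_to_send)   # the plain code is not kept
        self.expires_at = now + CODE_LIFETIME_S
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def verify(self, submitted, now=None):
        """True once, for the right code, inside its lifetime.  Every guess,
        right or wrong, consumes an attempt, so a six-digit space cannot be
        walked through by an attacker who captured the session."""
        now = time.time() if now is None else now
        if self.used or self.attempts_left <= 0 or now > self.expires_at:
            return False
        self.attempts_left -= 1
        # constant-time comparison: no timing hint about matching digits
        ok = hmac.compare_digest(self._hash(submitted), self.code_hash)
        if ok:
            self.used = True
        return ok


if __name__ == "__main__":
    challenge = PassCodeChallenge()
    print("SMS would carry:", challenge.code_to_send)
    print("wrong guess accepted?", challenge.verify("000000"))
    print("right code accepted?", challenge.verify(challenge.code_to_send))
    print("replay accepted?", challenge.verify(challenge.code_to_send))
```

The `now` parameter exists only so the expiry can be exercised deterministically; in production the default wall clock is used, and the challenge object lives in the session store keyed to the half-authenticated login.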
Microsoft has already added the option of TFA across many of its online services, such as Windows 8/RT, Outlook, Skype, OneDrive, Windows Phone and Xbox 360/Xbox LIVE. A user can enable this feature at https://account.live.com/proofs/Manage. With this service in place, Microsoft stops millions of fraud attempts every day.
Fig. 14.1 shows how to activate TFA for Microsoft accounts.
TFA can present itself in two ways: as a security code or as an app password. If you have enabled TFA, then after logging in with your Microsoft account credentials (user name and password) you might be prompted for a security code or an app password. A security code is needed when you use a trusted PC to sign in to Windows 8 with a Microsoft account. Microsoft sends an SMS containing the pass code to your mobile phone (Fig. 14.2), and you enter that pass code on the website or in Windows.
An app password is needed for apps or devices that do not work with the security-code system. For example, with Microsoft Outlook 2013 (Fig. 14.3), if you had previously configured Outlook for Hotmail or Outlook.com and then turned on TFA for the underlying Microsoft account, the next time you use the application you will be prompted to enter your credentials again, and you will need an app password because your normal password will no longer work.
You can get an app password in the security info section (https://account.live.com/proofs/Manage) of the Microsoft account management website (https://account.live.com/), as shown in Fig. 14.4. Just click Create A New App Password under App Password; you will be given an app password that you can type (or copy and paste) into the application.
Microsoft provides a mobile app called Authenticator that can generate these codes even when there is no network coverage (offline mode).
In the Authenticator app on a Windows Phone, click Add (+) App to add your account, then click Scan. The app scans the QR code shown at step 3 in Fig. 14.5. Now click Pair to complete the process. The app generates a new pass code automatically every 30 seconds. If you ever need a code to sign in to your Microsoft account while the phone is offline, this app can supply it.
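What makes the offline mode possible is that the QR code carries a shared secret, and both the phone and Microsoft’s servers derive the same 30-second code from that secret and the current time. The Google Authenticator app used with Amazon and WordPress later in this article works the same way. The following is an added example, not Microsoft’s or Google’s code: it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) in Python and shows the server-side check. The `otpauth://` URI is the de facto provisioning format these apps scan; the one below is constructed for illustration, its label and issuer are placeholders, and its secret is the RFC 6238 test seed, not any real account’s.

```python
"""TOTP as generated by an authenticator app and verified by a site (added example)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed QR payload. Secret is the RFC 6238 test seed "12345678901234567890"
# in base32; "ExampleService" and the account name are placeholders.
EXAMPLE_QR_PAYLOAD = (
    "otpauth://totp/ExampleService:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService"
    "&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp/ URI,
    i.e. what the app stores after the Scan step."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper()
    # Secrets in these URIs are normally unpadded base32; restore the padding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(secret_b32)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return secret, digits, period


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 31 bits and reduces them to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238: HOTP with the counter set to the number of elapsed 30-second
    steps.  Phone and server compute this independently from the shared
    secret and their clocks, so no network is needed on the phone."""
    return hotp(secret, int(unix_time) // period, digits)


def verify_totp(secret, submitted, unix_time, digits=6, period=30, skew=1):
    """Server side: accept the current step and `skew` neighbouring steps to
    tolerate phone clock drift, comparing each candidate in constant time."""
    step = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits), submitted)
        for d in range(-skew, skew + 1)
    )


def code_from_qr(payload, unix_time):
    """The six digits the app would display at `unix_time` after scanning."""
    secret, digits, period = parse_otpauth_uri(payload)
    return totp(secret, unix_time, digits, period)


if __name__ == "__main__":
    import time
    secret, _, _ = parse_otpauth_uri(EXAMPLE_QR_PAYLOAD)
    now = time.time()
    shown = code_from_qr(EXAMPLE_QR_PAYLOAD, now)
    print("app shows:", shown, "| server accepts:", verify_totp(secret, shown, now))
```

Because the secret never leaves the phone after the Pair step and the codes are derived from time, a code captured once is useless 30 seconds later; the `skew` window on the server is the usual trade-off between tolerating a slow phone clock and widening the acceptance window.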
Dropbox is a popular service for storing data and sharing it across the Internet. An extra layer of security can be activated in the Dropbox security settings, where the user registers his or her mobile phone number to do so (Fig. 15).
Most popular mail websites, such as Yahoo! and Gmail, have already integrated TFA for access to user accounts and mailboxes. You can enable TFA in Yahoo! Mail simply by selecting Check This Box To Turn-On The Second Sign-In Verification, as shown in Fig. 16. Once this is done, register your mobile phone number to receive pass codes from Yahoo! during the login process.
Amazon web services
If you use Amazon’s web services, such as Amazon S3 or Glacier storage, you can protect your account by enabling TFA with Google’s Authenticator app for Android, iOS, Windows Phone and BlackBerry (Fig. 17). Install the app on your mobile to access Amazon services securely.
If you are a blogger and do not want anyone gaining unauthorised access to your account, WordPress provides an extra layer of security. It, too, supports the Google Authenticator app for Android, iOS, Windows Phone and BlackBerry. The feature is activated in the WordPress account settings, as shown in Figs 18.1 and 18.2.
In the concluding part of this article, next month, we will see how much TFA costs, with an exhaustive list of the various tokens/services available.
To be concluded next month