Two-factor authentication is in the spotlight again after the Twitter accounts for three CBS brands -- 60 Minutes, 48 Hours and a Denver news affiliate -- were hijacked and later suspended this weekend.
The episodes add to a long list of media outlets and big companies that have been compromised in recent months.
So why don’t more people use two-factor authentication, a more demanding method of accessing an account than a password-only process? The answer: Laziness or friction, depending on how you want to think of it.
In enterprises, two-factor authentication typically relies on hardware tokens that generate passcodes valid for only a short window (commonly 30 to 60 seconds) that must be entered along with the usual password. Consumer Web services such as Google or Facebook send a one-time passcode to the user’s mobile device, either as a text message or, in Apple’s case, as a push notification to an iPhone or iPad through the Find My iPhone app. Without that code, you can’t log in.
The hackers in the CBS case appear to have political motivations, tweeting things like “The American people must stop their government, before the whole world is destroyed,” as well as claims that “the Syrian army fights for all humanity” and a suggestion that the Boston bombers are professionals under U.S. government protection.
The latest incidents aren’t isolated.
In recent months hackers also took over the Twitter accounts of Burger King, Jeep and MTV. Yet a simple thing could make a hacker’s job much more difficult -- two-factor authentication.
Even though Twitter itself has been rumored to be working on offering its users two-factor authentication, you’re still going to see incidents like the ones currently plaguing CBS. That’s because even the tiniest bit of friction is enough to deter people from using extra security.
Think of it this way -- everybody knows (or should know) that you should never use the same password for more than one account. In addition, each of these unique passwords needs to be long, include special characters and be completely random, so that a bad guy can’t guess it.
Something like 472vY!5@0ndw33k3nd looks the part, but only the first part of it is actually random: “0ndw33k3nd” is just “on d weekend” in leetspeak, the kind of substitution password-cracking rules try automatically. A password generator’s output is better still. Of course, that can be hard for the user to remember, and writing passwords down is a bad idea because a lost note ends up in the wrong hands.
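What “long and completely random” buys you can be put in numbers. The script below is an added example for this page, not code from the article: it generates a password from the operating system’s cryptographic random source, enforces a character-class policy without biasing the result, and reports the entropy of a uniformly random string of that length. The character-class policy and the symbol set are assumptions chosen for the example.

```python
import math
import secrets
import string

# Added example (not from the article): random password generation with an
# entropy estimate. Uses `secrets`, not `random`, so the output is unpredictable.

# Assumed policy: at least one character from each of these classes.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",   # assumed symbol set; adjust to what a site accepts
}
ALPHABET = "".join(CLASSES.values())


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string chosen uniformly from alphabet_size**length possibilities."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str) -> bool:
    """True if every character class in CLASSES appears at least once."""
    return all(any(ch in cls for ch in password) for cls in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw uniformly from ALPHABET and reject candidates that miss a class.
    Rejection sampling keeps the result uniform over policy-compliant passwords,
    unlike 'pick one from each class, then shuffle', which skews the distribution."""
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generated_strength(length: int = 20) -> float:
    """Upper bound on entropy for a generated password of this length (bits)."""
    return entropy_bits(length, len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{generated_strength(len(pw)):.1f} bits")
```

The entropy figure only holds for strings the generator actually picked at random. Running `entropy_bits(18, len(ALPHABET))` on 472vY!5@0ndw33k3nd would report about 116 bits, but a cracker that tries dictionary words with leet substitutions does not have to search that space, so the real strength of the tail is far lower. That gap is the argument for letting a password manager generate passwords rather than inventing them.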
You can use a password manager such as LastPass to store the dozens of impossible-to-memorize passwords it takes to keep all your accounts safe, but even then it takes work. Every time you want to log in to Mint, your email, your bank, Twitter or anywhere else, it takes an extra five seconds to retrieve the password. You’d think that would be time well spent, but multiply those five seconds by the many accounts you access in a day and it can feel like a lot of extra steps against what may seem like a phantom threat that may never materialize.
Two-factor authentication is the same kind of thing.
Want to log in to Dropbox? Ideally, you’ll dig up that unique password from your password manager, then pick up your phone and wait to receive a code via text or an app. It’s a really smart thing to do if you want to keep your stuff safe.
Yet for too many people it’s just too much work, and for that reason you’re going to keep seeing accounts like CBS’s get hacked.
At the very least, anyone who’s too lazy to use two-factor authentication needs to get a handle on how to create a strong password.
And remember to never ever do something such as log in to a website using a password you use on another site. That’s one way employees of companies such as CBS give up the keys to the kingdom.
For even more password creation tips, check out Password Management: Idiot-Proof Tips.