Jerry Bailey asked “Is 2 factor authentication really more secure? How would a crook get around it? …I sometimes wonder if it is worth the bother.”
Two-step verification—also known as 2-factor authentication and login approvals—adds a significant layer of security to any Internet-based service. That’s why Google, Microsoft, Facebook, Twitter, and many other services use it.
[Have a tech question? As Answer Line transitions from Lincoln Spector to Josh Norem, you can still send your query to firstname.lastname@example.org.]
When you set up 2-step verification (2SV) on a website, you have to give an alternative way for the service to contact you—for instance, your cellphone number. Once set up, if you log onto the service on a new PC, browser, or device, entering your login name and password is just the first step. Once that’s done, the service will send you a unique code—for instance, sending a text—that allows you to log in.
You don’t have to use a cellphone. 2SV systems often provide additional contact options, such as email, a voice call, or a mobile app.
You can see how this provides greater protection. A hacker who has acquired your login name and password still can’t log on as you—unless they’ve also stolen your cellphone.
That provides a lot of protection, but there’s no such thing as perfect security. If a human brain can create a better lock, another human brain can find a way to pick it. After all, Michael Fagan broke into Buckingham Place and entered the Queen’s bedroom.
And yes, 2SV has been successfully hacked. In 2014, Dan Saltman discovered a way to bypass PayPal’s 2-step verification on an iPhone or iPad.
And just last month, political activist DeRay Mckesson lost control of his Twitter account. A hacker convinced Verizon that they were Mckesson, and thus successfully hijacked his phone number. Thus, when Twitter texted the code, the hacker received it. You can add extra security to protect yourself from this hack.
Despite these problems, you should stick with 2-step verification on any service that offers it. Your home is less secure than Fort Knox, but that doesn’t mean you should leave your door unlocked. The harder you make it for crooks to break into your private space, the more likely they’ll give up and try someone less vigilant.