Using Double Authentication for Website Security

BY Justin Torres



Popular services are implementing two-factor authentication. You should, too.

Your password will never be enough
The best practice for choosing a password is a passphrase long enough to be unpredictable yet easy to remember. What matters is entropy, the number of bits an attacker must effectively guess: the more of it a password has, the longer it takes to crack, and length adds entropy far more cheaply than symbol substitutions do.

Password cracking has reached hobby status: enthusiasts write ever more efficient software and submerge their GPU rigs in mineral oil to cut cooling costs. The field grows with every password dump published by attackers who break into sites and post what they find, because each dump reveals the passwords people actually choose.

OpenID means you are the real you
There is a good chance that you and your website visitors already have an account on Google+, Facebook or Twitter. Federated login (OpenID and the OAuth-based "sign in with" flows these networks offer) turns them into issuers of Internet passports, which is useful if your firm's site needs users to identify themselves reliably. Letting users sign in through a trusted third-party provider instead of creating a site-specific account is a quick way for them to comment or manage a basic client account without having to remember yet another registration.

Introduce an additional verification factor
To stay ahead of attackers who keep finding new ways to learn passwords, the most solid approach to authentication requires two of three factors: something you know, something you have, and something you are.

Passwords are something you know, but they can also be known by someone else. Enterprise solutions have long used key-fob code generators to prove something you have; mainstream app developers now look to mobile devices instead. Since your phone is almost always in your possession, it is a convenient place to generate a one-time code that only you can produce. Something you are means biometric data, such as a fingerprint.

Companies that handle personal and corporate data are big targets for hackers, and many of them have already begun requiring two forms of verification. A few learned the hard way.

The worst-case scenario
About a year ago, Wired writer Mat Honan had his entire digital life vandalized and all of his Apple devices remotely wiped, and no password was cracked to do it. The attackers daisy-chained information across accounts, starting with his Amazon account, then his Apple ID, which led to his Gmail account and finally his Twitter profile, which they used to spread hate speech. It was an orchestrated attack that exploited the phone-support account-recovery procedures of each company, using details from one account to pass the identity checks of the next. Two-step verification on the Google account would have broken the chain.

Safeguard your online accounts
To make your login much harder to impersonate, you need a few minutes and a phone that can receive SMS (a smartphone is optional). Each provider labels the feature differently, but look in the account's security settings for an option that adds an additional step to your login. The most common method is a one-time code, sent by text message or generated by a smartphone app, that you must enter after your password before you can access the account. Prefer the app where the provider offers it: a code generated on the device cannot be intercepted the way a text message can, for example when an attacker takes over your phone number.

The Google Authenticator app, available in Apple's App Store and on Google Play, can generate codes for multiple accounts. Install the app, then connect it to each account by enabling two-step verification on the account website and choosing Google Authenticator as the code source. The site shows a QR code to scan; it contains the shared secret from which both the app and the site compute matching one-time codes, so treat it like a password and do not let anyone else photograph it. From then on, each login to a connected account prompts for a code; depending on the site, you will either receive an SMS or open the app.

You need this on your site
If federated login is your primary method of sign-in, encourage users to enable two-factor authentication at their respective providers; stacking another challenge of your own on top of theirs only adds friction. If you manage your own users and collect sensitive data, however, a second factor is a must. Combined with WordPress's salted, hashed password storage, the extra step stops the large majority of unwanted logins, including those made with a stolen or guessed password.

Authy offers a WordPress plugin that adds two-factor authentication to a site. Install it from the site's dashboard and activate it by entering an Authy API key (obtained from Authy's website) in the plugin settings. You can let users opt in to two-factor authentication or require them to activate it, and the plugin is role-based, so you can require it for the users whose role grants the most access, such as administrators and editors. Once enabled, WordPress will make those users verify their identity with a second factor before they reach protected areas. Authy's mobile app delivers the codes to enrolled users.
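The following is an added example, not code from this article, from Google Authenticator or from Authy. It walks through the mechanism the two sections above describe: the otpauth:// URI that the QR code encodes, the time-based one-time password (TOTP, RFC 6238) that the app computes from the shared secret, and the check a site-side plugin must perform, including a one-step clock-skew window and a guard against replaying a code that was already accepted. The account name and issuer are made-up values; the 20-byte secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the published vectors.

```python
"""TOTP end to end (RFC 4226 / RFC 6238): what the QR code carries, what the
authenticator app computes, and what the site must check. Added example;
names and sample values are assumptions, not the article's or any vendor's code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

STEP = 30    # seconds per time step, the Google Authenticator default
DIGITS = 6   # code length shown to the user


def new_secret() -> bytes:
    """Enrollment: the site generates a fresh 160-bit secret per user."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that the QR code encodes (secret is base32, unpadded)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(issuer) + ":" + quote(account)
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


def secret_from_uri(uri: str) -> bytes:
    """What the app does after scanning: parse the URI and recover the raw secret."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)   # restore the base32 padding the URI omits
    return base64.b32decode(b32)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, at: int) -> str:
    """RFC 6238: HOTP whose counter is the number of STEP-second intervals since the epoch."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Site side: accept a code from the current step or one step either side
    (clock skew), and never accept a step at or below the last one accepted,
    which blocks replay of a code an attacker captured moments ago."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1   # highest counter already used for a successful login

    def verify(self, submitted: str, at: int) -> bool:
        submitted = submitted.strip().replace(" ", "")
        if not submitted.isdigit():
            return False
        counter = at // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue   # already consumed (or older than one that was): replay
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    key = new_secret()
    uri = provisioning_uri(key, "alice@example.com", "Example Law Firm")  # made-up account
    app_key = secret_from_uri(uri)          # the app scans the QR and stores this
    now = int(time.time())
    code = totp(app_key, now)               # the app shows this code
    site = TotpVerifier(key)
    print(uri)
    print("code:", code, "accepted:", site.verify(code, now),
          "replay accepted:", site.verify(code, now))
```

The verifier's window and replay guard are the two checks that most home-grown implementations forget: without the window, a phone clock that drifts half a minute locks the user out; without the replay guard, a code phished seconds ago is still good for the rest of its 30-second step.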

Passwords are used every day to grant access to documents and vital web-based services. Amid the rising wave of data breaches, enabling two-step verification on every site that supports it should be a top priority.


Justin Torres is a staff contributor to Bigger Law Firm Magazine, Chief Programming Engineer with Adviatech, and oversees all of the company's security protocols.
