Using Double Authentication for Website Security
March 30, 2016
Popular services are implementing two-factor authentication. You should, too.
Your password will never be enough
The best practice in password generation is to use a passphrase that is too long to be predictable, but also impossible to forget. The more complicated the password, the more bits of entropy are involved, which determines how long it will take to crack.
Password cracking has reached hobby status: enthusiasts are writing more efficient software and submerging their rigs in mineral oil to save on cooling costs. The field of password cracking grows with frequent password dumps released by vigilantes who infiltrate sites and publish their findings.
OpenID means you are the real you
There is a good chance that you and your website visitors have an account on Google+, Facebook or Twitter. Open authentication makes these networks issuers of Internet passports, which is useful if your firm’s site requires users to correctly identify themselves. Using a trusted third-party provider instead of creating a site-specific account is a quick way for users to comment or manage a basic client account without having to remember a registration.
Introduce an additional verification factor
To combat exploiters always finding new ways to learn passwords, the most solid approach to authentication involves two of three presentations: something you know; something you have; and something you are.
Passwords are something you know, but can also be known by someone else. Enterprise solutions have previously used keychain-code generators to match you to something you have, but mainstream app developers are now looking to mobile devices. Since your phone is likely in your possession, it’s the perfect way to generate a one-time code only you would possess. Something you are includes biometric data, like a fingerprint.
Companies that handle personal and corporate data are big targets for hackers, and many of them have already begun requiring two forms of verification. A few learned the hard way.
The worst-case scenario
About a year ago, Wired author Matt Honan had his entire digital life vandalized and all of his iDevices wiped when clever individuals recovered his password. The culprit daisy-chained information from multiple accounts, starting with Honan’s Amazon password, then his Apple ID, which lead to his Gmail account and ultimately his Twitter profile, which the hacker used to spread hate speech. It was an orchestrated attack that reverse-engineered information from the phone support of each of those companies. Two-step authentication would have rendered this scheme unsuccessful.
Safeguard your online accounts
To make your login remarkably difficult to fake, you need a few minutes and a cell phone with SMS capability (smartphone optional). Each provider labels it differently, but you want to look for a setting (online) that mentions adding an additional step to your login for security. The most common method of two-factor authentication is having a one-time code sent via text message or generated from a smartphone app. Only after you have entered your password and the code will you be able to access your account.
The Google Authenticator app, available on iTunes and Google Play, can generate codes for multiple accounts. Download and install the app, and connect it to your accounts by enabling double authentication at the account website, then indicating you would like to use Google Authenticator to generate codes. You will be given a QR code on screen to scan, containing the secret used to generate matching one-time codes. Once installed and activated, the next time you login to any connected accounts, you will be prompted to enter a code. Depending on the site, you’ll either get an SMS or have to open the app.
You need this on your site
If OpenID is your primary method of login, encourage users to enable two-factor authentication on their respective services. You don’t want four-factor authentication. However, if you manage your own users and collect sensitive data, double authentication is a must. The extra layer of security running in conjunction with the salted passwords of WordPress will eliminate unwanted logins.
Authy is a WordPress plugin that allows you to add two-factor authentication to any website. You can install Authy through your site’s dashboard and activate it by entering an Authy API Key (from their website) in the plugin settings. With Authy, you can let users opt-in to two-factor authentication, or you can force them to activate it. Authy is role-based, so you can determine who must use it given the level of access each user has to your site. With Authy, WordPress will force your clients to verify their identities before they are allowed into protected areas. Authy has a mobile app that subscribers can use to receive codes.
Passwords are used every day to grant access to documents and vital web-based services. In the increasing wave of data breaches, enabling two-step authentication across any site that supports it should be a top priority.