News of data breaches, hacked accounts, and stolen sensitive information has unfortunately become a daily occurrence. Millions of users are left to wonder if their personal data has been compromised, or if they’ve become one of the latest victims of identity theft. For many, the answer is ‘yes’, marking the start of a long and tedious account recovery process.
With the rise of account takeovers, usernames and passwords just aren’t cutting it anymore. A static string of letters, numbers and symbols, no matter how complex or how often it’s changed, is one of the weakest (and most easily forgotten) forms of account protection, and one of the easiest for hackers to bypass. The good news is that users now have improved options to secure their online accounts.
With increasingly widespread support for two-factor authentication (2FA) on websites and mobile apps, individuals are able to add an extra step to their account login process to provide a higher level of security (something you know, plus something you have). However, even as 2FA is becoming natively supported, there is still a gap in getting users to practice 2FA as part of their everyday routine. According to a recent study by Ponemon Research Institute, ‘The 2020 State of Password and Authentication Security Behaviors Report’, fewer than half of individuals (36%) use 2FA to protect their personal accounts.
Furthermore, in the same research, 76% of individuals who reported being a victim of an account takeover changed how they protected their accounts. Unfortunately, by the time these changes were made, it was too late. From this data, we know that users should be proactively protecting their accounts to mitigate these attacks.
The first step of securing your online accounts is turning on 2FA. However, it’s important to note that not all 2FA options are created equal. A few of the most common 2FA methods include:
- SMS 2FA
One-time passwords are sent via SMS (text message) and once received, the code can be copied and pasted into an application. Because of phone number porting scams and SIM swapping, this method has a poor security rating.
- Authenticator Apps
An authenticator app such as Google Authenticator is downloaded to your mobile device, and once you scan a QR code in your account’s security settings, the app stores one-time codes that are only valid for a limited amount of time. Although this method is more secure than SMS, it still relies on a mobile device, which isn’t always available or convenient.
- Security Keys
A hardware security key is the most secure and convenient 2FA option. In fact, a recent Google study found that security keys were the only method to prevent account takeovers 100% of the time. Security keys, such as a YubiKey, require physical access to the device to log into an account, preventing sophisticated breaches and remote attacks. When prompted during login, you simply need to touch the device to verify your identity. Think of the security key as if it were a physical key to protect your digital world.
You can significantly improve your online security today by enabling 2FA. Check to see if your favorite applications and services offer 2FA. If so, turn it on and consider using a security key (where available) or authenticator app as a preferred method of protection. If 2FA is not available yet, or if SMS is the only 2FA option, consider reaching out to your service provider and letting them know you’d like to see stronger 2FA options provided. Your voice is important in our journey towards a more secure internet.