A new website has been created, urging more services to offer two-factor authentication.
The good news is that more and more websites are integrating two-factor authentication (2FA), offering their users a higher level of protection over their accounts. But there’s clearly more who need to jump on the bus.
A well-implemented two-factor authentication system means that it’s no longer the case that the only barrier between your online account and a hacker is whether they can determine your username (which is often just your email address) and password.
In many cases websites offering 2FA will send a short SMS message to your phone when you try to log in, or perform an action which requires an additional security check. In other cases, the website might ask you to check an app on your smartphone or a tag on your keyring where a one-time password is displayed which changes every 30 seconds or so.
Because the hackers (hopefully) don’t have their paws on your phone or keyring they won’t be able to break into your account with just your username and password.
This doesn’t mean your accounts are impregnable of course, but two-factor authentication (also sometimes known as two-step verification or multi-factor authentication) is a much higher level of protection than that offered for accounts which don’t offer it.
It seems every week there are new websites allowing users to protect their accounts with two-factor authentication. Just earlier this week, for instance, Tumblr boosted security for its users comparing 2FA to “how you need two keys to launch a nuclear missile”.
I was lucky enough to stumble across the twofactorauth.org website which offers a helpful list of websites offering 2FA, how they have implemented 2FA (for instance, whether it is done via SMS or commonly-used systems like Google Authenticator), and – interestingly – what websites *haven’t* implemented the security system yet.
The site’s creator, Josh Davis, said in a blog post that he created the site after he heard the worrying story of how Naoki Hiroshima had his ultra-short-and-desirable @N Twitter user account hijacked.
Although I don’t own a rare Twitter handle, it was scary to think about how the extortion of Naoki Hiroshima was possible just because of a lost domain name.
Although GoDaddy does support two factor auth, if Naoki hadn’t been using it for PayPal, his PayPal account would have been compromised as well.
I did a Google search for a list of sites with two factor auth and the results were pretty dissatisfying. The first result was a website with a huge list of sites that was barely usable.
This gave me an idea for my next mini-project.
Presently the site includes details about over 150 websites, including social networks, online banks, file-sharing services and many more, and has made it easy to submit details of other sites if you would like them to be added.
Let’s hope the site encourages more websites to integrate two-factor authentication, and raises awareness of the additional security users can enable to better protect their accounts.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.