Use stronger authentication, urge White House and tech companies

library
crime | hacking | security

If half a billion passwords dragged out of Yahoo isn’t enough to convince us that we need more than passwords to secure our online stuff, perhaps a dancing banana will do the trick.

That animation comes out of a new effort to get us to use stronger authentication.

The campaign, called Lock Down Your Login, is a result of a call from the White House in February, when President Obama asked Americans to please use two-factor authentication (2FA).

For the Lock Down Your Login campaign, the White House teamed up with the National Cyber Security Alliance and companies such as Mozilla, Twitter, Google, Visa, Mastercard and Wells Fargo.

The goal is to educate people on how to set up strong authentication on all their online accounts, be they social media, email or banking accounts.

According to a National Cyber Security Alliance (NCSA) survey from July, 72% of Americans think their accounts are secure with only usernames and passwords.

That’s clearly wrong: we hear about new password breaches all the time. Recently discovered breaches, besides Yahoo, include Tumblr (65 million user email addresses and passwords), 164 million LinkedIn passwords, and 427 million passwords from MySpace.

Michael Kaiser, executive director of the NCSA, told CNET that the Yahoo breach was particularly concerning, given that email accounts often contain “crown jewels,” such as passwords to our other accounts, along with a wealth of personal information about us.

That personal information is gold to identity thieves. According to the NCSA, identity fraud hits a new victim every 2 seconds.

Clearly, passwords alone aren’t cutting it. From the campaign’s site:

Your usernames and passwords are not enough to keep your accounts secure. You have enough to worry about, so what can you do about it?

What you can do about it is use strong authentication – what’s also called multifactor authentication, 2FA or two-step verification (2SV) – to make it that much harder for somebody to get into your accounts if they manage to steal or guess your password.

2FA works by requiring that you prove that you’re you by using two different ways to authenticate before you can log in or use a service.

That often means using not just a password, but also something like a one-time code generated by your phone or another device, or perhaps a fingerprint, or…

But wait! Why clunk it up with boring explanations? Instead, let’s turn to the dancing banana.

Everybody, sing!

Use your fingerprint, your face or a code
At home or work or on the road
Two-steps is safer than one (or three! or four!)
And keeping data safe is so much fun!

Chorus:
Authenticate, (strong) authenticate!
Make your logins extra safe
Protect your identity from tragic fate,
Authenticate, strong authenticate!

Bear in mind that receiving text messages with a one-time code may be a great way to secure your accounts, but it’s not infallible. The authentication can be foiled if somebody steals or finds the phone, or the SMS may be hijacked by a VoIP service.

We saw Black Lives Matter activist and politician DeRay Mckesson fall victim to a Twitter hijacking in June – an account takeover that happened in spite of Mckesson using 2FA.

In July, the US National Institute for Standards and Technology put out draft guidelines stating that SMS isn’t strong enough for authentication purposes and will soon be banned.

Still, SMS-based 2FA is better than just using a password and user name, Kaiser told CNET, referencing the organization’s advice following the Yahoo breach: