As we move forward in the digital age, security is more prominent than ever. Users now have a lot of utilities and services that they can use to store all sorts of data and information in the cloud. That’s a good thing, to be sure. However, having that data stolen or accessed by unauthorized personnel is not. If you’re already wondering by now, yes, this will be yet another article on passwords. But that’s not the entirety of it. In the midst of so much scrutiny, we’ll take a look at how to better protect our Gmail accounts from unauthorized access. If you’ve been keeping up with the news lately, the personal Gmail accounts of some high-profile people have been hacked. They are claiming that Google is to blame here, but what mainly happened, from my understanding, is that the users were actually “duped” into providing their own usernames and passwords to the attackers through what is known as a phishing scheme. Because phishing attacks can happen to anyone, they are hard to prevent, as they rely on social engineering. If you received an email one day that looks like it is from the FBI, claiming that they caught you downloading illegal MP3 files and that you have 3 days to email them back the attached document or risk facing jail time, what would you do? Well, a guilty individual, or one that isn’t aware of these types of scams, will undoubtedly download and open the attached file. Once they do so, their computer is compromised. This is similar to what happened with the recent Gmail attacks. The exact scenario is most likely different, but the outcome was the same. The attackers tricked the users into handing over their Gmail credentials by using a fake login page.
So how is the above attack possible? Think about how you log in to your own Gmail or other email accounts. What is the normal procedure? Well, you first type in the website’s address, and you are greeted with the familiar welcome page. You then provide your username and your password. You are then logged into your account. That’s it! We’ve been doing this procedure for years now, so where is the problem? The problem lies in the authentication area. The only information preventing me from logging into your email account is the password. Obviously, right? Well, this has to stop. Using passwords solely as the authentication method is no longer reliable. It worked well in the past because we hadn’t seen cyber attacks like we do today. Information and data are the key to everything, and that means the bad guys will do all they can to get them. In the above scenario, even if the user had a strong password consisting of 14 or more characters, it wouldn’t mean a thing if they willingly gave it away! What needs to be done immediately is to give users the option of using an additional form of authentication in addition to a password. Yes, you read right. I said “in addition”, not “as a replacement”. Hence, we come to multi-factor authentication.
Multi-factor authentication, once enabled, requires a user to provide a second piece of information in addition to their original password before being allowed access. The password is something a user knows and should be secret. However, we all know that’s never the case anymore. So what about also including a piece of information that only the user is in possession of? For example, what if a special user code (say a 3-4 letter word) was sent to the user’s cell phone every time he/she wishes to log in? Because it is much harder for a bad guy to have the victim’s cell phone in his or her possession, they will never receive this special code and therefore will not be able to log in, even if the victim willingly gave over their password. Look back at the Gmail incident and you can clearly see how this simple multi-factor authentication system would have prevented the accounts from being compromised. Sure, the attacker now has the victim’s password (which may also be used for other services, but that’s not the point here), but it’s not really put to much use. Gmail actually has a multi-factor authentication system in place, but it’s sad that not much promotion is being done on behalf of it. So, in an effort to secure our email accounts, we’re going to enable this feature and see how much more secure we can be.
Enabling Multi-Factor Authentication in Gmail
Enabling Gmail’s 2-Step Verification feature is simple, provided that you understand how it works beforehand! Google has a YouTube video that pretty much explains the entire process better than I can with words. It’s easy to understand and follow, so I won’t be going over all the steps here.
As for backups, Gmail will present you with 10 generated verification codes that you can print out and store in your wallet. These serve as a backup should your phone not be present when you want to log in to your account. They can be considered one-time passwords in that once they are used, they can no longer be used again. Another backup option is to include a second telephone number. This again helps should you find yourself locked out of your account. It can be your home phone or the phone number of a trusted relative or friend.
I think it’s quite easy to recognize when your account has been compromised. If all of a sudden you receive a text or voice message from Google giving you the verification number when you haven’t attempted to log in, then someone must have access to your password and is actively trying to get in. Gmail will only send the verification number once you have successfully entered your password. Luckily, you have multi-factor authentication enabled, so the attacker is stopped in his tracks. However, you’ll still want to at least change your password and think about how your password was compromised in the first place.
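To make the two-step flow from the earlier explanation and the backup-code behaviour above concrete, here is a small added illustration in Python. It is not Google's code: the password check only triggers delivery of a code through a `deliver` hook (standing in for the text or voice message), the delivered code expires after an assumed 300 seconds, and each printed backup code is accepted exactly once.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration (not Google's code) of the flow described above:
# a correct password only triggers out-of-band delivery of a short code, and
# printed backup codes are accepted once each. SHA-256 stands in for a real
# password KDF; rate limiting is omitted for brevity.
CODE_LIFETIME = 300  # seconds a delivered code stays valid (assumed value)

def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()

class TwoStepAccount:
    def __init__(self, password, deliver, backup_count=10):
        self._password = _digest(password)
        self._deliver = deliver  # SMS/voice in real life; a test hook here
        self._pending = None     # (code digest, expiry) after step 1 succeeds
        # Backup codes are shown once so the user can print them; the
        # account keeps only digests, and each digest is dropped after use.
        self.printable_backups = [secrets.token_hex(4) for _ in range(backup_count)]
        self._backups = {_digest(c) for c in self.printable_backups}

    def submit_password(self, password, now=None):
        """Step 1: a phished password alone earns nothing but a code delivery."""
        if not hmac.compare_digest(self._password, _digest(password)):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = (_digest(code), (now or time.time()) + CODE_LIFETIME)
        self._deliver(code)  # an unexpected delivery is the user's compromise signal
        return True

    def submit_code(self, code, now=None):
        """Step 2: the delivered code (while valid) or one unused backup code."""
        if self._pending is None:
            return False  # step 2 is only reachable after step 1
        digest, expiry = self._pending
        wanted = _digest(code)
        fresh = (now or time.time()) < expiry and hmac.compare_digest(digest, wanted)
        backup = wanted in self._backups
        if not (fresh or backup):
            return False
        self._backups.discard(wanted)  # no-op unless a backup code was used
        self._pending = None
        return True

    def backup_codes_left(self):
        return len(self._backups)
```

The `deliver` hook is where the detection point from the text lives: a user whose phone receives a code they did not request knows the password step has already been passed by someone else.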
In the End...
If you take security seriously, you’ll definitely want to enable this multi-factor authentication system for your Gmail account. I hope that in the near future, all email and pretty much all other services that store our important data give us two-factor authentication. However, I don’t want you to believe that this is a foolproof solution to a widespread problem. Just because you have enabled this feature doesn’t mean that security now takes a back seat. We still have to do our part and make sure that our data is as secure as can be as well. If you’re an average Joe like me, you don’t really have to worry about targeted attacks. I really doubt an attacker would go through the trouble just to find out what I bought from Amazon and eBay this month. However, if you are of relative importance to your company, you might be the victim of a targeted and planned attack. The attackers only need to gain access to your phone for a split moment to get that verification code (provided they already know your password), so a simple distraction is all it takes. Because your phone is now a security factor, you’ll want to take extra precaution as to who has access to it.
With that being said, though, you can’t deny that multi-factor authentication is a huge step forward towards locking down our most important accounts online. Heck, even our computers need multi-factor authentication going into the near future. Governments and other organizations deploy smart cards for employees, while the consumer sector gets fingerprint readers to use as an authentication method. It’s no joke, people. Passwords are becoming useless as our sole authenticator. In fact, armed with a strong graphics card, just about anyone can crack thousands if not millions of passwords per second on a home computer! Companies that host crucial customer data need to move away from the password-only model and start deploying some sort of multi-factor authentication. Support for YubiKeys by the top companies in the world, for example, would absolutely be a huge step towards preventing unauthorized access.