Center For Practice Management, Security

Is a Password Enough To Keep Your Sensitive Information Safe?

By Catherine Sanders Reach

Are you using two factor authentication? You should be! Passwords alone are not enough anymore to thwart motivated hackers from accessing your accounts, whether by a keystroke logger infection on your computer or a data breach of the systems you use every day online. Two factor authentication, or two step verification, adds strength to your passwords by using something you know (your password) and something you have. The “something you have” is often a code sent separately to a mobile phone via text. Without the code you will not be able to login to an online account on a device you have not previously trusted. Ostensibly it would also thwart anyone who had your password as well. You can turn on two factor authentication in most online accounts by going into your privacy and security settings.

Recently it has become apparent that it is possible for a hacker to take steps to intercept the SMS code if they can access your phone, often accomplished by convincing your provider that you have a new phone and to activate it, or other technical means that exploit flaws in the 2FA systems.

A more impenetrable way to use two factor authentication is to use a physical device (something you have) instead of a code sent through SMS. Market leaders include YubiKey, Feitian MultiPass, NitroKey, and OnlyKey. Tech companies such as Google and Facebook now use YubiKey. The devices work with computers by requiring a USB fob or for phones using the phone’s NFC (near field communication) signal, which is available on Android devices and iOS 11. Simply insert or tap the fob to provide a second factor of authentication to thwart the potential failures of the SMS code. These devices range from $20 – $60 individually and are available for deployment for a firm.

To protect sensitive information held in online accounts consider ways to reduce exposure from password exploits and add another layer of security through two-factor authentication.

Catherine Sanders Reach is director of the NCBA’s Center for Practice Management.