Is two-factor authentication worth the potential headache?
Dropbox is the newest service to offer an extra layer of sign-in security. Is two-factor authentication worth the dork factor?
You might know by now, or at least have heard about, how hard Mat Honan got hacked. All his devices, his email, his photos, all his social accounts—all gone, in large part because Amazon and Apple let him down. Immediately after his sci-fi-level erasure, the more helpful aspects of the web came out to suggest that you, the next potential target, do a few things to improve your security with remote services. Chief among them? Turn on two-factor authentication for your Google account, and any other service that offers two-factor security.
As it relates to your Google account, two-factor authentication is an extra step in logging into your account from a device you haven’t logged in with before. After the usual email/password entry, you’ll also be asked to enter a code generated by Google for you, which only you can see in a secure smartphone app, over text message, or from a list of pre-generated codes you’re supposed to print and keep in your wallet. Google’s smartphone app for handling two-step codes, Authenticator, isn’t exclusive to Google accounts. You can use Authenticator to add another security layer to LastPass and, just recently and in an early test, online storage service Dropbox. Once you authenticate with the app, the device or browser you’re logging in through is given the green light for about 30 days of access.
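To make the rolling code less mysterious, here is a sketch of how a service can check one. This is an added example, not code from Google, Dropbox, or LastPass; it assumes the published TOTP standard (RFC 6238) with its default 30-second step, the function names `totp` and `verify` are hypothetical, and the secret is the constructed sample key from the RFC's test vectors.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (an assumption of this example)
DIGITS = 6   # code length typically shown by authenticator apps

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int, last_step: int, window: int = 1):
    """Return the matched time step, or None if the code is rejected.

    Accepts codes within +/- window steps to tolerate clock drift, and
    rejects any step <= last_step so a captured code cannot be replayed.
    """
    current = unix_time // STEP
    matched = None
    for step_no in range(max(0, current - window), current + window + 1):
        expected = totp(secret, step_no * STEP)
        # Constant-time comparison; every candidate is checked before returning.
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok and step_no > last_step:
            matched = step_no
    return matched

# Constructed sample: the shared secret used in the RFC 6238 test vectors.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = 59
    code = totp(SECRET, now)
    print("code at t=59:", code)
    step = verify(SECRET, code, now, last_step=-1)
    print("first use accepted at step", step)
    print("replay accepted:", verify(SECRET, code, now, last_step=step) is not None)
```

The service stores the last accepted step per account and passes it back in as `last_step`, which is what makes each code single-use.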
Google’s Authenticator is just one form of two-factor authentication, however. It’s called two-factor because it requires someone attempting to enter an account to have at least two of three security factors: knowledge (“something you know”), possession (“something you have”), and inherence (“something you are”). That might seem complex, but you’ve been using two-factor authentication at ATMs for years: your bank card is something you have, and your PIN is something you know. Spy thrillers use all three factors to show how valuable the thing in the vault is, as officials enter a PIN, swipe a card, and have their “inherence” factor proven with eyeball or fingerprint scanners.
In terms of preventing attacks, two-factor authentication is only as serious as the user enabling it. If you allow your phone to be unlocked without a passcode or phrase, then the Google Authenticator app is available to whoever has your phone, who then also knows your Gmail address. If you don’t have a password set up on your laptop, then your already authenticated browsers and email clients are open, too.
There are tricks that can break past your security, like a version of the “man-in-the-middle” attack. There are tricks that let you defeat hackers, even if you lapse in your security, such as remotely signing out of Google sessions (and in Dropbox, in your Security settings). There are, as in all security matters, voices on both sides declaring whatever steps you take as not enough or as tinfoil-hatted nuttery.
I’ve been using Google’s Authenticator app and two-step security with Google and LastPass for more than a year, and I’ve just enabled Dropbox two-factor authentication. When I am not messing with things, it is quite tolerable: using just one browser to access typical Google services, using the usual Google services on an Android phone, occasionally signing in on somebody else’s computer. It’s when I start acting like a tech writer that I start to feel the friction. Using different browsers is quirky. Using desktop apps that pull from services like Google Music is more painful, because you have to generate application-specific passwords. Installing new Android apps that want access to Google is very quirky, requiring signing in and copying the Authenticator code before it hits the 60-second change-up. And if you need to wipe or trade in your smartphone, it’s a bit of a tango to end up at the right place again.
All that is to say, I think any "plain vanilla" user of Google, Dropbox, or LastPass should enable two-factor authentication, and be glad that the service holding some of your most sensitive stuff wants to occasionally check in with that something you have, ATM-style. More to the point, you can turn it off if it really ruins the internet for you. But, please: as soon as you activate that two-factor tool, consider the big picture of how people can get into your accounts, either when they’re in front of one of your devices or on the other side of the world. And back up your stuff online, sure, but also keep a local backup of everything, just in case.