If the Heartbleed security threat teaches us anything, it's that passwords don't offer total protection. Browsers are supposed to keep passwords and other sensitive data safe, but a technical flaw in a widely used padlock security technology allows hackers to grab the information anyway. Even without this latest discovery, there have been countless disclosures of hackers breaking in to grab usernames and passwords, plus credit card numbers and more.
That's why many security experts recommend a second layer of authentication -- typically in the form of a numeric code sent as a text message. If you're logging in to a website from your laptop, for example, you enter your password first. Then you type in the code you receive via text to verify that it's really you and not a hacker.
I've been using what's known as two-factor authentication or two-step verification on most of my accounts for more than a year, after seeing too many mysterious attempts to reset my Facebook password by someone who isn't me. The main exception was Gmail, but I enabled that recently after the discovery of Heartbleed. I was afraid the second authentication would be a pain to use, but things are going more smoothly than I expected after the initial setup.
The idea behind these double-layer passwords is to make it harder to use a password that's compromised or guessed. You're asked for a second piece of information that only you are supposed to know.
To balance security and convenience, you can typically bypass this check the next time you use the same Web browser or device. It won't help if someone steals your laptop, but it'll prevent others from using your password on their machines. If you're logging in at a library or other public computer, remember to reject the option to bypass that check next time.
The second piece of authentication could be your fingerprint or retina scan, though such biometric IDs are rarely used for consumer services. Financial services typically ask for a security question, such as the name of your childhood pet, the first time you use a particular Web browser or device. That's better than nothing, though answers can sometimes be guessed or looked up. Some banks offer verification codes by text messaging, too.
I like that approach and use it for a variety of email and social networking services. To me, email accounts are the most sensitive because email can be used to reset passwords elsewhere. That includes my banks and shopping sites. (continued...)
© 2014 Associated Press under contract with NewsEdge. All rights reserved.
Posted: 2014-04-25 @ 2:39pm PT
Two-steps verification, how smart they are, those securities experts and those websites! What kind of disaster will it take for them to take responsibility? What is described as two-step verification existed already back in the eighties on many telebanking (the precursor of internet banking) sites in Switzerland. Back then it was a sequential list of single-use numbers on a piece of paper, and it worked perfectly well. No need for fingerprints or text messages.