Thursday, July 6, 2017

Improving Two-Level Authentication

Mix up your security answers to increase security.

Multi-level authentication is rapidly taking over the Internet. One reason I am less than keen on Fidelity is that their security basically sucks. To log into your Fidelity account, you need only use a username and a password that is just a number. No combination of letters and punctuation, upper and lower case. And as far as I can tell, no second level of authentication with challenge questions, e-mailed or texted codes or whatnot. Seems pretty thin to me.

Bank of America has a "SafePass" which is either a code texted to your phone, or a number generated on a "SafePass" card, which looks like a credit card with an LED display. You press a button and it generates a number. Some credit cards are using this for the CVV2 security code number these days - your security code changes from transaction to transaction. Of course, if someone steals your cell phone (and has the passcode), SafePass card, or physical credit card, they have access to these security codes.

Security questions are another layer. "What is your Mother's Maiden Name?" or "What was the name of your first boyfriend/girlfriend?" or "In what city did you get your first job?" are all the kinds of questions that they may ask you. The problem is, of course, that someone can go on Facebook or LinkedIn and get all this information, as people willingly post it. Even the answers to questions like "What is your favorite song?" can be scraped from Facebook and other social media sites.

One way to mix it up is to use a completely nonsense answer that only you would know. My mother's maiden name was Donald Trump. Or my favorite song is Wheaties. The city where I got my first job was Purgatory. Things of that nature (and no, none of these are actual responses I use).

Your mother's real maiden name can be scraped from an obituary, or sites like MyLife, which scrapes the web for personal information. And it is frightening how much personal information you can get off the web about anyone. Questions that "only you know the answer to" such as "what is your favorite vacation destination?" might actually be easy to find on your Facebook page ("Whoo-hoo! Here we are in Aruba! My fav vacation destination!").

No matter how many additional levels of security we add to the Internet, thieves will find new ways to break in. Even fingerprint ID has its faults - someone could cut off your finger to get access to your electronic devices. And yes, you will read about this happening in the not-too-distant future. Some people are ruthless when it comes to thieving.