Will Two-Factor Authentication Become the New Normal?
Many Banks and payment providers such as Visa and PayPal already either require or allow for the use of two-factor authentication. File-sharing service DropBox has announced a two-factor authentication process that will require subscribers to type in both a password and a code sent to their mobile phone, according to a Washington Post article.
One-factor authentication is typically something you know, like a password. Two-factor is something you know, plus something you are (such as a fingerprint or iris scan) or something you have. In this case, a six-digit passcode sent to your mobile phone means that your password would have to be compromised AND your mobile phone stolen.
From the DropBox Blog:
“Two-step verification is an optional but highly recommended security feature that adds an extra layer of protection to your Dropbox account,” Dropbox writes. “Once enabled, Dropbox will require a six-digit security code in addition to your password whenever you sign in to Dropbox or link a new computer, phone, or tablet.”
DropBox has had a number of security breaches in the recent past. In July of 2011, a "code update" allowed anyone with a DropBox account to log into any other account. In July of 2012, usernames and passwords stolen from other web services were used to compromise DropBox accounts. The same attack was used to hack 400,000 Yahoo! accounts this summer. After continual promises to do better, has finally made a change that might make a difference.
Google already offers what they call two-step verification, but some researchers, including Bruce Schneier, say two-factor authentication solves "problems we had ten years ago." A virus called the ZeuS Trojan has already been discovered that specifically targets bank tokens, effectively stealing the code from your mobile phone.
The lesson learned from all of these hacking events - use different, strong, passwords for each of your accounts, and turn on two-step verification when you can. Unfortunately, strong passwords remain our first line of defense in Internet transactions. Adding a second factor to that protection might not solve the problem, but it makes both hacking accounts, and logging into your own account, a bit more difficult.