Google Authenticator & Two-Factor Authentication
Just about every day you look at technology news, you can find new articles about
stolen account information and security vulnerabilities. If all you use to log on to your most
critical accounts is a password, then anyone who manages to steal it with a keylogger
or a fake online form will be able to get into your accounts. You might trust the people in
your community, but what if the attack is coming from who-knows-who overseas? One way
you can significantly increase your security is to use two-factor authentication. This usually
means that to log in to your account you need to enter your password and a randomly
generated code from the service that gets sent to your phone. Sounds like a bit of a
pain, right? Enter Google Authenticator. This app, while it can obviously be used for Google
services, can also be linked to other services just by scanning the on-screen QR code. Within
Google Authenticator, all of your two-factor codes automatically refresh on screen in step
with the server, so you merely need to enter the current code into your login forms.
How is This Secure?
You enable two-factor authentication while already logged in to your account; after
that, you need a two-factor code to log in. As part of the process, the service will have you
register the refresh code with your mobile device so that you can log in. While you may be
able to register additional devices, no one can log in to your account without both knowing
your password and physically having your mobile device. In some cases, you can save a
phone browser or a computer as a trusted device on which you no longer need to input
the code, but of course that means reduced security for those specific devices and accounts.
You might expect the loophole to be that people would use the 'can't log in' function,
but those recovery options are generally stringent for two-factor authentication. With Google,
for instance, you can only get back into the account if you regain access to your phone, use a
verified computer as previously mentioned, use a backup code, use a backup phone, or work with
Google to verify your information in a process that takes a minimum of 2 days. With these
bases covered, it is almost impossible for people to get into your account without physically
rifling through your phone or your verified computers. Remember to set up a PIN or password
to unlock your phone too, though, since you don't want anyone to just pick it up and
have access to everything.