A tech journalist learned a tough lesson recently. But using two-factor log-ons help guard your Google, Facebook, and Twitter accounts from being hijacked. If you haven’t read about Wired reporter Mat Honan’s ordeal at the hands of malicious hackers, take some time and read it now. (I’ll wait.) His story about how a passel of juvenile hackers managed to get into his Apple account and wipe all the data off his iPhone, iPad, and Mac— as well as hijack his Google, Twitter, and Amazon accounts – should be required reading for anyone who uses those services, and especially those of us who’ve blithely linked our social media accounts together using the same e-mail address. Honan didn’t do anything to tick those hackers off. He was targeted simply because they coveted his @mat Twitter handle. Which means that the same thing could happen to you or me just as easily, and we wouldn’t know we’d been jobbed until far too late.
One thing Honan notes with regret is his failure to turn on two-factor authentication for his Gmail account. If he’d done that, anyone who tried to access his e-mail would have also had to enter a six-digit PIN, which is randomly generated and sent via text message to his phone.
So your first order of business for today: Setting up two-factor authentication for Google. To do that, you’ll need to go into your Gmail Settings (it’s the icon that looks like a little gear in the upper right corner of your inbox). From there:
- Select Settings, then Accounts and Import.
- Under Change account settings select “Other Google Account settings”.
- That will take you to a Web page for your Accounts. Select Security from the left-hand menu. You may be prompted for your password again.
- Under “2-step verification” you’ll see “Status: OFF.” Click the Edit button next to that. That will take you to a Web page wizard that will walk you through the process of having a six-digit verification code sent to you via text or a robo-call.
Enter the code into the appropriate box, and you’re all set – for that device, anyway.
Admittedly, this is not as easy as simply using a password. You’ll have to do this for every device and every application that uses your Gmail logon, and every device and application doesn’t work exactly the same way. For example, I was able to log on to Gmail using a PIN on my desktop, laptop, and iPad, but not my Android tablet or Windows smartphone. For those, I had to set up separate one-time-use “subtokens” that look something like this: fztz dgpm oxfi uthb.
You’ll need to go back to the Accounts Security page and select the Edit button next to “Authorizing Applications and sites” to set up disposable passwords for each device and app. You can also use this tool to manage your list of trusted devices and applications, and revoke access to them at any time.
So that covers Google. What about Facebook? Here, too, you can beef up your security settings with two-factor authentication. This will prompt you to enter a similar SMS code whenever you log onto Facebook from a new device. The drill is remarkably similar:
- Go to your Facebook Account Settings page (found under the down arrow next to the Home tab).
- Select Security from the menu on the left.
- Under “Login Approvals” click edit and put a check in the box that appears (see below). You may have to adjust your browser settings to accommodate the cookie that Facebook wants to deposit.
- In the dialog box that appears, click “Set up now.” You may be prompted again for your Facebook password and to add your mobile phone number if you haven’t provided one already.
- Click Continue. If you’ve done this correctly you should receive a six-character PIN. Enter that and the name of your device into the dialog boxes that appear.
Like Google, this won’t work with every device or application Facebook supports (like the Xbox or Skype). So again you’ll have to generate a disposable app password, which you can do via the same Security Settings dialog box. If you have an android device, you can download a free Code Generator app that can produce usable passcodes without having to send you a text.
Twitter does not offer two-factor authentication at this time. But you can make it harder for attackers to reset your password by changing a setting in your profile that requires you to provide additional info, such as an e-mail address or phone number, when requesting a new password.
From your Twitter profile page, click Edit your profile. Then go into your Account settings, scroll to the bottom, and put a checkmark in the box next to “Require personal information to reset my password.”
The flaw in all of these schemes: If the attackers manage to get hold of your phone as well as your log-ons. Then, my friend, you’re totally screwed.
For more computing news, visit ITworld. Story copyright © 2011 ITworld Inc. All rights reserved.