Ed set up two-factor authentication on his Mac. But when he logs into his Apple account, it sends the two-factor authentication code to his Mac. How can that be secure? Leo says it isn't. Apple's idea of two-factor authentication is kind of interesting. The argument is, if he has the password, and he controls the hardware the two-factor code is sent to, then there's a good chance that he is who he says he is. But it would be much better to send it to the smartphone.
Leo has talked a lot on the Tech Guy show about using two-factor authentication wherever possible to ensure the security of your online accounts. Two-factor authentication requires more than just one factor to log in. This could include two of the following: something you are (such as biometrics like fingerprints or iris scans), something you know (a password), or something you have (a smartphone or hardware key). This could be called many things, including “Two-Step Verification” and “Two-Factor Authentication” depending on the site.
If you've had your email account hacked, then it may be time to take further security measures to keep it from happening in the future. Here are some simple steps you can take right now to better secure your account:
- Change your account password
After the recent iCloud security breach that released private celebrity photos, you may be wondering what you can do to protect your data in the cloud. Apple has released a statement saying that it was not a failure of iCloud or Find My iPhone that resulted in these photos getting out -- it was a deliberate and targeted attack. That being said, here are a few ways you can keep your data more secure online:
Use Strong Passwords
Carneg uses Apple Mail to download Gmail onto his computer, and he recently got an email from Google that someone was trying to access his account. So he tried to change his password, but it won't let him.
Leo says that Google has a great feature at the bottom of the Gmail page that would allow him to check out who's trying to log into his account and the device being used. Leo advises turning on second-factor authentication, and tying his Gmail to his cellphone so that in order to change the password, he'd have to get a text or phone call to his phone.
Apple has had a lot of security issues as of late, one of them relating to its Apple ID "forgot password" system. It was possible for anyone to gain access to another user's account simply by knowing their email address and birthday. This led to Apple taking down iforgot.apple.com until just recently.
All authenticators do the same thing: they generate a time-based, one-time-use passcode. No data goes back and forth between the authenticator app and Google; both simply use the same algorithm to generate the code based on the time of day. Since no one knows that algorithm, it's not possible to figure out that code. They use a "one-way hashing" technique to do this. Just because the user has the 6-digit result on the authenticator does not mean anyone could go backwards to figure out what the key is.