As cyber criminals continue to develop more elaborate tactics in an effort to steal your or your clients' personal information, a password alone is no longer enough to protect you. Fortunately, a number of web-based e-mail providers and other online services now offer something called multifactor authentication—one of the simplest and most effective ways to secure your data.
What Is Multifactor Authentication?
Rather than relying on a password alone, this feature asks users to provide two forms of identification to log in to an account.
The website typically sends a passcode to the account owner's mobile device; he or she must enter that code, along with the password, to access the account. The code helps ensure that only the account owner can sign in, not an impostor who has stolen the login information.
Commonwealth's Information Security team strongly recommends that all advisors enable this security feature for their own accounts and encourage their clients to do so as well, in addition to choosing a strong password. These two safeguards go a long way in helping to upgrade online security and protect important personal information.
How to Update Accounts
Many major online services and platforms offer multifactor authentication.
Gmail. When you activate Gmail's 2-Step Verification, you'll be prompted to enter a six-digit code sent to your mobile device, in addition to your username and password. You can elect for your computer to remember the code for 30 days, although when you use a different computer or device, you'll have to enter the code. After 30 days, you will receive a new code.
Yahoo! Mail. Yahoo! Mail's second sign-in verification adds another layer of protection to your account by authenticating suspicious login attempts. For instance, if you try to sign in from a computer you don't normally use, you'll either have to answer an account security question or enter a code sent to your mobile device.
Facebook. When you enable Facebook's Login Approvals, the site will ask you to enter a verification code if you try to access your account from a new computer or mobile device. Once you log in, you can save that computer or phone as a recognized device, so you won't have to enter a code the next time around.
LinkedIn. LinkedIn recently began offering two-step verification. When logging in from an unrecognized device for the first time, you must enter a security code sent to your phone.
Twitter. Another relative newcomer to multifactor authentication, Twitter unveiled login verification last spring. When you enroll, the site will ask you to enter a six-digit passcode sent to your phone each time you log in.
PayPal/eBay. PayPal's Security Key, which also works on eBay, protects your accounts by generating temporary security codes that you use to log in. You can either register your mobile phone to receive the security codes by text message or, for $30, order a credit-card-sized hardware token that creates security codes on the go.
LastPass. If you use LastPass to keep track of all your passwords, it's especially important to enable the Google Authenticator option to protect your account.
Outlook.com and Hotmail. Microsoft recently began offering two-step verification. When you register on a new device, an authentication code is sent to one of your alternate e-mail accounts, your mobile device, or the authenticator app on your smartphone.
Considering how easy these security features are to activate, I urge you to enable them as soon as possible—and to encourage your clients to do the same!
Additional Password Tips
Multifactor authentication is a vital safeguard, but it doesn't replace commonsense e-mail practices. Be sure to share the following tips with your clients—and implement them yourself:
- Update passwords frequently. I recommend creating an alert in an online calendar to do so every six to eight weeks.
- Update password recovery options frequently.
- Never open suspicious e-mails.
- Never provide personal, sensitive information via e-mail.
- If signs arise suggesting that an account has been hacked or tampered with, immediately change the account password, report the incident to the e-mail provider, and monitor all other online accounts diligently.
How do you discuss online security with your clients? Do you recommend any other password tips for clients? Share by commenting below.