As we enjoy all the conveniences of the online world to make communication and access to information as easy as the literal push of a button, so comes the dramatic rise in digital crime and internet fraud. Just as you keep your wallet, purse and keys in a safe place, you should place similar importance on your online usernames and passwords. Protection of your information, and for attorneys, the information of your clients, starts with online security.
As more and more people use password tools to create and keep far more complicated passwords, the first layer of online protection has improved. Nevertheless, should such passwords be hacked or discovered by another (e.g. leaving that sticky note next to your computer, you know who you are), that first line of defense was your only line of defense. That’s why two-factor authentication is a must-have whenever possible.
What Is Two-Factor Authentication?
Two-factor authentication aka 2FA aka two-step authentication goes beyond your traditional username and password log-in procedure to access various websites, apps, or other internet-based portals. With single-factor authentication (SFA), the one factor protecting your account log-in is typically just your password, whether a complicated string of random letters, numbers, and/or symbols, or the name of your first pet (hopefully not the latter). Two-factor authentication provides an additional layer of security, making it much harder for online criminals to gain access to online accounts or devices.
There are various authentication check methods to combine with the use of a password alone. The type of verification for the second line of defense will likely vary with the type of system or account to be accessed. In general, the various second level authentication factors include:
- Knowledge Factors – This might be a second password to be entered, including a PIN or by answering a question or set of questions known to the user alone.
- Possession Factors – The user might receive a passcode sent to a separate device, commonly a cell phone, which only the authorized user should possess. Other examples of possession-controlled factors are USB security tokens or fobs that must be plugged into the device, an RFID card, and even GPS locating.
- Biometric Factors – This could be referred to as “true possession factors” as it involves using personal attributes of the user to authenticate, such as fingerprints or speech. Look for this authentication technique to expand to include biometrics from facial recognition and retina scans.
How Does Two-Factor Authentication Work?
For the purposes of this blog post, I’m going to focus on the commonly used SMS (a form of text messaging) method of second factor authentication. After the username and password are correctly entered – the first authentication factor – the second factor often is sent to you by a method of your selection such as via a cell number or email address already attributed to the account, or it will automatically be sent via SMS.
Within seconds you should receive a numerical code that you’ll then need to enter to complete the login process to your account. This sent 2FA code is a one-time use password and often expires quickly if not used, unlike a static, reoccurring PIN you may have for your debit card for example.
Alternatively, you can use a dedicated authentication app for a little added security and to avoid having to rely on your wireless carrier as the intermediary. These apps, such as Google Authenticator, Authy and Duo Mobile, receive codes instead of having them texted to you. You simply confirm with the app that you are currently logging into that account and the app communicates back to the account to complete the login without you having to enter any codes. Easy!
How Do I Start Using Two-Factor Authentication?
Visit Two Factor Auth (2FA) to find out which online services (from banking to government) use two-factor authentication and how to activate it. Here are a few popular websites and how to activate 2FA on these account types:
Google:
- Sign in to your Google account;
- Visit Google here and click the blue Get Started button;
- Set up your cell phone number and indicate whether you want to receive codes by text or call;
- Enter the test code Google sends you;
- Click “TURN ON” to complete the setup.
Google allows you to create printable one-time passcodes to use as backups when you’re away from your phone, like when you’re traveling. Also, you may add a backup phone number and set up Google’s Authenticator app.
On your iPhone or iPad:
- With your Apple ID password ready, go to Settings > iCloud, and select your Apple ID (likely your photo and name at the top);
- Select Password & Security and then Two-Factor Authentication to turn it on and verify the cell number.
Dropbox:
- Sign in to your Dropbox account;
- Click your name at top right and select Settings;
- Select the Security tab under your Account Settings;
- Select the “click to enable” link under Two-step verification;
- Click the blue “Get started” button in the pop-up screen and re-enter your password;
- Select the use of text messages or a mobile app, and complete the process.
Facebook:
- Sign in to your Facebook account;
- Click the dropdown triangle button at top right to select Settings;
- Select the Security and Login menu for the categories on the left;
- Scroll down to select the Edit button under Use two-factor authentication;
- Click Enable, confirm, and re-enter your password. Be sure your phone number is correct and shown as Enabled.
Twitter:
- Sign in to your Twitter account;
- Click your icon on the top right and select Settings and privacy;
- Under Security, check the box for Login verification;
- Click the blue Start button in the pop-up window and complete the process.
LinkedIn:
- Sign in to your LinkedIn account;
- Click your icon on the top right and select Settings and Privacy;
- Under the Security tab, select Two-step verification near the bottom and click Turn on;
- Check the box for Login verification;
- Re-enter your password and complete the process including adding your phone number if you haven’t already.
Amazon:
- Sign in to your Amazon account;
- Click Account & Lists and select Your Account;
- Under Settings select Login & Security Settings;
- Click Edit under Advanced Security Settings to find the yellow Get Started button to complete the process.
Just like protecting yourself and your valuables at home, no level of defense can offer complete protection. But the more layers of defense you can apply, the more difficult it will be for a break-in to happen. And the extra layer of defense also may serve as a deterrent to would-be burglars, or hackers.
In the case of security for you and your clients, consider utilizing two-factor authentication whenever possible. As reiterated in the ISBA Professional Conduct Advisory Opinion No. 16-06, issued in October 2016, lawyers must take specific steps to ensure the security of electronic data held outside their possession.
Opinion 16-06 finds that lawyers may use cloud computing services, but that Illinois Rule of Professional Conduct 1.1 requires attorneys to keep abreast of changes in law and its relation to technology. Two-step authentication is such an advancement in online security and also should be considered a “reasonable effort” to protect as confidential “all information relating to the representation of the client” pursuant to Rule 1.6.
What are you waiting for?
It is clear that becoming conversant, if not proficient, in technology is now required for being an effective lawyer. (It’s even written into a comment to Rule of Professional Conduct 1.1 that defines competence.) So, promoting professionalism includes promoting technology. We are devoting a blog in the first week of each month to an issue of technology. If I can learn it, so can you!