Attackers use domino effect to compromise your accounts
By Tony Bradley, PC World | July 31st, 2014
The two-factor authentication used to “protect” your accounts is often insecure and poses a weak link that can be exploited by attackers.
Data breach after data breach has illustrated just how weak and ineffective passwords can be for protecting accounts and sensitive information. Many sites and services have implemented secondary security protocols and two-factor authentication, but users frequently rely on information and email accounts that can be easily compromised, giving attackers a simple way to access your information.
One common secondary protocol is to have users supply an alternate email address. Sites and services will use the primary email address 99 percent of the time, but if something happens with that email account, or additional verification is necessary to prove you are really you, a message will be sent to the alternate email address. That alternate email address is often a weak link attackers can exploit.
People frequently use a “throw-away” email account created specifically for verification to unlock an account. Securing that account is generally not a high priority, though, because it’s not being actively used for email. An attacker may be able to reset the password on that secondary email account, which will enable them to unlock access to your other accounts, and the dominoes will start to fall.
The problem with many of the attempts at two-factor authentication or secondary security questions is they amount to little more than a digital equivalent of “hiding” the key to your front door under the doormat. The additional protection is trivial at best, and the false security fosters unwarranted confidence that personal accounts and data are secure.
“Using ‘throw-away’ accounts as a second form of authentication is about as effective in protecting your information as putting your password directly into the hands of a hacker,” says Jason Hart, CEO of Identiv. “I would never recommend using one of those so-called ‘anonymous’ accounts and assuming your identity is safe.”
TK Keanini, CTO of Lancope, has two pieces of advice for users. First, he suggests using a password management utility to help store and maintain all of those complex passwords that are too challenging for you to remember off the top of your head. Second, Keanini recommends using false information to answer the secondary security questions. “If the question is ‘What is the street you grew up on?’ Make the answer something of nonsense like ‘paparazzi strangers.’”
That is excellent advice. Many times the secondary security questions ask for information that you openly share on social networks. Things like your high school mascot or what city you grew up in are not exactly top secret. Using intentionally silly misinformation is a great way to use the secondary security questions to your advantage without making it easier for attackers to gain access to your accounts.
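The advice above, turned into a small script: it generates nonsense answers for security questions from a random wordlist, estimates how hard such an answer is to guess, flags answers that merely repeat facts already visible on social media, and packages each question/answer pair as a record to keep in a password manager. This is an added example, not code from the article or from Lancope or Identiv; the wordlist, the `known_public_facts` list and the record format are constructed for illustration.

```python
import math
import secrets

# Constructed mini wordlist (32 entries = 5 bits per word). A real setup
# would use a much larger list, such as a diceware list, for more entropy.
WORDLIST = [
    "paparazzi", "strangers", "lantern", "orbit", "velvet", "cactus",
    "tundra", "biscuit", "harbor", "quartz", "meadow", "saddle",
    "pepper", "glacier", "walrus", "trumpet", "anchor", "fossil",
    "canyon", "maple", "thunder", "ribbon", "parcel", "oyster",
    "summit", "lemon", "copper", "falcon", "tulip", "marble",
    "pretzel", "zebra",
]


def random_answer(num_words=5, wordlist=WORDLIST):
    """Return a nonsense answer made of words chosen with the CSPRNG
    in `secrets`, never with `random`, so the answer is unpredictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def answer_entropy_bits(num_words, wordlist_size):
    """Entropy in bits of a `num_words`-word answer drawn uniformly from
    a list of `wordlist_size` words: num_words * log2(wordlist_size)."""
    return num_words * math.log2(wordlist_size)


def is_guessable(answer, known_public_facts):
    """True if the proposed answer contains any fact that is already
    public (hometown, school mascot, pet name...), case-insensitively.
    Such an answer gives an attacker the same head start the article warns about."""
    lowered = answer.lower()
    return any(fact.lower() in lowered for fact in known_public_facts if fact)


def build_record(site, question, answer):
    """Record to store in the password manager alongside the site login,
    so the nonsense answer can be found again when the site asks for it."""
    return {"site": site, "question": question, "answer": answer}


if __name__ == "__main__":
    # Constructed examples of facts an attacker could read off a profile.
    public_facts = ["Springfield", "Tigers", "Rex"]
    question = "What is the street you grew up on?"

    # A truthful answer that also appears on social media is a weak link.
    print("truthful answer guessable:", is_guessable("Springfield Ave", public_facts))

    answer = random_answer()
    print("generated answer:", answer)
    print("entropy bits:", answer_entropy_bits(5, len(WORDLIST)))
    print("guessable:", is_guessable(answer, public_facts))
    print(build_record("example.com", question, answer))
```

The record keeps the question text next to the answer because a nonsense answer is useless if you cannot tell which question it belongs to; storing both in the same password-manager entry as the login keeps the recovery path as well protected as the primary credential.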
The important thing to remember is that it only takes one weak point to compromise your security. Make sure you give the same consideration to securing your backup email address and the answers to your secondary security questions as you do to protecting the accounts you’re using those things to defend.