Two Factor Belt and Suspenders

Weak passwords are out. Strong passwords are in but may not be enough to protect you. When you use dual or two factor authentication, you add a hurdle to those attempting to get unauthorized access to your law practice information. It doesn’t involve your finger or your face, which are password replacements and not necessarily better. Instead, you supplement your username and password with a one-time code.

You already use two factor authentication in other parts of your life. Probably the most common is the PIN and cash card. You have to have both the card, inserted in a machine, and your PIN to complete a transaction. If someone steals your card, or knows your PIN, they have only half the information they need. You can replicate this with your online accounts.

Who Supports Two Factor Authentication

This isn’t a new topic and has been touched on elsewhere on Slaw. An obstacle to two factor use is that not all services support two factors. To find out who does, look at this list. It is not comprehensive, but it lists many of the most popular business-oriented cloud services. As the screenshot below indicates, you can see services that support two factor and methods of using it with that service.

cutout-of-twofactorauth

Screenshot of comparison list at twofactorauth.org

If you are at the planning stages of moving your law practice information onto cloud-based services, this may be a decision point you add to the mix. There are many options, and making it a requirement of cloud use is a reasonable protection for your client confidential and private information.

One if by Text, Two if by App

The way two factor authentication on the Web tends to work is this:

  • You visit the Web site (or login to the app) and type in your username;
  • You type in your password;
  • Once you are authenticated, you see another box that looks like it could take a password. Instead, you type a time-sensitive code in it.

You can choose how to get that code. As the list at TwoFactorAuth shows, you might have it texted to you (sent by SMS). You configure this setting in your cloud-based service, if it’s available. Let’s use Dropbox as an example. When you access your account’s security page and turn on two factor authentication, you can choose to have the codes texted to you or you can use an app.

Once you’ve logged into Dropbox with your username and password, when you get to the two-factor code step, Dropbox will text you a code. You have a limited amount of time to type it into the Web page. If you do, you will be able to access your Dropbox files.

Alternatively, you can use an app. Some services will have their own apps; Microsoft Account (Android) is a good example. Other services can be used with more generic two factor apps, like Google’s Authenticator (Android | iOS) or Authy (Android | iOS).

I prefer an app because I do not always have my phone on or may be somewhere with poor wireless coverage. When I need a code, I open my phone and the Google Authenticator app and it shows me codes for my accounts. Next to each is a small circle that shows how much time I have left before a new code appears.

Google Authenticator app on an Android phone.  You can have multiple accounts, but you need to type in the appropriate number before the blue timer turns black.

Google Authenticator app on an Android phone. You can have multiple accounts, but you need to type in the appropriate number before the blue timer turns black.

If you use a mobile device that does not receive wireless messages, like some tablets, an authenticator app that creates its own time-based codes is a must. Regardless of whether you receive the codes over SMS or auto-generate them, you need to protect your device. Once you set up your phone to be used for two-factor authentication, be sure you are locking it with a PIN or password. These codes are only safe so long as your phone is.

No Need to Be Mobile

My own reality is that most of the services I use two factor authentication on are ones I access from my desktop PC. This means I’m sitting down and working and then need to find a phone to get a code. The easiest way to avoid this is to have the cloud service remember this computer. That way, it stops asking you for codes on your primary computer and just prompts you when you attempt to access files from somewhere unusual.

Don’t do it. If your information is important enough to need two-factor authentication, then take the couple of seconds it takes to input the code each time. Your computer might be stolen, or someone might get remote access to it, and you’ve dropped the security for a bit of convenience.

Windows users can use an open source app called Winauth to avoid a mobile device. You set up each site you want to use two-factor on – Google and Microsoft are built-in but you can add others – and the app runs on your computer. I like it for a couple of reasons. First, I don’t need my phone or mobile device. Second, unlike my mobile app, it requires a password before you can get to your codes. You only have to unlock it once but it’s a nice feature.

Winauth is a Windows two factor authentication tool that works with lots of sites.  This is great if you're not a mobile user.

Winauth is a Windows two factor authentication tool that works with lots of sites. This is great if you’re not a mobile user.

While Winauth will run on a Mac under Bootcamp, you might as well use a phone in that case. It doesn’t work until you’ve logged into your PC. Mac users can use SAASPASS to protect even their operating system password. It relies on your phone but you can set it up to show a remote unlock button on your phone when it’s near your Mac and login securely.

Two Factor without Passwords

Social logins are already common: you visit a site and can login using your Google or Facebook account, even though it’s not a Google or Facebook site. A different spin on that is Unloq. It eliminates passwords and only allows authentication based on your response to an e-mail or text message. It’s intended to be used by sites as either a primary or second factor authentication login.

Google has recently announced Smart Lock, a password manager that’s integrated into its Chrome browser and other services. They have are also working on Project Abacus, a so-called “multi modal” alternative to passwords. Beyond biometrics – you can use a device if you provide a fingerprint or face print, etc., already as a second factor on some systems – the project apparently looks at how you use the device in addition to biometric attributes. A complex view of who you are by how you use your device may enable you to cut out the passwords in the future.

Two factor authentication isn’t a must. There are some sites that a strong password is sufficient for protection. However, if you have the option to use two factor authentication on services that store client private and confidential information, take advantage of it. The more obstacles to unauthorized and unintended access to your practice information, the better.

Leave a Reply

Your email address will not be published. Required fields are marked *