How-to secure your social networks with two-step authentication

This blog post examines two-step authentication as a means of toughening your online security. It outlines how you go about switching on the additional security features that social media networks now offer to counter account hijacks. LinkedIn and Twitter have both hardened their security in recent weeks following high profile hacks such as the Associated Press hack in April. In the Associated Press case, a false tweet resulted in a fall of more than 140 points in the Dow Jones industrial average.

Such attacks are a significant reputational issue. So-called two-step or two-factor authentication, or verification, addresses the issues but places the onus on the user to delve into the settings for their account and switch it on.

Two-step authentication requires the user to enter a code, typically generated by a third-party app or sent via SMS to a mobile phone associated with the account, either at periodic intervals or each time a log-on attempt is made from a new browser.

Two-step authentication makes it harder for a hacker to break into your account. While it may be possible to crack or steal your password, the need for a second, typically time-limited security code makes breaking into an account much tougher.

It takes an additional few seconds to access your account when you're asked for an authentication code but that's nothing compared to the time it would take to clean up after a hack.

In addition to LinkedIn and Twitter, online platforms such as Amazon, DropBox, Google, Facebook and WordPress, to name a few, have all implemented two-step authentication.

Vigilance still required

Two-step authentication provides an additional level of security above a username and password. It makes it harder to hack a social media account but it isn’t a panacea for all security ills.

Mobile apps on Android, BlackBerry and iPhone and third-party tools typically don’t implement two-step authentication and remain limited to a username and password. Google services are the exception to this rule (see notes below).

Two-step authentication doesn’t protect against one of the most common social media hacks other than username and password breaches: a rogue application that has been granted access to a social media account and posts on its behalf. This remains relatively common on Twitter, resulting in dodgy tweets or direct messages. You need to be vigilant about what applications you connect to your social media profiles.

Ensuring you’re not locked out

Two-step authentication using SMS is not without its challenges. If you’re in an area of limited mobile phone coverage such as underground or in a rural area, you may struggle to get online.

For this reason some applications and platforms use a third-party mobile app to generate a time limited code. Google Authenticator is rapidly becoming a standard.

Two-step authentication is challenging for administrators of brand accounts on platforms such as Twitter where access is via a single username and password.

Authentication via a single mobile device when the account may be managed by multiple people raises all sorts of governance and workflow issues. It’s an issue that my colleague Alastair Sibley has explored at length at Ketchum and is something that the social networks need to address.

For now I’d recommend using a third-party management tool that doesn’t necessitate two-step authentication.

Configuring two-step authentication

In some instances you need to work hard to switch on two-step authentication and associate your account with either a mobile phone number for SMS or a third-party authentication app.

I’ve summarised how you implement it for the major online and social media platforms below. A Google query will find help solutions for other applications and platforms.

Dropbox

  1. Login to your account.
  2. Access the Settings via your account menu (top right of the home page).
  3. Select the Security tab and then click on the Enable Two-step verification link.
  4. Follow the set-up wizard and select either text messages or an Authenticator app.
  5. Dropbox allows you to add a second mobile phone. It also provides an emergency code to disable two-step verification.
  6. You’ll receive confirmation that the process is complete via email.

Facebook

  1. Facebook is one of the easiest services to configure. Login to your account. Select Account Settings from the Gear icon on the top right of your Facebook account page.
  2. Select Security from the menu and then Login Approvals.
  3. Follow the wizard to configure two-step authentication via SMS or Google Authenticator. It’s a painless process.
  4. You’ll receive confirmation that the process is complete via email.

Google services (Gmail, Google+ etc)

  1. Login to your Google account via google.com/account and select the Security tab.
  2. Select the Settings button under the 2-step verification heading and follow the wizard.
  3. Follow the set-up wizard and select either text messages, voice or an Authenticator app.
  4. I use the authenticator app and a mobile phone as a back-up. Open the app and follow the configuration settings. Scan the barcode or enter the string of text to verify the account.
  5. You’ll receive confirmation that the process is complete via email.
  6. Google provides a series of printable backup codes if for some reason your mobile phone isn’t accessible. You need to print these off in batches of ten and keep them safe.
  7. Some Google applications that work outside a browser aren't yet compatible with 2-step verification and cannot ask for verification codes such as AdWords Editor or email clients. In this instance you’ll need to set up an Application-specific password.

LinkedIn

  1. Login to your account.
  2. Access Privacy & Settings via your account (menu option via your Gravatar on the top right of the home page).
  3. Select the Account tab from the options and then click on the Manage security settings link.
  4. Click Turn On Two-step verification for sign-in.
  5. Select the country and the mobile phone number that you want to use as the verification token for the account.
  6. Enter the code that you receive via SMS. You’ll receive confirmation that the process is complete via email.

Twitter

  1. Login to your account.
  2. Select Settings via the Gear icon on the top right of your Twitter account page.
  3. Select the Mobile tab from the options and validate your account with the mobile phone that you want to use for verification – if you haven’t done this already.
  4. Select Account tab and scroll down to account security. Select the box marked Require a verification code when I sign in.
  5. Follow the confirmation process.

WordPress

  1. Login to WordPress. Install and activate the Google Authenticator plug-in for WordPress. It takes a couple of minutes.
  2. Download the Google Authenticator Android, Blackberry or iOS app, if you haven’t already.
  3. Run the app and press the menu button to select the option to Add An Account.
  4. Select 2-Step Verification from your WordPress account (menu option via your Gravatar on the top right of the home page).
  5. Scan the barcode or enter the string of text to verify the account.
  6. Add email back-up. Select 2-Step Verification.

Andrew Grill and Neville Hobson have both written about this issue and are well worth looking up.