A Simple Way to Increase Your Online Security
Verifying someone’s identity has been an issue for millennia. If you are a Roman general commanding your legions in 250 BC, how might you be sure that some unknown messenger is truly from the emperor, as they claim? How could people in ancient secret societies prove their membership, and how could one be sure that a royal decree actually came from the king? If you wanted to enter a prohibition-era speakeasy, how could you prove you weren’t a cop? Historically, identity has been authenticated through methods such as signatures, secret handshakes, spoken passwords, or stamping with a unique, personal seal. Today, our society has no less of a demand for identification and authentication, but our increasingly digital world calls for modern methods of authentication.
Types of Authentication
Security experts generally agree that there are three main categories of authentication:
- something you know, like a password or PIN
- something you have, like your passport, driver’s license, or debit card
- something you are, like biometrics and signatures
While any one of these things can be used to confirm somebody’s identity, for better assurance multiple forms of validation must be used. It is possible that somebody has obtained one of these factors in order to pose as you; maybe they’ve stolen your PIN or forged your signature. But how likely is it that this same someone looks like you, knows your passwords, and has fingerprints identical to yours? It is the need for stronger authentication that drives the modern push for “Multi-Factor Authentication.”
Multi-Factor Authentication, or MFA, is where more than one of the three forms of authentication is used. 2FA is a moniker referring to exactly two of these factors. In its modern form, you will typically need to provide your password as well as a code obtained from a device in your possession. These codes are called One-Time Passwords and can be either sent to your device through a separate communication channel, or generated offline.
Many sites will support MFA through text message, where a code is generated by the company, sent to your phone in a text, and then typed into the site by you. While this is particularly convenient, it is also somewhat less secure than locally generated codes. There are documented instances of an attacker pretending to be someone else and gaining control of that person’s phone number, essentially routing all texts to the attacker’s device.
A safer alternative is the TOTP protocol (Time-based One-Time Password). This is a protocol designed to allow an offline device to generate pseudo-random codes in sync with a server. It works by passing a shared secret token from the server to the client’s device through some sort of out-of-band transmission, usually by pointing your phone’s camera at a QR code or typing out the token. Then, when you need a code, your device generates a six-digit number based on the shared token and the current time. This time-based authentication has several implications. First, the generated passcode changes roughly every 30 seconds, meaning that unless an attacker has possession of your device (or the shared secret), they have no way of reliably forging this code. Second, if your MFA device’s clock is out of sync, your generated password won’t line up with the password generated by the server, a common issue for frequent travelers.
While there is dedicated hardware out there to generate TOTP codes, for most people it is sufficient to download one of the many smartphone apps that do the job. Popular TOTP apps include Google Authenticator, Duo Mobile, and the open-source andOTP. Keep in mind, however, that losing your phone or buying a new one may result in a loss of access to your accounts. Most services will provide a short list of pre-generated, one-time passcodes in case this happens. Make sure to keep these codes in a safe location, or take a picture of the QR code and print off a copy (again, kept in a secure location).
MFA with your SparkPost Account
In order to keep your SparkPost account as secure as possible, we highly suggest enabling MFA on your account. It’s a simple step that will really help secure your account in the case of an accidental password leak or a workstation breach. For a simple guide to setting up MFA, you can refer to this doc.