I run a business, have paying clients, and do other activities online that should be protected from the evildoers of the world. So this month I challenged myself to be a little more security conscious online. Sure, I use strong passwords, try to visit sites that offer SSL (https://), use different passwords for different sites, don’t access unknown wifi networks, etc., but ultimately I am still one password away. If someone were to gain access to my email @TheComputerBoy.com they’d be able to reset other passwords, obtain client usernames and passwords, and ultimately cause a lot of havoc.
The first step I took was actually turning on the passlock on my phone. Since my email goes to my phone (two thumbs up for Android, by the way), anyone who was able to get my phone would be able to access my email. Yes, I know, I know, you’re asking yourself why he didn’t have a passcode on his phone in the first place. In the first place…I did. Then I got tired of punching in the code over and over each day. As the weeks turned into months and then years, my phone was never lost or stolen, making all of those passcode entries seem unnecessary. I admit I will probably lose my phone tomorrow, or at least I acknowledge the possibility of losing it tomorrow, so the passcode is back. It’s been almost a week and honestly it isn’t that bad.
Next step is locking down the email. Google Apps for Your Domain (a free service that we will install for you, by the way) recently began offering 2 step login verification. The traditional email setup has a 1 step login requiring a username and password. With a 2 step process, not only do you have to enter your username and password, but you also receive a text message with a code that must be entered to fully log in. If your phone is out of service or lost, you can also receive an automated voice call to a predetermined phone number (probably wise not to set it to the same cell phone!) which will tell you the verification code. You can even print out 10 one-time-use codes ahead of time and keep them in your wallet.
The beauty of the 2 step process is the security of requiring both codes (password and verification code) at the same time. Say I’m at a friend’s house who has unknowingly had their computer infected with some type of key logger. I log in to my account with my username and password. My phone receives an SMS text message with the verification code for that login. The key logger now has my username and password; however, I know they can’t access my account without the new verification code that would be emailed to me if they did try to log in.
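The key logger scenario above can be modeled in a few lines. This is an added example, not part of the original post and not Google's implementation; the class `TwoStepAccount`, the function `replay_captured_login`, and the 6-digit and 8-digit code formats are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class TwoStepAccount:
    """Toy model of password + one-time-code login (assumed design, not Google's)."""

    def __init__(self, password, n_backup=10):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._pending = None   # code "texted" for the login in progress
        self._last = None      # previous code, never issued twice in a row
        self.backup_codes = set()  # printable one-time codes for the wallet
        while len(self.backup_codes) < n_backup:
            self.backup_codes.add(f"{secrets.randbelow(10**8):08d}")

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def start_login(self, password):
        """Step 1: check the password; return the code that would go to the phone."""
        self._pending = None
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        code = self._last
        while code == self._last:
            code = f"{secrets.randbelow(10**6):06d}"
        self._pending = self._last = code
        return code

    def finish_login(self, code):
        """Step 2: accept the pending code or an unused backup code, exactly once."""
        if self._pending is None:
            return False                      # step 1 has not succeeded
        if hmac.compare_digest(code.encode(), self._pending.encode()):
            self._pending = None              # spent: cannot be typed again
            return True
        if code in self.backup_codes:
            self.backup_codes.discard(code)   # backup codes are one-time too
            self._pending = None
            return True
        return False

def replay_captured_login(account, password, captured_code):
    """Re-submit what a key logger recorded: the password and the code typed."""
    if account.start_login(password) is None:
        return False
    return account.finish_login(captured_code)  # a fresh code went to the phone
```

The replay passes step 1 because the password is still valid, which is why the password should still be changed after typing it on an untrusted computer.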
Today is day 1 of using 2 step login verification. I’ve challenged myself to go 30 days to see if I want to continue using the 2 step verification or revert back to “normal”. So far so good. I will post an update in a week or two to let you know how things are going.
For those interested in using 2 step verification for your Google Accounts, Lifehacker.com has written a real good how-to article detailing the steps that are needed.