From social networks to mobile apps for banking, health or the gym, passwords are in many cases the only thing standing between cybercriminals and the personal, health and financial data that users store in dozens of apps. Two-factor authentication is an easy way to add an extra layer of security to accounts. EL PAÍS tests some applications, such as Authy or Google Authenticator, that use this technique to prevent third parties from accessing personal information.
To access an account on an app or a service, it is usually enough to enter an email address and a password. Two-factor authentication adds an extra step to the process. The goal is to confirm that the user is who they say they are. Many apps, such as Facebook, Twitter or LinkedIn, make it easy to enable two-factor authentication, and they offer various alternatives for doing so. One of the most popular is to send a code to the mobile phone by text message.
However, the National Cybersecurity Institute of Spain (INCIBE) stresses that this method can be unsafe. If the user has notifications activated on the mobile lock screen, anyone could see the password received by SMS. Also, according to the cybersecurity company Kaspersky, this type of message could be intercepted by a Trojan (malicious software) hidden on the phone. “Using hidden tactics such as persuasion or bribery, cybercriminals can obtain a new SIM card with the victim’s number at any mobile phone store,” the company says. If this happened, messages would go to this card and the victim’s phone would be disconnected from the network.
Although receiving an SMS with an additional code is better than taking no action, there are safer alternatives. Many social networks and other services allow the use of a third-party authentication application downloaded to the mobile phone. One of the strengths of this type of app, compared to text messages, is that it allows you to receive a password even when there is no internet connection or coverage.
Among the most complete applications is Authy, available both in the Play Store, where it has more than 10 million downloads, and in the App Store. This platform, which allows accounts to be synchronized in the cloud, is compatible with multiple services: from Facebook to Slack, including Uber, LinkedIn, Pinterest, Discord or Snapchat. On its website, the company explains how two-factor authentication can be activated in all these applications.
This newspaper tried it with Instagram. The first step is to open the settings section of the app. Then you click on “security” and “two-step authentication”. This method, as explained by the developers of the application, “protects your account with a code that is requested when you log in on a device that we do not recognize.” To start using an authenticator application, Instagram offers a key: after copying it, you have to open the Authy app (previously downloaded), click on “add account”, choose “enter the key manually” and paste the key.
Afterwards, it is possible to choose the name of the account and the logo of the social network. In some cases, the process is simpler. For example, to link Facebook, all you have to do is open Authy and scan a QR code on your computer with your mobile. Once you have completed these steps, when you log in to Instagram or Facebook on an unknown device, in addition to entering your username and password, you will be prompted for a code that is automatically generated by Authy and expires after 30 seconds.
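Authenticator apps of this kind implement the TOTP standard (RFC 6238): the key pasted or scanned during setup is a shared secret, and both the phone and the service derive the code from that key and the current 30-second interval, which is why no connection is needed. The sketch below is an added example, not code from the article or from any of these apps; the function names are illustrative and the key is the published RFC 6238 test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid, as the article describes
# Constructed sample: the published RFC 6238 test secret, typed the way a
# setup key is shown to the user. Not a real account key.
DEMO_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

def decode_key(key_text):
    """Decode a hand-typed setup key: spaces and lower case are tolerated."""
    cleaned = key_text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned)

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key_text, unix_time, digits=6):
    """What the app displays: the counter is the current 30-second interval."""
    return hotp(decode_key(key_text), int(unix_time) // STEP, digits)

def verify(key_text, submitted, unix_time, window=1, last_counter=None):
    """Service-side check; returns the matched interval or None.

    window tolerates clock drift in either direction; last_counter is the
    interval of the last accepted code, so a captured code cannot be reused.
    """
    key = decode_key(key_text)
    now = int(unix_time) // STEP
    matched = None
    for counter in range(max(0, now - window), now + window + 1):
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(hotp(key, counter).encode(), submitted.encode()):
            matched = counter
    if matched is None or (last_counter is not None and matched <= last_counter):
        return None
    return matched

if __name__ == "__main__":
    import time
    print("current code:", totp(DEMO_KEY, time.time()))
```
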
Another alternative is Google Authenticator, which has been downloaded more than 100 million times from the Play Store and can also be found in the App Store. The app works in a similar way. To activate two-factor authentication on Twitter from a computer, the first step is to open “settings and privacy”. Then you click on “security and account access”, “security” and “two-step authentication”.
After you choose the “authentication app” option and enter the user’s password for the social network, Twitter generates a QR code. It is then enough to open Google Authenticator and scan the code with the mobile phone’s camera. If this is not possible, you can also link your account to this app by copying and pasting a key. “Once you’ve set up 2-Step Verification, you’ll be able to sign in to your account using something you know, like your password, and something you have, like your phone,” notes the Mountain View company.
Among the most popular alternatives on the market, there is also Microsoft Authenticator, which has been downloaded over 50 million times on the Play Store and is among the most popular productivity apps on the App Store. Like Authy and Google Authenticator, it allows you to link different accounts (such as LinkedIn, GitHub, Amazon, Dropbox, Google, and Facebook) by scanning a QR code or manually typing in a key. The application, which has a minimalist design, is easy to use and allows you to back up to the cloud. The codes expire after 30 seconds, and they can be set to stay hidden at first and appear only when you tap the account in question.
This type of application is useful considering that, according to the National Cybersecurity Institute of Spain, “a large part of the passwords that circulate on the network could be decrypted by an attacker in a time ranging from just a few seconds to about two hours.” In addition to using strong credentials, something for which password managers can be especially useful, the agency recommends activating two-factor authentication on all platforms that hold sensitive information, such as social networks, email, travel platforms or online banking.