Layering Security: Two Factor Authentication

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”

Thus starts the story of Mat Honan, a writer for Wired Magazine. Mat’s story should be a cautionary tale for all, especially lawyers, whose duty to maintain the confidentiality of client data extends the need for added security beyond mere personal inconvenience. Mat admits that much of what happened could have been avoided by using two factor authentication on his Google account and other security measures. So, why didn’t he do it? Because adding layers of security means adding a layer of complication, and sometimes inconvenience. However, recovering from a security breach or hack at a firm would be even more inconvenient.

Google’s Gmail, Google Chrome, LastPass, Dropbox, WordPress and many other popular services have added an extra layer of security, called “two factor authentication”, that a user must enable. The idea is that a person cannot access another user’s account without both something she knows and something she has. In the case of these popular services the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device. Both are required to access the account. For two factor access to laptops there are devices like USB tokens and smart cards that must be plugged in for the machine to boot up. Likewise you can buy external biometric security devices, such as a fingerprint reader, which substitute something the user is for something the user has.

The SANS Institute OUCH! newsletter this month provides further information and links on two factor authentication for popular online services. When enabling two factor authentication, make sure to read all the instructions carefully. Matt Cutts blogs for Google on how two factor authentication works with Gmail, and dispels some myths about any perceived difficulties this may add to accessing your email.

Want to learn more about security best practices for your law firm? Sign up for the CBA CLE (1.5 IL PR Credit) “Lighting the Corners: Security Best Practices” in person or webcast on November 20 at 12 CT.

About Catherine Reach

Catherine Sanders Reach is the Director of Law Practice Management & Technology at the Chicago Bar Association.