Summer Cyber-Secure Challenge: Put Another Login Step On It
This is part 6 of our Summer Cyber Secure Challenge.
One of the most effective ways to protect your personal email is to set up an additional login step. This protects you if your password is stolen. If you don’t think that’s likely, consider this: Google studied the risks of stolen credentials in 2017 and found that up to 25% of passwords used to protect Google accounts had been compromised in unrelated data breaches. This means that up to 25% of Google account takeovers potentially happened because the account owner reused their Google password on another service which was then breached. The most recent Verizon Data Breach Investigations Report noted that 32% of all data breaches involved a phishing campaign. Phishing attacks are often meant to dupe a person into revealing their password. An additional login step adds a layer of security that can protect your account even if your password is compromised.
How Does It Work?
What is the additional step? It’s typically another piece of information you have to supply after your password is entered correctly. Rather than being a secret piece of information such as your password, the additional step confirms that you have something in your possession. It can be a random code that is generated by an app on your smartphone. Sometimes it’s a random code texted to your phone number. In other cases, it may be a USB key that you insert into your computer. Another option is a confirmation button that appears in a related app on your phone. All of these steps show that you have control of the official phone number associated with your account or an official token device. Because passwords can be relatively easy to steal, showing you have control of a related device (e.g., your phone) adds an additional element of security to your account.
Why email? Your personal email is most often the gateway to your other online accounts. Usually an app or service requires that you sign up with an email because it is unique to you (and they will need a way to contact you outside of the app). If your account falls into the wrong hands, it can wreak havoc!
In this post, we’ll examine one way to place an additional login step on your email. If you want to follow along, download the Google Authenticator app to your smartphone or tablet. It’s available for Apple or Android. Alternatively, Microsoft offers the Microsoft Authenticator app, which can be used with Apple, Android, or Windows devices.
For our example, we’ll use a Microsoft live.com account and the Google Authenticator app.
Find the two-step login setting
The option to activate two-step authentication is usually found in your password settings. Here’s how to find the setting in Microsoft:
- From your online email, select your profile picture
- From the dropdown, select My account
- Select Security from the links at the top
- Select Additional Security Options
- Find and click on Setup two-step authentication
Set Up App Passwords
When you add the two-step verification to your account, you may lose access to apps (like the email app on your phone) until you create special app passwords. These passwords are different than your main password and allow you to stay logged in to your apps without the two-step verification. Each service, like Microsoft, will walk you through how to add app passwords. Don’t worry, you don’t have to come up with them yourself!
Upon selecting two-step verification:
- There will be some information provided. Read and click Next.
- On the next screen, additional instructions will be provided regarding syncing your email with a phone/tablet. Without this step, you could lose access to email on your phone/tablet.
- On the following screen, further options will appear to set up app passwords for other types of accounts (e.g., Xbox).
- Finally, the screen to set up your two-step login will appear.
Setting Up Your Two-Step Verification
At this point, Microsoft will give you some options about how to manage the two-step login. Remember those options we listed above? You can choose to use an app on your phone/tablet, your cell phone number, or another email address. For this post, we chose an app.
- Choose the option to use an app.
- You will be presented with a QR code.
- Open your authenticator app and touch the plus sign.
- Scan the QR code. (It will use your device’s camera.)
- Now, enter the code from your authenticator app into the form field and verify it.
- If the code works, you will be given a backup code to copy down or print out. DO NOT SKIP THIS STEP.*
- Two-step verification is now active on your account!
*It’s very important to save the backup code(s) to access your account. Don’t save the codes as a computer file. Instead, print them out or copy them down (just be careful to copy them correctly!) and store them somewhere safe. If you ever lose access to your phone/tablet, you can use the backup code(s) to get into your email.
Don’t be intimidated by the idea of adding another login step to your email account; each email provider will provide detailed instructions on the process. Two-step authentication is the best way to protect your account from stolen passwords.