The problem with security is that both sides keep getting smarter. You start using stronger passwords and the other side gets better at cracking them. You start using a physical authentication key and someone steals it. It goes on and on.
The latest trend in security is the “authenticator app.” Microsoft has one, Adobe has one, Google has one, and several other third-party apps promise to unify the experience for you if you use several apps. This is supposed to be more secure and keep you from getting hacked.
How do these things work?
If you need to log into something like Office365, Adobe Photoshop, or Gmail, you can set it all up so that it asks you for a unique code every time you log in. That code is generated by an app on your phone, and it changes every minute or so.
So the idea here is that in order for someone to steal your identity, they have to (a) have your actual username and password (b) have access to your email if the web site checks location and alerts you, (c) have the ability to unlock your phone and (d) knows how to use these apps. That’s a pretty tall order for someone on the other side of the planet. And that’s the idea.
How is that better than “two-factor” authentication?
Two-factor authentication, or 2FA, sends a text to your phone with a code that you need to enter. There are two problems with this. First, some people have their phones set up to read texts without unlocking the phone. Second, text messaging really isn’t that secure. Your texts can be stolen pretty darn easily.
The hope is that this adds a level of security that text messaging can’t. It should, in most cases. It also shouldn’t be that hard to manage.
It’s still not a perfect system
Depending on how you manage your passwords and the rest of your digital life, someone could spoof your phone, install these apps, control your email account so that they could confirm the app’s use, and then still get control of your computer and such. All of this still depends on you using strong passwords and not sharing them. It’s the human factor that, once again, is the weak link in this plan.
It’s still better than…
Back in the 20th century, there were a lot of similar plans for protecting software access. The worst was the “key disk” idea. A key disk was a floppy disk that needed to be inserted so that software installed on your hard drive would work. It was deliberately damaged so that it couldn’t just be copied. Unfortunately, these key disks weren’t really durable and when the floppy disk broke, your software became unusable.
Another bad idea was the physical authentication key. Very early computers literally had locks on the hard drive so you could prevent access. That is, unless you had a screwdriver, could open the case and cross the wires to the lock. That gave way to authentication cards, credit-card-sized devices that needed to be inserted into a special reader. That ended up being too expensive and the next step was doing something similar with flash drives. But then, again, those proved too easy to hack.
Where is this all going?
I’ve said it over and over, the idea of passwords is fundamentally a bad one. It’s impossible to remember all of them, especially the strong ones. Yes you can use a password manager but what happens when that gets hacked?
You can be happy about it or you can be sad about it, but that’s not going to change much. The only thing you can do to keep secure is… everything. Use strong passwords. Change them frequently. Use 2FA or an authenticator app. Monitor your bank and credit card activity. It may seem like keeping safe is a full-time job, but it’s just what it takes. It’s part of life, and not likely to change.