Computer Security 101: Security Questions and 2 Factor Authentication

Last time I covered password managers in my computer security series. This time I’m going to talk about something that goes hand in hand with passwords: security (or secret) questions, which are used along with your password to validate that you are the owner of the account. I will also cover 2 Factor Authentication, which is now available on almost everything that requires a login. Along with your password, these are the things that keep your data secure.

Security or secret questions are used by most if not all online services. When setting up your account you will be asked for 3 or more answers to these security questions. The next time you try to log in, type in your password wrong more than once or try to reset your password, you will be asked for one of these answers. The answers are supposed to be a way for the system to authenticate you as the owner of the account. Unfortunately the majority of users see the questions as unnecessary extra work and take the questions literally. They fill in short, easy answers that are easy to remember so they can get it over with quickly. The security questions then become the weak link in the security of the account. If the answers can be easily guessed, are known by any good friends who know you well, or can be looked up online (as when the person is a celebrity or otherwise famous), then the account is not secure at all. As the saying goes, “If more than one person knows a secret it’s not a secret anymore”.

The first thing to understand is that the questions aren’t literal. If you fill in a long string of nonsense characters it is not going to be rejected. This goes back to password managers, which can generate long strings of random characters. That is what I use to create the answers to my security questions and store them for retrieval when I need them. Some services do impose restrictions on the answers, like the length of the answer, only numbers and letters, etc. This is not too common, but you can change the settings the password manager uses to generate the answers. It will take a little more time than filling in “puppy” for “What was your first pet?” but after you finish you most likely will never have to use it again. Even if you do, having it stored in the password manager means you won’t have to memorize it anyway. All of my security question answers are 12 or more randomly generated characters. Yours should be too!
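For readers who want to see what the password manager is doing, here is an added example (not part of the original post) that generates random security answers in Python while respecting the kinds of site restrictions mentioned above. The policy names, the symbol set, the default length and the sample questions other than the pet one are assumptions made for illustration.

```python
import math
import secrets
import string

# Character sets a site might allow for an answer (policy names are assumed).
ALPHABETS = {
    "alnum": string.ascii_letters + string.digits,   # "only numbers and letters"
    "full": string.ascii_letters + string.digits + "!#$%&*+-=?@^_",
}

MIN_LENGTH = 12  # the post's recommendation: 12 or more random characters


def generate_answer(length=20, policy="full", max_length=None):
    """Return a random security answer that fits the site's restrictions."""
    if policy not in ALPHABETS:
        raise ValueError(f"unknown policy: {policy!r}")
    if max_length is not None:
        length = min(length, max_length)  # honour a site-imposed length cap
    if length < MIN_LENGTH:
        raise ValueError(f"answer would be {length} chars; need {MIN_LENGTH}+")
    alphabet = ALPHABETS[policy]
    # secrets draws from the operating system's CSPRNG, unlike random.choice
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, policy="full"):
    """Bits of entropy in a uniformly random answer of this length and policy."""
    return length * math.log2(len(ALPHABETS[policy]))


def answers_for(questions, **kwargs):
    """Generate an independent answer per question, ready to store in a manager."""
    return {q: generate_answer(**kwargs) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions; only the first appears in the post.
    qs = ["What was your first pet?", "What city were you born in?",
          "Mother's maiden name?"]
    for q, a in answers_for(qs, length=16, policy="alnum").items():
        print(f"{q:30} {a}")
    print(f"{entropy_bits(16, 'alnum'):.0f} bits of entropy per answer")
```

Each question gets its own answer, so an answer leaked from one site is useless on another.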

2 Factor Authentication, or 2FA, is a type of multi-factor authentication. It’s a method of using more than one factor of authentication to confirm you are the owner of the account. It typically uses your password and then requires a phone number to which an authentication code is sent. There are other methods, like sending the secret code to an email address instead or using the Google Authenticator app. Phone numbers and emails will be phased out soon because they are not as secure. It is relatively easy to spoof either one. To spoof means to fake or copy it so that the code is sent somewhere else, or is also sent to the person trying to access the account. 2FA is used on most everything now, from Apple IDs to Twitter and Facebook. Like password managers, secure passwords and security questions, it will make your accounts more secure. If it is available you should find out how to turn it on. Searching the internet can yield the process easily. As an example I will include instructions on how to enable it on Apple ID and Instagram; the rest you will have to search for yourself. Just remember the site should only give you information on how to enable 2FA. If the site provides a tool to download or asks you to log in in order to enable 2FA, it’s bogus; keep searching.