Something that may not be immediately apparent about accessing the various cloud-type services which have proliferated in recent years is that they can be equally accessed from any Internet-capable computer, phone or tablet in the world (and not just yours). As there are now more mobile phones than people on the planet, this means that (allowing a little poetic licence), everyone has potentially ready access into your Dropbox, Google, Evernote, Facebook, Twitter et al. accounts. This includes all manner of ne’er-do-wells.
In the olden days (i.e. pre-2010), I recall that many services required you to select a username as well as a password. This was an inherently more secure approach than the current norm which is to use an e-mail address in lieu of a username because now, the bad guys only need to work out one mystery term rather than two.
The bad news here is that by their very nature, e-mail addresses are somewhat publicly available and easy to find. We put them on websites, on articles, in our Facebook accounts. Pick a university department anywhere in the world and you could probably find out the e-mail address of the Head of Department within a few minutes. That HoD probably has a Dropbox account with his/her e-mail address as its ‘username’. You could go to the standard Dropbox web site, input that e-mail address and you are a password away from full access into potentially juicy morsels.
(As an aside here, Dropbox seems especially vulnerable to me because there is something of a need to use your best known e-mail address as your username because others want to share folders with you and they will automatically assume you use your ‘official’ e-mail account.)
The point here is that bad stuff can be done to your accounts from any computer or phone in the world.
Early in 2015, all this was beginning to trouble me and I decided to enable Two Factor Authentication (‘2FA’) for all my web accounts offering this service. Essentially, this reduces the number of devices which can get into my accounts from perhaps 10 billion to a handful. After switching this on, the first time I visited Dropbox, Evernote and all the rest, the ‘system’ sent me a numeric code to my phone via SMS which needed to be entered into the site before access was allowed. The sites then ‘remember’ the device (presumably via its MAC address or somesuch) and future access is allowed unhindered.
The text message in this example is the second factor in 2FA, the first being the usual username/password combo. Other approaches can and are used. Google will call you up on the phone. Other systems use USB dongles and the like. For this WordPress site, I use a fancy app on my iPhone. But the SMS message is the most commonly used approach.
Like most people, 99% of the time I am accessing my sites via one of a couple of devices; in my case, all my computing is done on a MacBook Air and I am a heavy iPhone user too. Because 2FA is usually a once-only process, I don’t need any of the SMS set-up business on a day-to-day basis.
Of course, setting this up in the comfort of your own office is easy. The challenge is always the later situation when you find yourself in unfamiliar surroundings and you need access to your stuff, now (e.g. you’re at a conference and you need that presentation in your Dropbox folder and you are at at someone else’s laptop). Here’s a recent example of how this worked for me.
Earlier this month, I attended an excellent course on MatLab hosted by our IT Research group. I took along my laptop and phone but the course required use of one of the PCs in the lab where it was hosted. I wanted to record relevant notes, links, files and images in my Evernote account and the easiest method was to use Evernote’s web-based access on the lab computer. After entering my username and password into the site, I was immediately sent to a further page where I needed to enter the numeric code which was sent to my phone. This arrived in seconds and I was up and running. Of course, this process adds a little extra inconvenience on the rare occasion when I am using a device for the first time, but I am greatly reassured that my own little working world is more secure that it might be.
When might this fall down? I think the only realistic situation is if you find yourself without signal to your mobile phone, and if you are in such a place, you are probably not in work mode in any case. Most of the services also provide a final level of access by issuing recovery codes which you can save offline (e.g. somewhere safe on your phone) so you have a get-out even then. In practice, I find that the numeric codes arrive almost immediately and it works internationally.
All-in-all, it’s a big win. Give it a go.