Internet users are doomed.

I don’t mean you or me, because the fact that we’re reading this article on the Tripwire State of Security blog means we at least have a passing interest in protecting ourselves online.

No, I mean those folks who, like us, use the internet but don’t take the steps necessary to put in place the most rudimentary defences to prevent themselves from being hacked. Sadly, I suspect I’m talking about the vast majority of internet users.

Most people don’t use password managers to generate hard-to-crack unique passwords, preferring to rely on their puny brains instead and inevitably reusing login credentials between multiple services. Most people don’t run a VPN, leaving their traffic exposed to snooping when they use a public Wi-Fi hotspot. And, as a presentation by Google software engineer Grzegorz Milka this week revealed, hardly anyone is using two-factor authentication (2FA).

A well-implemented two-factor authentication system means that the only thing standing between a hacker and your online account is no longer whether they can determine your username (often just your email address) and password.

Even if a hacker has managed to determine your password (perhaps because you chose a poor one, or perhaps because you made the mistake of reusing it on multiple websites), the two-factor authentication check will ask them for a one-time six-digit passcode generated by a hardware token on your keyring or an authenticator app on your smartphone.

No one-time passcode? No entry.

Clearly it’s a higher level of security, and one which is enough to encourage a typical hacker to look for someone else’s account to break into rather than yours.

Two-step

And yet, Iain Thomson of The Register reports that Grzegorz Milka’s talk at Usenix’s Enigma 2018 (Read more...)