On Thursday, December 12, we discussed how Two-Step Verification and Passkeys help protect your online accounts from potential threats.
The articles Chris found were a bit technical and filled with jargon, so there was a lot to clarify. Here’s a summary of what we (sort of) understood.
You may have noticed that when you check your email on your phone, tablet, or laptop, you don’t need to enter your username and password each time. These devices are considered your “trusted” devices because you use them regularly, and they’re locked with a password, PIN, or pattern. This means if they get lost, no one else can access them.
It’s important to lock your “trusted” mobile devices. If they aren’t locked, anyone who finds them can access your accounts, like email or online shopping, since usernames and passwords are usually saved automatically. Lock your phone with a PIN, swipe pattern, or use additional security features like fingerprint or facial recognition. These options are easy to configure. For example, Chris demonstrated setting up facial recognition to unlock her phone (it works well, though not in the dark!). On Android phones, you can find these settings under Settings > Security.

To log into your e-mail account on an “untrusted” device, you have to enter your username and password. But what if someone else knows your password? They could easily access your account. Here’s where “two-step verification” comes into play. To add to the confusion, there’s also “two-factor authentication”, which is slightly different: https://www.techtarget.com/searchsecurity/definition/two-step-verification
However, to simplify things, many people lump the two together. Basically, both methods add an extra layer of security so that to access your e-mail account on an “untrusted” device you will need not only your username and password but also confirmation that it is really you trying to log in. This is usually done by entering a verification code or responding to a prompt sent to your phone. Remember, your phone is a locked “trusted device”.
Here’s what Google says about Google prompts:
“You’ll receive Google prompts as push notifications on:
Android phones that are signed in to your Google Account.
iPhones with the Gmail app, the Google Photos app, the YouTube app, or the Google app signed in to your Google Account.
Based on the device and location info in the notification, you can:
Allow the sign-in if you requested it by tapping Yes.
Block the sign-in if you didn’t request it by tapping No.
For added security, Google may ask you for your PIN or other confirmation (e.g. swipe, fingerprint etc.).” https://support.google.com/accounts/answer/185839
There are other ways to verify it is you, such as using a hardware security key, which looks like a thumb drive. You have to remember to carry it around with you, of course!

There are also backup codes. These are strings of numbers which can be used only once. The idea is that you print these out and carry them around with you on a slip of paper.
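How a service can make a backup code work only once, shown as an added Python example that is not from the original article or from any provider's own code. The function and class names, the 8-digit code length and the salted SHA-256 storage are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count=10, digits=8):
    """Create unique random numeric codes, shown to the user once for printing."""
    codes = set()
    while len(codes) < count:
        codes.add(f"{secrets.randbelow(10 ** digits):0{digits}d}")
    return sorted(codes)


def _digest(code, salt):
    # Assumption: salted SHA-256 keeps the example stdlib-only;
    # a real service would normally use a slow password hash here.
    return hashlib.sha256(salt + code.encode()).digest()


class BackupCodeStore:
    """Hypothetical server-side record: salted hashes of the unused codes only."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {_digest(code, self.salt) for code in codes}

    def redeem(self, submitted):
        """Return True and consume the code if it is valid and unused, else False."""
        cleaned = submitted.replace(" ", "").replace("-", "")
        candidate = _digest(cleaned, self.salt)
        match = None
        for stored in self.unused:  # constant-time comparison against every stored hash
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.unused.remove(match)  # single use: the code is gone after one sign-in
        return True

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    printed = generate_backup_codes()
    store = BackupCodeStore(printed)
    print(store.redeem(printed[0]), store.redeem(printed[0]), store.remaining())
```

Because only hashes of the unused codes are kept, the printed slip of paper is the only readable copy, and a code that has been used once is rejected if someone tries it again.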
Two-step verification is rolling out everywhere. For example, it can be enabled on shopping sites such as Amazon so that no one else can use your account to make purchases, even if they know your username and password.
Passkeys
They say that passkeys will be the end of passwords (and password managers!), but it’s difficult to understand how they work and there’s a lot of confusion about what they are. https://www.techradar.com/computing/software/passkeys-are-the-end-of-passwords-and-yes-you-want-them In simple terms, you use a “biometric” ID to verify your identity, such as a fingerprint, facial recognition and perhaps an iris scan. Just that. No password needed. The thing is that you’ll have to use a trusted device which can manage biometric IDs. An old laptop won’t be capable since it doesn’t have a fingerprint sensor and the camera is unlikely to be compatible with Windows “Hello” – which is a fancy name for a Windows passkey.
A smartphone, tablet or modern laptop will be capable of dealing with passkeys, but the website or service you are logging into must also support them.
Passkeys are more secure than passwords: “Unlike passwords, passkeys can only exist on your devices. They can’t be written down or accidentally given to a bad actor. When you use a passkey to sign in to your Google Account, it proves to Google that you have access to your device and are able to unlock it.”
This article from Google describes what you need to set up a Google Passkey: https://support.google.com/accounts/answer/13548313
The instructions look rather daunting. Any volunteers?
(PS: Amazon supports the use of passkeys too!)
Chris Betterton-Jones – Knowledge junkie