In this quick discussion, uh, we, we want to help you to understand two-factor authentication: what it is and why it's critical, critical, and, uh, why it's not actually as complicated as it sounds. Right. So we all know this is Robbie. Hi. Uh, so Robbie, what's your password? My password, Jeff? Should I really tell you? Yeah, you have to. winston2075. Really, really easy for me to remember, because Winston is the name of my beloved cat who left us a year ago. I remember Winston, he was a good cat. Uh, but I don't get the 2075. 2075? Well, that clearly, Jeff, is the, uh, the year of the Linux desktop. Oh, clear, clearly. Oh, clearly. Oh, burn. [Laughter] Well, I guess that makes perfect sense.

Uh, okay, so now that, uh, you know, our viewers of the show, you and I, we all know each other. Um, if we kind of walked down the street, we see each other, I would say, "Hey, uh, I'm Robbie." What? "Yeah, yeah, yeah, that's am the Bald Nerd." And, uh, you'd say, "Um, I don't think so." And I'd say, "But really I am, my password is winston2075," uh, which obviously is correct, right? Yeah. Um, how do I know this? But you still don't believe that I'm Robbie. So, uh, there's one thing that I didn't think of, and that's the fact that you know what Robbie looks like, uh, and you know that clearly I'm not him. I couldn't grow a beard like that if I tried.

When you sign into your online account, you've got typically a username and a password, right? So that's basically so that the server can tell that it is you that is logging in, right? Your username is often something that is publicly accessible, so that could be your email address, or in my case, like, it could be baldnerd, right? So that username is not something that is a security factor whatsoever. Of course, anyone can get that. So, um, anyone who knows your password can say, okay, well, my username is baldnerd and my password is winston2075, right? So now they can access your account, because those are the only factors that you have, basically just the password, right? The plot thickens if you've got the same password on other
services as well, which so many people do. Don't do that. Yeah, and that's why we say do not have the same password on other services, because if you get compromised on one, you're now compromised on other, but on others. But, um, the other thing is that, let's say they're able to get into your email. Yes. Something like that, right? So now all of a sudden they can go on to other sites, your online banking and things like that, and they can click on "forgot password," and they're going to be able to reset your password and gain access to those services as well. So with the username and password combination, the server itself, so the connecting server, whether it's like your online banking or Twitter or Facebook or whatever it is you're logging into, it has no way of actually verifying that the person who's logging in is in fact you, right? They know the username and password, and so they're given access, right?

So two-factor authentication, sometimes called multi-factor authentication, it can be intimidating, it can sound kind of complicated, but really it's just a way for the online server to recognize that when, uh, when someone is logging in as you, that it is in fact you. You, right. Um, so the server is able to say, "Yeah, that's the right password, but I know Robbie, and you're not him." Right. Okay, so then how do we do that? And really it comes down to that the easiest way is something like this, something you already own: your smartphone, right? How many of us have a smartphone sitting in our pocket right now? Exactly. You might be watching the show on your smartphone. You've got it on you all the time. That's right. That is probably my wife's biggest complaint about me, is that it's literally on me all the time. But that's convenient when it comes to this. Absolutely it is, because even though somebody might be able to obtain your password and your email, uh, because that's not really impossible, it's a lot harder and less likely that they're going to have physical access to your phone. So with two-factor authentication
enabled, once you enter your password, uh, and your login for the account, you'll be, uh, prompted to obtain and enter a code from your phone. It could come in through text or, you know, maybe through an app, whatever, but, you know, your phone becomes that second factor in the authentication process, which makes it two-factor authentication. So it's not really as complicated as it sounds. Online services, um, such as Google Drive, yep, Gmail is, is part of that, um, we, we talk about Amazon and AWS, that's right, Twitter, Facebook, your online banking, they all support multi-factor authentication. So you want to look online and check your settings and see if you can set that up, and if you're having trouble finding the way to set up multi-factor authentication, just reach out to the service provider and they'll be able to give you help. Yes. It's a really, like, it's not the end-all be-all solution, but it's an excellent way for you to better secure your account, so that as somebody else tries to access your account with your username and password, if they ever get it from a phishing scam or by a man-in-the-middle attack or something along those lines, well, they're not going to be able to access your account, because they don't have your phone. Yeah, that's right. It's a really, really smart thing to have.

And one of the things, because I've run into the two-factor authentication with my kids, yeah, when we upgrade our phones, we'll hand our old phones to them, their gaming device, their whatever, but because there's no longer a phone number attached to it, sometimes with some of their services, every once in a while it's going to want a phone number. And so for the longest time I was giving them my cell phone, so I'll be at work and all sudden I get a blue and it's "you're trying to log in, here's your code," and it was like, I, I gotta call one of them right now. Obviously, you know, you have to look for the services that you're going to enable this road that I'm about to mention, but I found a service, like an application that
gives you a, a digital phone number, where it will then come through to your phone even though you don't actually have cell phone service. So you don't, I might, like my kids don't have a physical phone number, but they have a service on their phones. SMS? Yeah, so they can get text messages to a phone number, so now they can put in their own two-factor authentication. Right. Now, if you're gonna go down that road, because maybe you don't have a phone but you've just got a tablet or something, if you go down that road, make sure that what you're using is a trusted source, because otherwise an untrusted source is going to have that number. Yeah. They might be able to do a man-in-the-middle on your side. That's right. And you don't want to do that, so you want to pay attention to the sources you use. Uh, and in our case, uh, it was MagicJack. Okay. Because you can get a MagicJack phone number for free, yeah, uh, a U.S. number, so that's what we used. Oh, neat. Yeah, MagicJack is trustworthy, we've been using them for, gosh, 15 years now. Wow. So cool. You know, now my kids have the MagicJack app and they put a phone number in and ... Interesting.

Okay, so I've taken a different approach, and I use the Google Authenticator app. Okay, so which one, the app route? Yeah. And so with that app, it uses what's called OTP, or one-time password. So when I log into any of my two-factor authentication enabled services, it then prompts me for my multi-factor authentication code, my OTP. So then I bring up the app and it shows me a one-time password that I now need to enter into that service in order to access it, which has the same effect of, okay, well, I don't need to have them texting me, right? I don't have to worry about that man-in-the-middle attack. There's so many different ways to set up two-factor. It really is. But really what it boils down to is just the fact that, you know, somebody is not going to have access to the SMS messages going to your child, somebody's not going to have access to my phone with that authenticator app. So it's just
finding one that works for you and setting it up so that you've got that multi-factor authentication, so that you're protected, because really, I mean, these days, wow, it's incredible how many phishing scams are out there. Yeah. Um, I get emails, just to put it into perspective, I get emails that appear to be from my boss, okay, from my employer, with links to click here and, and enter my info, and these are called spear phishing scams. So these are, some hacker or somebody is trying to gain access to my account, and so they've researched me and they've learned about me and they've learned about who my employer is, to the point where they can now send me an email masking and pretending to be my employer and saying, "Hey, click here."

So when you put that into the perspective of an auto shop, and the service technician gets an email from the boss and maybe is not as, um, security conscious, well, security conscious, but also just, like, I, I am, I know what to look for. Yeah, that's fair. You know, so I, I know, okay, this is definitely not coming from my boss, and I'll look at the email headers and things like that, because I understand them. Yeah. But what if that, and just using the shop technician as an example, okay, um, what if they fell for it? What if the accountant opened that fake invoice that gave them access to the username and password for their email? Again, they can use that, the hacker can use that to then gain access to other accounts, because they can do "forgot password," that's right, or they can send email as that user and, and take it even further, and this is how ransomware happens and things like that. That's true. So spear phishing is where they learn enough about you or your company to be able to make it look completely legitimate, and that happens a lot.

So what happens if that shop technician falls for it and gives out their username and password? Well, if they have two-factor authentication enabled on their accounts, yes, the spear phishing attack has now got your username and password; however, when they
try to access it, it's going to prompt for that two-factor authentication. So in the SMS example, the shop technician is now going to receive a text, yes, and they're going to say, "Well, I didn't request a login." That's right. "That's weird." Or in my case, it's never even going to, I'm never going to know about it, because they're just going to be notified that they need to enter their one-time password, that's right, and they're not going to have it, because they don't have my phone. That's right.

So, some food for thought when you're thinking about two-factor authentication, multi-factor authentication: just to set it up. It is absolutely required these days. You got to stay safe, and really there's no excuse not to. Really isn't. We all have a phone in our pocket, Jeff. That's true. And if you don't, for some crazy reason, there's that, there's an app for that. There are ways, you'll find it in, and that's why I say talk to your service provider, because they will tell you the various ways that you can set up multi-factor authentication.