Two-factor authentication

Security is hard. In fact, it’s pretty much impossible; it’s all a question of making your house look like it’s going to be more work to break in than there is gain to be had, and that going elsewhere will be easier. For the average house on the street, owned by the average joe, to the average thief, that means having no obvious valuables visible from outside, having locks, windows in good repair, lit approaches, and generally not looking like the easiest pickings on the street. If someone is targeting you specifically, it gets a lot harder; there isn’t an ‘elsewhere’ for them to go, and the bar for deterrent is much, much higher.

It’s pretty much the same thing with server security. Most attacks on servers are wide-cast nets, looking for obvious vulnerabilities and brute-forcing passwords; the people controlling these botnet-powered scans aren’t concerned about getting into your server, they just want to get into lots of servers. Anyone who is being specifically targeted needs a high degree of security expertise and likely outside support to fend off attacks, but for the rest of us, best practices will generally keep things pretty safe: keeping software up to date, following best practices about firewalls, using a password manager, and turning on two-factor authentication everywhere it is possible to do.

Thankfully, that last point is getting easier. The Google Authenticator project provides client (iOS, Android, Blackberry) packages which work with more and more compliant systems – including Google, of course – and a server (Unix PAM) package to allow securing ssh (or sudo, or ssh only for users with sudo, or…) accounts with two-factor authentication. There is a WordPress plugin (thanks, Alex) to require it on your blog, and Amazon’s AWS and Dropbox both implement it for account access.

Start using two-factor authentication now, and encourage your favorite web services to implement it as well – it’s really, really easy to set up, and it is one of the most effective deterrent systems currently available for login security.