TWO FACTOR AUTHENTICATION & DATA ENCRYPTION

What is Two Factor Authentication?

Most people are used to just providing a user ID and password to authenticate to Web sites. Since user IDs are often made public, your security depends on keeping your password a secret. The Heartbleed bug recently exposed on many Web servers is the latest proof that relying on passwords alone is risky. Two-factor authentication (2FA) is one way to protect your accounts and data, even if your password falls into the wrong hands.

Two-factor authentication requires an additional piece of information to be provided when you authenticate. Since a password is something you know, that information can potentially be transferred to someone else. Adding an additional piece of information to the authentication process would provide a bit better security, but has the same potential to be stolen as a password does. A better solution is to link the second piece of information to something only you possess. A familiar example of this is authentication to banking Web sites, which require you to enter your bank card number along with your user ID and password.

Two-factor authentication on mobile computing devices is often done by linking the second authentication factor directly to your mobile phone. After you authenticate with your user ID and password to a Web site that allows two-factor authentication, the site sends an access code via a text message to your phone. You then enter this additional access code as your second authentication factor before you are allowed into the Web site. The access code changes each time you log in, so only the person who has your phone can get into the Web site, even if your password has been compromised. Two-factor authentication is available for many popular Web services, including Google, Facebook, etc. You have to enable 2FA from your account on Web services that offer it.

There are a few problems associated with 2FA. It becomes slightly more inconvenient to authenticate, because you have to wait a few seconds to receive the second access code from your Web sites. Also, if you lose your phone, you could be locked out of your Web accounts until you can take steps to re-enable access. How this is done varies from Web site to Web site. Wide use of two-factor authentication is relatively new and some of the glitches are still being worked out. However, we believe 2FA is worth considering.

There are mobile apps for your smart phone that help you manage two-factor authentication, including Google Authenticator, Authy, etc. These keep track of which Web services you are protecting this way, and facilitate 2FA for your various mobile apps. Authy allows multiple mobile devices to manage the 2FA.

Data Encryption

Encryption is a process of encoding the data on the storage media on your mobile device, so that only you can read it. The encryption process protects your private data if you lose your device, even if the storage media is removed for analysis. Most modern mobile device operating systems have this security feature, but it is not turned on by default. We recommend turning it on only if your device is new, and only when it is plugged in to an electrical charger.

There is some risk of data loss or loss of access to your mobile device if you turn on encryption when you have a lot of data already on your device, or if the battery runs out before the process is completed. If you've been using your device for some time and want to turn on encryption, you should first back up your data. Some mobile device vendors allow you to back up your data to your cloud storage account with them.

If you turn on data encryption, you will be asked to set a password on your device. This password is used to generate the encryption key to encode the data and to make it readable again when you start the device or wake it up from a standby state. Make sure you choose a strong password. A guessable password allows the encryption to be defeated also.
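As an added illustration, not taken from this page or from any phone vendor, the sketch below derives a key from a passcode and shows why the passcode's strength bounds the encryption's strength: anyone holding the storage can re-run the same derivation for each guess. PBKDF2, the iteration count, the check-value scheme and the guess rate are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000  # assumed work factor; real devices choose their own


def derive_key(passcode: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passcode into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"),
                               salt, iterations, dklen=32)


def enroll(passcode: str):
    """Return (salt, check): the values kept on the device. The key is not stored."""
    salt = os.urandom(16)  # random salt makes each device's derivation unique
    key = derive_key(passcode, salt)
    check = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return salt, check


def unlock(passcode: str, salt: bytes, check: bytes):
    """Re-derive the key at start-up; return it only if the passcode was right."""
    key = derive_key(passcode, salt)
    probe = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(probe, check) else None


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work needed to try every passcode of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, check = enroll("correct horse 42")  # constructed sample passcode
    print("right passcode unlocks:", unlock("correct horse 42", salt, check) is not None)
    print("wrong passcode unlocks:", unlock("1234", salt, check) is not None)
    for name, alphabet, length in [("4-digit PIN", 10, 4), ("12-char mixed", 62, 12)]:
        bits = search_space_bits(alphabet, length)
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits, 10):.2e} years at 10 guesses/s")
```
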

If you forget your password, you will also lose access to your device and all its data. Most mobile operating systems provide a way to store your password on your cloud storage account with them. Backup storage of an encryption key is called key escrow.

How to Encrypt Your Phone

iPhone
  • To enable hardware encryption on iPhone (3GS and later) all you have to do is make sure you have a passcode for your device and your data will be automatically protected. If you do not already have a passcode for your device go to Settings -> General -> Passcode. After creating a secure passcode scroll down and select enable data protection.
Android
  • To enable data encryption on an Android device you must first have a lock screen PIN or password on your device. To create a PIN/password if you don’t already have one, go to Settings -> Security -> Screen Lock and then select PIN or password to create a new PIN or password. Now to encrypt your phone go to Settings -> Security -> Encryption then select Encrypt phone. Your phone will then begin the encryption process, which may take an hour or more and usually requires your device to be plugged in to a charger.
BlackBerry
  • To enable device encryption on a BlackBerry phone (Q10 or Z10) go to Settings -> Security -> Encryption and switch the device encryption switch to On.
Windows Phone
  • Windows Phone currently only supports device encryption when you also have a Microsoft Exchange server ActiveSync account. The encryption function on your device can only be enabled by your Exchange server administrator.