LOS ANGELES — Blogger David Hobby woke me this week with some startling news on Twitter: "Your day just changed. Your e-mail is hacked. Been there. No fun." Then he added: "Two-step auth(entication) is your friend."
Two-step authentication asks you to sign in with your password, and then add a second sign-in — a numeric code sent by text, e-mail or a phone call. In effect, a double password. It always sounded like another step I didn't have the stomach to endure.
But after being hacked, there was no question — I had to give "two-step" a spin.
As for my hack: I had fallen for the oldest phishing trick in the book — a fake message on my iPhone supposedly from an old e-mail provider, saying I needed to click a link to continue my Yahoo Mail service, and like a fool, I did it.
With that, because I had told Yahoo that Gmail was a good secondary e-mail to reach me, hundreds of contacts got the fiction that I was stranded in Turkey and needed $12,000 to settle my hotel bill before I could leave the country. Tons of notes from the likes of Hobby woke me up the next day to ask if I was OK.
I responded by doing what I was supposed to — changing (again) every one of my online passwords (I have over 75), one by one, and then turning to the two-step process that Hobby swore by — and that had tripped up my son.
Google, Facebook, Twitter and Microsoft, four sites hackers seem to lurk on the most, all recommend two-step as one extra safety precaution. Basically, you sign in with your password, but the site won't let you through until you add a second numerical code—which you receive via text (most common), a phone call or an e-mail.
This process is thought to be safer because hackers will not have your phone, or device, to get to your code.
"2-Step Verification can help keep bad guys out, even if they have your password," says Google. "When a bad guy steals your password, they could lock you out of your account, and then do some of the following:
• Go through – or even delete – all of your emails, contacts, photos, etc.
• Pretend to be you and send unwanted or harmful emails to your contacts
• Use your account to reset the passwords for your other accounts (banking, shopping, etc.)"
But with three computers, multiple smartphones and a tablet, I feared two-step. Somewhere in there, the process would get mucked up, and I wouldn't get into a site I needed access to. That was the concern.
But once I added two-step for the above sites, it was relatively painless for desktop office work. I had changed my passwords, and followed up by adding the code, which came instantly via text.
The biggest pain was on mobile. Open up the Facebook app to sign in, for instance, and I need a code. So close the app, go to your texts to get the code, copy it, go back to Facebook to open it, and paste in the code.
What if you're somewhere with poor service and can't pick up your texts? Google has a convenient app for its services, Authenticator (free for Apple and Android), which creates the code for you, even if you can't get access to your text messages. Instead, you open the Authenticator app, generate a code, copy it and paste it into the site that's asking for it.
Emmanuel Schalit, CEO of password manager service Dashlane, told me that two-step verification is great and he uses it, but the safest anti-hacking technique is to have a different, unique password for every website. Because once someone has phished you, and found that one password, he or she figures you'll use that same password everywhere else, and starts going around, and really, has hit gold.
The bottom line: two-step authentication is extra effort—but it wasn't fun being hacked either.
Two-step and tough-to-break passwords are the world we live in now. Get used to it. Our information is all out there now, and this is among the best protection we have.
Readers: What's your experience been with "two-step"? Love it or hate it? Let's chat about it on Twitter, where I'm @jeffersongraham.