In my former life running an IT consulting company, security was a big topic and making sure people were who they said they were (i.e. when they were logging in remotely to check their email) was a key part of securing our clients’ networks. You might think that usernames and passwords would be enough, but entering these on a login page doesn’t prove it’s actually you, it only proves that you know the username and password.
That’s where so-called two-factor authentication comes in. Without geeking out too much, the basic idea is that there are three things you can use to establish your identity: something you know (username/password/PIN), something you have (passport/credit card/security token), and something you are (fingerprint/face geometry). Two-factor security just means using at least two of these to establish your identity.
This may sound complicated, but if you have an ATM card, you’re already using two-factor authentication — something you know (PIN) and something you have (ATM card). One doesn’t work without the other and without both there’s no cash for you.
So, what does this all have to do with travel?
Well, it turns out there’s easy-to-install software and hardware that allow an unscrupulous third party to eavesdrop on your surfing and capture your usernames and passwords as you type them. This practice is known as keylogging and if you’re not careful, you’ll inadvertently “outsource” the management of your Facebook profile, or worse, your finances to somebody who may have a funny idea or two. (Perhaps you’ve had a friend or two stranded in London, that just needed some cash? I’ve experienced this firsthand and so has a former client of mine.)
One of the ways two-factor authentication protects you against eavesdropping is through the use of one-time passwords (OTP). Just like it sounds, an OTP is an additional code that is created by a device or system only you have access to and that can be used only once. So, even if it’s captured through keylogging, it can’t be used again after you click the login button.
If you’re wondering whether this is a theoretical threat, let me assure you that it’s not. First, you should know that I’m not an alarmist by nature. I don’t think fear mongering is ever the right answer and I find almost all security risks can be mitigated through practical/pragmatic solutions. Second, I’ve been in way too many internet cafes (in places like India) where the keyboards barely worked, the operating system was bootlegged, and the electricity would cut in and out. The idea of properly securing these systems to ensure a safe internet surfing experience would have surely been considered a luxury only a westerner could have dreamed up and demanded.
The good news is that financial institutions, like Bank of America, Citibank, and PayPal (and as a result eBay), have taken notice and are starting to provide more secure ways for accessing their sites. Other companies are stepping up too. Google has incorporated two-factor authentication into its Gmail service and Facebook provides a number of opt-in security features, including login notifications and one-time passwords. There are also products that allow small businesses to secure their networks using two-factor authentication.
If the thought of yet another security “enhancement” leaves you pining for the simplicity of yesteryear, keep in mind that ALL security measures have felt annoying when they were first introduced, but with ubiquity comes improvements in usability. Eventually we’ll carry one universal security access token or card that allows us to securely log in to all sensitive websites and systems.
In the meantime, get prepared. Before your next trip, give some thought to what sites and services you’ll need to access online while you’re traveling. Investigate whether these companies provide any additional layers of security that can help ensure a safer internet experience (try googling the company’s name + “two factor authentication”). This might involve using your mobile phone to receive a special code by text message (SMS) that you can use to log in or using a specialized app on your iPhone to generate a one-time password.
Here’s a recap of the companies I’ve mentioned above that currently provide additional layers of security:
What other precautions do you take online to protect yourself?