The growing trend of sites adding two-factor authentication to their login process has many people feeling more secure in their social media and other online interactions.
With passwords being easy to compromise through phishing attacks, many users have been hoping for something more secure. Two-factor authentication adds a second layer of protection to your account: you must know something (your password) and have something in your possession (a token). The token can be any of a number of devices, cards or other physical items, often one that generates unique codes as proof that you have the object. Think of ATMs: you need to have the ATM card (the token) and know your PIN to access your account and make any transactions. One without the other and you can't get in.
LinkedIn sends a single-use code via SMS to whatever mobile number is listed on the account, so your mobile device serves as your token. You enter this code into the site after your password to complete the two-factor login. The idea is that if your password is cracked or phished, an attacker still cannot log into your account as long as you haven't lost or compromised your phone (though if your password is compromised you should still change it and run a virus scan to be safe).
Want to enable this security feature for your own LinkedIn account? LinkedIn provides some instructions here: http://www.slideshare.net/linkedin/two-step-verification-on-linked-in.
Many other sites have similar security features so check out your account settings and give yourself an extra layer of protection.
As with any security chain, there are ways this could be compromised. The easy way is for an attacker who already knows your password to steal your phone. A more sophisticated way is for you to be phished for both your password and the code that was just sent to you, with the attacker using both before the code expires. How likely are these? That's up to your security prowess. Read more on our website about creating secure passwords (https://www.rit.edu/security/content/password), avoiding phishing attempts (https://www.rit.edu/security/content/phishing) and best practices when it comes to mobile device security (https://www.rit.edu/security/content/mobile-devices).
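The single-use, time-limited SMS code described earlier, and the two compromise paths in the paragraph above, as an added example in Python that is not LinkedIn's code or anything from this page: a server-side verifier that issues the code only after the password step, stores just a hash of it, and rejects it after one use, after a five-minute window (an assumed value; the page does not state LinkedIn's), or after five wrong guesses (also assumed). It is followed by scripted scenarios for a replay, an expired code, a real-time phishing relay in which the attacker submits the stolen code before it expires, and a guessing attempt. The SMS gateway, the phone, the user name and the phone number are stand-ins constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the SMS code
CODE_TTL_SECONDS = 300   # assumed validity window; the page does not state LinkedIn's
MAX_ATTEMPTS = 5         # assumed budget of wrong guesses before the challenge is discarded


class SmsSecondFactor:
    """Server-side state for a single-use, time-limited SMS code (illustrative, not LinkedIn's)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone_number, message): stand-in for an SMS gateway
        self._clock = clock        # injectable clock so expiry can be exercised without waiting
        self._pending = {}         # username -> outstanding challenge

    def start(self, username, phone_number):
        """Called only after the password check passed: issue a fresh code and text it."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[username] = {
            "digest": hashlib.sha256(code.encode()).digest(),  # store a hash, never the code
            "expires_at": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, username, submitted):
        """True exactly once: right code, inside the window, within the attempt budget."""
        state = self._pending.get(username)
        if state is None:
            return False  # nothing outstanding, or the code was already consumed
        if self._clock() > state["expires_at"]:
            del self._pending[username]
            return False  # expired: the user must request a new code
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]
            return False  # too many guesses: a six-digit code is brute-forceable otherwise
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), state["digest"])
        if ok:
            del self._pending[username]  # single use: the same code never works twice
        return ok


class FakePhone:
    """Constructed stand-in for the user's handset: records every text it receives."""

    def __init__(self):
        self.inbox = []

    def receive(self, number, message):
        self.inbox.append((number, message))

    def latest_code(self):
        return self.inbox[-1][1].split()[-1]


def run_scenarios():
    """Walk the flows the text describes and return which verifications are accepted."""
    phone = FakePhone()
    now = [1_700_000_000.0]  # fake clock, advanced by hand
    svc = SmsSecondFactor(phone.receive, clock=lambda: now[0])
    user, number = "alice", "+15555550100"  # constructed sample account
    results = {}

    # 1. Normal login, then a replay of the same code.
    svc.start(user, number)
    code = phone.latest_code()
    results["first_use"] = svc.verify(user, code)
    results["replay"] = svc.verify(user, code)

    # 2. The code is entered after the window has closed.
    svc.start(user, number)
    code = phone.latest_code()
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify(user, code)

    # 3. Real-time phishing: the fake site collects the code the victim just typed
    #    and relays it to the real site within seconds. The attacker wins the race,
    #    and the legitimate user, who then submits the same code, is refused.
    svc.start(user, number)
    stolen_code = phone.latest_code()
    now[0] += 20
    results["phished_within_window"] = svc.verify(user, stolen_code)
    results["victim_after_phish"] = svc.verify(user, stolen_code)

    # 4. Guessing: five wrong codes exhaust the budget, so even the right one then fails.
    svc.start(user, number)
    code = phone.latest_code()
    for k in range(1, MAX_ATTEMPTS + 1):
        svc.verify(user, str((int(code) + k) % 10**CODE_LENGTH).zfill(CODE_LENGTH))
    results["after_lockout"] = svc.verify(user, code)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>22}: {'accepted' if outcome else 'rejected'}")
```

Scenario 3 is the point of the caveat above: single use, expiry and hashing all hold, yet the attacker still gets in, because the defence depends on the code reaching only the real site before it expires. That is why the phishing advice matters as much as the second factor itself.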