Latest news with #multifactorauthentication


Fast Company, 13 hours ago
Those security codes you ask to receive via text leave your accounts vulnerable. Do this instead
Do you receive login security codes for your online accounts via text message? These are the six- or seven-digit numbers sent via SMS that you need to enter along with your password when trying to access your bank accounts, health records, online photos, and more. This type of security is known as multifactor authentication (MFA) and is designed to keep your account secure even if someone knows your password. Without the additional security code, bad actors can't gain access to your data. Or at least that's the idea.

It's increasingly evident that security codes sent by text message may leave our data less secure than we thought. Fortunately, there are other, more secure ways to keep your accounts safe. Here's why it's probably a good idea to stop using SMS for your security codes, and what you can use instead.

An opaque security code industry

You may think that the text message you receive with the code you need to log into your account is coming from Amazon, Google, Meta, or whoever provides the service you are logging into. But it's probably not, and therein lies the security risk.

Bloomberg and Lighthouse Reports just released an alarming report revealing that some of the most prominent tech companies recommending that users enable multifactor authentication, including Amazon, Google, and Meta, have used third-party companies to send their security codes to users via text. Some of these third-party companies have been linked to institutions in the surveillance industry and even government spy agencies. Additionally, some of the security codes that these third-party companies were responsible for transmitting have been associated with data breaches of individuals' accounts. Worse, the intermediaries operating in this space do so with little oversight from their tech-giant clients or regulators.

And the Bloomberg and Lighthouse Reports piece isn't the first to warn about the vulnerability that texted security codes expose users to. In December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to the public, urging people to migrate away from receiving security codes via text. 'Do not use SMS as a second factor for authentication,' CISA's memo warned. 'SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them.'

But this vulnerability in texted security codes doesn't mean you should revert to using merely a password to access your accounts. Instead, you should consider a superior form of multifactor authentication, or upgrade to passwordless logins entirely.

Get your security codes from an authenticator app instead

Some websites and services are stuck in the past when it comes to multifactor authentication. That is, these websites do offer their users MFA, but only give the option of receiving security codes via text message, something CISA now warns against. Thankfully, plenty of websites offer a more secure way to receive security codes: via an authenticator app.

Simply put, an authenticator app is an application that resides on your phone or computer and generates the security codes for all your online accounts that have multifactor authentication enabled. The code for each account is unique, and it changes every 30 seconds. When you need to log in to a site that you have set up with multifactor authentication, you'll be prompted to enter your security code, which you read from your authenticator app. And since these codes are generated on your device, they can never be intercepted in transit, because they are never sent to you in the first place.

Regardless of whether you use Windows, Mac, iPhone, or Android, you have numerous authenticator apps to choose from. These include Apple's own Passwords app, Google Authenticator, Microsoft Authenticator, LastPass Authenticator, and more.
Even better, start using passkeys

While authenticator apps are vastly more secure than text messages for getting your security codes, the safest login method no longer relies on codes, or even passwords, at all. I'm referring to passkeys, the passwordless login technology spearheaded by the FIDO Alliance, a consortium of tech companies including Amazon, Apple, Dell, Google, Meta, Microsoft, NTT, Samsung, and others.

Passkeys are cryptographically complex from a technology perspective, but easy to use from a consumer perspective. When you add a passkey for one of your online accounts, you get one digital key, saved to your device, and the website gets a matching key. When you log into that website, your device must prove it holds the key that matches the one the website stored; otherwise, you won't get access to the account. You verify that you are the true holder of your passkey by confirming your identity with your biometrics, a facial or fingerprint scan, right from your phone or laptop.

Passkeys can't be phished or guessed. And if one of your passkeys were stolen and put on someone else's device, it wouldn't work either. That's because the thief couldn't fool the passkey into thinking they were you, since they don't have your face or fingerprint. And because passkeys don't require any alphanumeric input, such as security codes, there's no code you need to worry about either. Passkeys are also synced to the cloud via your device's password manager, so if you lose your device, you can quickly regain access to all your passkeys from, for example, your Apple or Google account.

The only drawback to passkeys is that not all online accounts support them. Still, each month, more and more sites are offering users the option for passkey logins. If your accounts don't support passkeys yet, you should still enable multifactor authentication. Just remember to opt to receive your security codes via an authenticator app rather than a text message.
Yahoo, a day ago
What to know about online passwords after a massive breach
An alleged breach of 16 billion passwords including some for Apple, Google and Facebook accounts has cybersecurity experts warning people to change your passwords and stop recycling them. They say using the same password on every site is dangerous because of what hackers can do if the info leaks just once. Multifactor authentication, password managers and passkeys are options for those seeking additional security. (June 20, 2025)
WIRED, 26-05-2025
A Starter Guide to Protecting Your Data From Hackers and Corporations
Matt Burgess, Sophie Johal, Michaela Neville. May 26, 2025, 6:30 AM

Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here's a simple guide for you—and anyone who claims they have nothing to hide.

Photo-illustration: Anjali Nair; Getty Images

With President Donald Trump's return to the White House and the US government's digital surveillance machine more powerful than ever, digital privacy should be top of mind. But the digital security world can be confusing—and there's the larger question of why. You may think, if I'm just a regular person, why is my digital privacy important? Then there are the practical questions. What's the best password manager? How can you keep your digital life under wraps at the border? And what kind of VPN should you be using? Is AI scraping my data? WIRED senior writer and security expert Matt Burgess spoke with readers in a Reddit AMA this month about the basics of keeping your digital footprint locked down. Here's what to know and why it's important.

What is your advice for a quick win in terms of improving digital security for the everyday person? Or for someone who isn't tech-savvy?

I think the one big thing people can do to improve their security is make sure that multifactor authentication is turned on for as many online accounts as possible. That way if anyone gets access to your password or login details, they'll also need to have another way to authenticate the login attempt (such as the codes generated by an authentication app), and it's highly unlikely that hackers will have access to that. Other quick and relatively straightforward changes you can make are to use privacy-friendly browsers and search engines and to use a password manager (the one on your phone or browser is better than nothing at all) and create unique passwords for each service you use.

There are so many privacy tips out there, and it all feels important, but trying to do everything at once can be overwhelming. What are the things people should prioritize when making changes to their online habits?

Improving privacy is something that's ongoing, and if you try to do everything at once then it's too off-putting. Take it one small step at a time. If I was starting now, I'd go with: Switching to a more privacy-focused browser. I alternate between Brave, Firefox and Safari. Then using a privacy-focused search engine too (such as DuckDuckGo). Trying to use services that minimize data collection (for instance, messaging app Signal doesn't collect user data and is the gold standard of end-to-end encryption).

What's a good non-US-based VPN?

Our favorite VPN at WIRED is currently Proton VPN, which is based in Switzerland. Proton VPN also offers the best free VPN. Unlike most services, Proton VPN's free version gives full access to all the regular plan's features. It is limited to a single device, and there are only three server locations (Japan, Netherlands, and the US), but everything else is the same. If your needs are limited and you want to keep costs down, this is a good option. See our full guide to VPNs here.

How do I deal with having to have a new account for every service and website? Should I be using new email addresses?

A new email address for every account is a big undertaking! I'd recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create 'burner' emails that you can use to sign up with services, and if you use an Apple device there's a 'Hide My Email' setting.

What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance, nationality, citizenship, and profession could all make a difference. Even what you've said on social media or in messaging apps could potentially be used against you. Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn't the right idea for everyone and it could bring more suspicion on you. It's better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it. My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It's here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?

Something that's always listening in your home—what could go wrong? It's definitely not great for overall surveillance culture. Recently Amazon also reduced some of the privacy options for Alexa devices. So if you're going to use a smart speaker, then I'd look into what each device's privacy settings are and then go from there.

How do you see people's willingness to hand over information about their lives to AI playing into surveillance?

The amount of data that AI companies have—and continue to—hoover up really bothers me. There's no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don't have enough awareness about how much they're sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people's posts are looking to get in on the AI gold rush by selling or licensing that information. For the everyday person, I'd warn them not to enter personal details or sensitive business information! We also have a more thorough guide here.

Are personal data removal services worthwhile, or are they just another vector for data thieves?

Whether data removal services are worthwhile or not probably depends on where you are based in the world: I'm in Europe where there's GDPR and stricter privacy laws, and when I have used a data removal service, it hasn't turned up too much. But in the US, there's no comprehensive federal privacy law—that really should change—and they may be more useful. Much of what can be done by data removal services, you can also do yourself. Consumer Reports recently did a good evaluation of data removal services.

What is your preferred response for people who claim they have nothing to hide?

I think in a lot of cases when people claim they have nothing to hide, they often jump to thinking about illegal or malicious things. When in fact, privacy, for me, isn't about 'hiding' things at all. You should be able to have the space—both in the physical and digital world—to not be surveilled or have your actions tracked. People should be able to act without intrusion from others—that doesn't mean you're hiding anything, but you just don't want to share everything you do with everyone (or anyone). And really that's why privacy is considered a fundamental human right. I actually like a lot of the answers that people sent in to Amnesty International about how they respond to the point of 'not having anything to hide.'

With files from Scott Gilbertson.