What's the Best Way to Protect Your Accounts?

More about two-factor authentication...

I recently wrote about two-factor authentication (2FA) as an important tool for protecting your accounts. It’s not difficult to set up and is very useful where it’s available. The kind of 2FA I described is available on PayPal, for example, and if you use that payment system, adding 2FA would help protect your financial accounts. There are two questions you need to answer:

  • Which of my accounts do I wish to protect?
  • How can I best protect each one?

Let’s take those in reverse order to better explain the issue. Very simply, not all accounts offer the type of 2FA I described in the earlier article. Here’s a detailed article that explains how to use 2FA on many of the larger social media and e-commerce platforms. Noticeably absent from that list are most banks and other financial service firms.

Here’s another, more detailed listing of firms that offer additional authentication for their accounts, banks being one category. However, there is something very important about the second list. It includes many types of authentication, not only software tokens like Authy and hardware tokens like YubiKey that I described in the earlier article. Instead, many of them use SMS (text messages) or phone calls. Those are less safe than a separate authenticator (software or hardware token). The reason? If you are already logged into the account, you can request the needed code by text or by telephone, with no need to give a second piece of information. That’s good protection against automated attacks, but it is no protection against a human actor who already has your data.

Many large banks have built their own proprietary security systems. Many smaller banks use a specialized financial services platform to provide security. Whichever way they do it, banks are very concerned about providing what we marketers call “good customer experience.” Put more crassly, financial services can often be complex and confusing. Not asking customers to take an extra step at sign-in may be seen as one way to simplify the experience.

It is also true that banks and other financial services firms use many automated security services behind the scenes to protect the safety of customers’ assets and transactions. You would be well advised to read the Security page of each of your financial services accounts and see if you feel satisfied. Then take advantage of the additional steps that are offered, whether it is additional authentication or, more likely, alerts about any type of suspicious activity in your accounts.

Now that you know that this protection is going to take a little effort, we can deal with the first question. I would suggest a three-tiered approach:

  • Any financial services account should be protected in all the ways offered.
  • Ecommerce accounts are also good candidates for protection because you are transacting with those financial services accounts. It is possible for criminals to access your financial services accounts through insecure ecommerce accounts.
  • Do other accounts you use frequently, like social media platforms, need to be protected with additional verification? If the platform has recently suffered a data breach or if your account has somehow been hacked, by all means add additional verification. Otherwise, read the platform’s Security policies and see if the effort is worthwhile.

It’s too bad that this is not simple, with one type of authentication for all your important accounts. Unfortunately, it is not. However, once you understand the principles, it is easy and well worth the effort.

Always remember that a password manager is still the best overall protection for your account credentials. Then carefully consider which of your accounts are important enough to warrant additional protection. That’s a good compromise between ease of use and strong protection.

