Two

Editor’s note: In recognition of World Password Day, CNET is republishing a selection of our stories on improving and replacing passwords.

You’ve probably heard this security advice: protect your accounts by using two-factor authentication. You’ll make life hard for hackers, so the reasoning goes, if you pair a password with a code sent by text message or generated by an app like Google Authenticator. 

Here’s the problem: It can be easily bypassed. Just ask Twitter Chief Executive Jack Dorsey. Hackers gained access to Dorsey’s Twitter account using a SIM swap attack that involves fooling a carrier into switching mobile service to a new phone.

For a broader look, check CNET’s coverage this week about password problems, some fixes like hardware security keys and password managers that you can start using today, reasons why some old password-picking rules are now obsolete and a cautionary tale about what can go wrong with a password manager.

Banks, social networks and other online services are moving to two-factor authentication to stem a torrent of hacks and data theft. More than 555 million passwords have been exposed through data breaches. Even if yours isn’t on the list, the fact that so many of us reuse passwords — even alleged hackers themselves — means you’re likely more vulnerable than you think.

Don’t get me wrong. Two-factor authentication is helpful. It’s an important part of a broader approach called multifactor authentication that makes logging in more of a hassle but also makes it vastly more secure. Like the name suggests, the technique relies on combining multiple factors that embody different qualities. For example, a password is something you know and a security key is something you have. A fingerprint or face scan is simply part of you.

Authentication code interception

Code-based two-factor authentication, however, doesn’t improve security as much as you’d hope. That’s because the code is just something you know, like your password, even if it has a short shelf life. If it’s swiped, so is your security.


Now playing:
Watch this:

In a world of bad passwords, a security key could be…

4:11

Hackers can create fake websites to intercept your information, for example using software called Modlishka, written by a security researcher who wants to show how seriously susceptible websites are to attack. It automates the hacking process, but there’s nothing stopping attackers from writing or using other tools.

Here’s how an attack works. An email or text message lures you to the fake website, which hackers can automatically copy from the originals in real time to create convincing fakes. There, you type in login details and the code you got by SMS or an authenticator app. The hacker then enters those details into the real website to get access to your account.

SIM swapping attacks

Then there’s the SIM swap attack that got Twitter’s Dorsey. A hacker impersonates you, convincing an employee at a carrier like Verizon or AT&T to switch your phone service to the hacker’s phone. Each phone has a discrete chip — a subscriber identity module, or SIM — that identifies it to the network. By moving your account to a hacker’s SIM card, the hacker can read your messages, including all your authentication codes sent by SMS.

Don’t dump two-factor authentication just because it isn’t perfect. It’s still vastly better than a password alone and more resistant to large-scale hack attempts. But definitely consider stronger protections, like hardware security keys, for sensitive accounts. Facebook, Google, Twitter, Dropbox, GitHub, Microsoft and others support that technology today.

Check Also

14 Hidden iPhone Features You Should Really Know About

It’s been over half a year since iOS 16 was released to the general public, yet there always seems to be new features and settings to discover within Apple’s latest iPhone software update. Not all these unexplored features will be as popular as unsending texts and emails or cutting out objects from your photos, but they’re still worth exploring if …

Two

[dzs_video source=”https://video.cnet.com/becee222-97d4-4e24-9ce9-9442a9222e07/nzxt_mic_review_ashley_cnet_720h3200k.mp4″ cover=”https://www.cnet.com/a/img/resize/2fe345df2a902975a99ab6bf393bf9464e854d0e/hub/2018/05/03/09fc26f3-b18d-4400-98e1-98e0c0294936/mirage-jedi-2.jpg?auto=webp&fit=cover&height=482&width=856″ config=”skinauroradefault” width=”100%” height=”600″ logo=”https://joggingvideo.com/wp-content/uploads/tdn_pic_2.png” config=”skinauroradefault” autoplay=”off” cue=”on” loop=”off” type=”video” logo=”0000″ logo_link=”5555″ responsive_ratio=”default” adarray='{{openbrace}}{“source”:”1111″,”time”:”2222″,”type”:”3333″,”ad_link”:”4444″,”skip_delay”:”5″}{{closebrace}}’]

Check Also

The US Is About to Exit a Long Dark Age of Lousy Headlights

[dzs_video source=”https://cnet.redvideo.io/2022/09/16/49769be8-2384-4b14-9e21-dd7391f645d1/adaptive-headlights-4kfinal_720h3200k.mp4″ cover=”https://www.cnet.com/a/img/resize/ddcd07e4d9afd5a49c8fdd756e1fb3514818d952/hub/2022/09/16/eeb958f1-4ba5-41ed-9dee-49607cb78be6/mazda-i-activsense-adaptive-led-headlamps-alh-mp4-00-01-04-10-still001.jpg?auto=webp&fit=cover&height=482&width=856″ config=”skinauroradefault” width=”100%” height=”600″ logo=”https://joggingvideo.com/wp-content/uploads/tdn_pic_2.png” config=”skinauroradefault” autoplay=”off” cue=”on” loop=”off” type=”video” logo=”0000″ logo_link=”5555″ responsive_ratio=”default” …

Two

I faced off with a fellow CNET editor, lightsaber ready. His was ready, too. We stared at each other in our mirror-lensed headsets, and started swinging away. Multiplayer AR, kinda-sorta, has arrived.

Disney and Lenovo teamed up last year to make a Star Wars-themed AR headset toy, Star Wars Jedi Challenges, that uses a phone to project holograms to do battle with in augmented reality. The little Hololens-for-kids kit has had some software updates over the last few months, but it was a single-player experience until today’s newest multiplayer update.


Now playing:
Watch this:

Two-player AR lightsaber battles come to Star Wars: Jedi…

1:01

The two-player mode is more like a rhythm dance-off than a true lightsaber battle: Heads-up commands to swipe, block, or duck are randomly generated. Follow along and match the patterns, and you win. I played a couple of rounds, and it’s pretty much chaos, but fun. (I lost both matches.)

But you’d need two of these not-so-perfect and limited-use AR headsets to play. Lenovo and Disney hint that two-pack bundles might be on their way. At $150 a headset, it better get a discount.

10-the-jedi-lightsaber-star-wars10-the-jedi-lightsaber-star-wars

Two of these headsets is a tall order.


Sarah Tew/CNET

What would really be cool is if these headsets worked together with phones and tablets, so a friend could play next to you on their device while the other counterattacks in AR. The Jedi Challenges phone app already has ARKit support for a free version of Holochess. But right now, phone-to-headset multiplayer isn’t happening … yet. 

For May the 4th 2018, a galaxy of Star Wars toys

star-wars-han-solo-card-gamestar-wars-han-solo-card-game

play-doh-chewbacca-set-oop3play-doh-chewbacca-set-oop3

star-wars-vehicles-podracer.jpgstar-wars-vehicles-podracer.jpg

+44 more


See all photos

Check Also

8 New Google Products We Expect to See This Year

Google’s device line could end up having a particularly important moment in 2023. The company …

Two

As smartphones become more widespread, so does Internet use on cell phones.

According to a new report from Pew Research Center, 63 percent of US adult mobile phone owners use their devices to go online, which is double the amount of cell Internet usage since 2009. And not only are more people surfing the Web and checking e-mail from their phones, but 21 percent of adult cell owners use their smartphone more than a computer to go online.

“A majority of the public now owns a smartphone, and mobile devices are playing an increasingly central role in the way that Americans access online services and information,” Pew Research Center’s Internet Project senior researcher Aaron Smith said in a statement. “For many, such as younger adults or lower-income Americans, cell phones are often a primary device for accessing online content — a development that has particular relevance to companies and organizations seeking to reach these groups.”

Pew estimates that 91 percent of people in the US own cell phones. In 2012, 55 percent of cell owners used their phones to go online and in 2009 only 31 percent did. Now, it appears that the majority of the country goes online with smartphones.

The groups that most access the Internet with their phones include young adults ages 18 to 29 (85 percent), African-Americans (74 percent), college-educated (74 percent, financially well-off (79 percent), and urban residents (66 percent).

While older adults are the least likely to go online with their phones, more people in this age group are now starting to use the Internet from their smartphone.

“Cell owners between the ages of 50 and 64 experienced a larger-than-average 15 percentage point increase in the past year,” the Pew report reads. “Some 51 percent of cell owners ages 50-64 now use their phone to go online, up from 36 percent who did so in the spring of 2012.”

To get its data, Pew surveyed more than 2,250 adults in April and May of this year.

Check Also

8 New Google Products We Expect to See This Year

Google’s device line could end up having a particularly important moment in 2023. The company …

Leave a Reply