Thursday, December 24, 2015

Should you turn off multifactor authentication before traveling overseas?

It's Christmastime, that time of the year when many folks take advantage of time away from work and school to travel. As a travel tip, the Australian government's online services website, myGov, put out a recommendation this week that made security professionals worldwide cringe.

Why do we cringe? My peers and I have spent the last couple of years promoting the use of two-factor authentication - a way of securing your accounts so that a stolen password is not enough for a criminal to break in.

With traditional password-based security, if a crook steals your password through malware, or tricks you into telling him your password through a clever phish, they have all they need to log in as you and take control of your account. Two-factor or multifactor authentication (sometimes called 2FA or two-step verification) adds a second element, often a code provided by an app on your phone or sent to you via SMS (text messaging).

With 2FA, a crook has to both steal your password, and have access to your phone. While it is still possible for a determined crook to break in, it makes things exponentially harder - enough so that more often than not, the attacker will leave you alone and go after easier prey.

So why would you ever want to turn this off?

Well, there is actually a good reason in certain cases. Multifactor authentication can be set up in a few different ways. One method is by using a code generating app on your phone - Google Authenticator is a common choice. Facebook provides a similar capability through their own Facebook mobile app. In both cases, your phone can provide you with the second factor without any dependency on cellular or data service.

Other websites - such as myGov - send you a code via text messaging. This works fine if you are using your phone in an area where you have service. It becomes complicated though if you are trying to login on an airplane, or in a different country where your mobile service is either unavailable or highly expensive.

In many cases, multifactor authentication is only required the first time you log on from a particular device. Once you have logged in and told the website that you own the device, the website will recognize the device and only require a password for future logins. That is not always the case though.

Security For Real People is about practical advice you can actually use. Where others have said only that myGov is offering bad advice, I take a different approach. Turning off two-factor authentication might make sense in some cases.

Start by looking at which (if any) services you might be unable to use if your second factor is unavailable. If you do have any, carefully consider whether the risk of your account being stolen while you are on vacation is worth taking.

I would never even consider turning off multifactor authentication for my email or my banking accounts. I might consider turning it off for websites related to my travel itinerary. Government services? I'd think long and hard about that one: myGov includes the Australian taxation office, Medicare, eHealth records, and a number of other things that could be very useful in the wrong hands.

The bottom line? Think about what you would miss out on if you could not log into an account because SMS is unavailable, and decide for yourself if it is worth taking the risk that your account could be hacked if you turn off 2FA. And if you decide it is worth the risk, be sure you turn it back on when you return home!

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen