Two-factor authentication: A good first step after Heartbleed

Yes, you should switch your passwords for services affected by the Heartbleed security vulnerability. But you can do better than that.

Some of today’s most popular web services let users enable a two-step, or two-factor, sign-on process that can apply an additional layer of authentication by asking for a code from a text message, a smartphone application, or a key fob.

That looks like a brilliant idea now that lots of companies have fessed up about being affected by Heartbleed since media outlets and bloggers first hit their emergency alarms about it.

Grabbing a one-time password off a device other than the main one you’re using in order to log in won’t prevent all risks, but it can make the job harder for people looking to grab key information from you, Paul Ducklin of security vendor Sophos wrote in a post yesterday on company blog Naked Security.

“[W]hile it wouldn’t have made heartbleed less of a bug, it would have made any passwords harvested by means of the bug much less useful, perhaps even useless,” Ducklin wrote.

Indeed, file-sharing company Box is encouraging people to set up two-factor authentication, following its introduction of the feature in 2012.

“If I could ask you to do one thing — turn on two-factor authentication today,” Box security director Joel de la Garza wrote in a blog post on Friday.

He went on to encourage people to use single sign on for Box, too.