LinkedIn flips the two-factor authentication switch


Happy anniversary of getting the bejeezus hacked out of you, LinkedIn!

Maybe the timing is just a coincidence, but the career-toned social networking site got savagely hacked on 5 June 2012.

Cybercrooks stole about 6.5 million passwords, over 60% of which were cracked within the span of one measly day.

The attack resulted in a variety of nastiness, including a pump-and-dump stock scam and a $5 million class action lawsuit (dismissed in March).

On Friday, very close to one year later, LinkedIn announced that it’s now offering two-factor authentication (2FA).

Following in the footsteps of Twitter, which turned on 2FA in May, LinkedIn is now giving users the option of using something stronger than a password and user name to protect their accounts.

2FA, aka two-factor verification, requires users to type a numeric code when logging into their accounts from a new or unknown computer or device for the first time. LinkedIn sends the code to users’ phones via SMS.


LinkedIn points out that when 2FA is enabled, it’s more difficult for attackers to breach your account, given that they need both your password and access to your mobile phone to do it – i.e., two factors.

Not that 2FA is a surefire way to keep your LinkedIn account from getting hacked, mind you. Your account is only as safe as you are against phishing: a fake login page that relays whatever you type to the real site is a man-in-the-middle attack, and it can forward the SMS code just as easily as it forwards your password.

As Graham Cluley noted when Twitter turned on 2FA, the extra security won’t help in the event of a man-in-the-middle attack, which could intercept the six-digit passcode, along with your account password and user name, be it Twitter or LinkedIn or fill-in-the-blank online service.

That means we should all be double-checking that when we enter all those login crown jewels, we’re really on the genuine, secure https LinkedIn site.
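To make the two points above concrete, here is an added example (constructed for this article, not LinkedIn's code or anything LinkedIn has published) that models the SMS-based flow as described: a password alone is accepted from a device that has already been verified, a new device must also present a six-digit code texted to the user, and the code is random, single-use, time-limited and rate-limited. The same toy service is then driven by a simulated phishing proxy that relays both factors in real time, which is the man-in-the-middle case that 2FA cannot stop: the code's short validity window does not help when the attacker uses it within seconds of the victim typing it. The validity window, the attempt limit, the user record and the phone number are all assumptions for the demonstration.

```python
import hmac
import secrets
import time

# Assumed policy values (not LinkedIn's real settings): how long an SMS code is
# valid and how many wrong codes are tolerated before the pending login is dropped.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


class LoginService:
    """Toy model of the SMS-based 2FA flow described above (constructed example)."""

    def __init__(self, users, now=time.time):
        # users: {username: {"password": str, "phone": str}}.  Passwords are kept
        # in clear only to keep the example short; a real service stores a
        # salted password hash.
        self.users = users
        self.now = now
        self.sms_outbox = []        # stand-in for the SMS gateway: list of (phone, code)
        self.pending = {}           # username -> {"code", "expires", "attempts"}
        self.trusted_devices = {}   # username -> set of device tokens issued after 2FA

    def start_login(self, username, password, device_token=None):
        """First factor.  Returns 'denied', 'ok' (known device) or 'need_code'."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            return "denied"
        if device_token in self.trusted_devices.get(username, set()):
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to six digits
        self.pending[username] = {
            "code": code,
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.sms_outbox.append((user["phone"], code))
        return "need_code"

    def finish_login(self, username, code):
        """Second factor.  Returns a device token on success, None otherwise."""
        entry = self.pending.get(username)
        if entry is None:
            return None
        entry["attempts"] += 1
        if self.now() > entry["expires"] or entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[username]      # expired or brute-forced: start over
            return None
        if not hmac.compare_digest(entry["code"], code):
            return None                     # wrong code; the attempt is counted
        del self.pending[username]          # single use: the code cannot be replayed
        token = secrets.token_urlsafe(16)
        self.trusted_devices.setdefault(username, set()).add(token)
        return token


def phishing_relay(service, username, password_typed, victim_reads_sms):
    """Real-time man-in-the-middle: the fake site forwards whatever the victim
    types to the real site.  The attacker's browser is a new device, so the real
    site texts the victim a code; the victim types it into the fake page and the
    attacker relays it long before it expires."""
    result = service.start_login(username, password_typed)
    if result != "need_code":
        return result
    return service.finish_login(username, victim_reads_sms())


def demo():
    """Run the scenarios and return the outcomes (constructed sample data)."""
    clock = [1_000_000.0]                       # controllable time for the expiry case
    svc = LoginService(
        {"alice": {"password": "correct horse", "phone": "+1-555-0100"}},
        now=lambda: clock[0],
    )
    out = {}
    # 1. Legitimate first login from a new laptop: password, then SMS code.
    out["first_login"] = svc.start_login("alice", "correct horse")
    laptop = svc.finish_login("alice", svc.sms_outbox[-1][1])
    out["token_issued"] = laptop is not None
    # 2. Same laptop later: the password alone is accepted.
    out["known_device"] = svc.start_login("alice", "correct horse", device_token=laptop)
    # 3. Attacker with a cracked password but no phone: can only guess the code.
    svc.start_login("alice", "correct horse")
    real = svc.sms_outbox[-1][1]
    out["password_only"] = svc.finish_login("alice", "000000" if real != "000000" else "000001")
    # 4. Code left unused past its validity window.
    svc.start_login("alice", "correct horse")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired"] = svc.finish_login("alice", svc.sms_outbox[-1][1])
    # 5. Phishing proxy relaying both factors in real time: 2FA does not stop it.
    stolen = phishing_relay(svc, "alice", "correct horse", lambda: svc.sms_outbox[-1][1])
    out["mitm_relay"] = stolen is not None
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:>14}: {result}")
```

Scenarios 3 and 4 are where the second factor earns its keep: a cracked password on its own gets the attacker no further than a guess against a six-digit, five-try, five-minute code. Scenario 5 is the caveat from the paragraphs above: when the attacker sits between you and the real site, both factors pass straight through, which is why checking that you are on the genuine https site matters more, not less, once 2FA is on.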

LinkedIn offers both a secure-browsing (HTTPS) option and the toggle to turn on 2FA, and both sit under your account's security settings.

When you turn on 2FA in LinkedIn, just make sure that the secure browsing box above it is checked as well.


This is a good move on LinkedIn’s part.

Lord knows that users need something stronger than passwords to protect them.

As Sophos’ Chester Wisniewski noted the day after the LinkedIn hack last June, SophosLabs determined that all but two of the passwords the Conficker worm uses to spread through Windows networks appeared in the 6.5 million-entry password dump.

Will those who used already-abused passwords be savvy enough to turn on 2FA?

Let us pray.

And, perhaps, nag, wherever nagging may pay off.

If you want to learn more about two-factor authentication, listen to the great TechKnow podcast that Paul Ducklin and Chet Wisniewski recorded on the subject earlier this year:


(15 April 2013, duration 16’25”, size 9.9MBytes)