This form of authentication combines something you know, the master password, with something you have, such as a mobile phone or a hardware token. The most common second factor is a one-time code, either received by text message or generated by an authenticator app such as Google Authenticator, which computes time-based one-time passwords (TOTP) from a secret shared with the service. Of the two, codes delivered by text message are the weaker option, since an attacker who takes over the phone number can receive them. Fortunately, most popular cloud-based password management services currently offer some form of multi-factor authentication, but it's best to double-check before choosing one.
Two-factor authentication stops an attacker who has stolen the master password from opening the user's vault from another computer or device. It does not help against malware already running on the user's own computer: such malware can piggyback on an active, unlocked password manager session and reach the user's online accounts through the local browser, especially if the auto-login option is turned on. Auto-login features are convenient but risky, and users should think carefully about whether to enable them.
It's also best to use password managers that automatically lock or log the user off after a period of inactivity, especially if the browser stays open for long stretches or someone else might have access to the computer while the user is away. This won't always protect against malware already active on the computer, but it does add another layer of defense.
Users may also be tempted to flag a device as trusted. Many password managers offer to skip the second authentication step on a given device in the future once two-factor authentication has been completed on it. While convenient, this assumes an attacker will never gain control of that device, which is not always the case, so users should weigh whether they can live with entering the second factor every time.
Don't rely just on a password manager
One of the primary benefits of using a password management application is that it allows the use of a different complex password for every account without having to remember them all. However, it's equally important for the user's master password to be strong: it protects every other credential in the vault, and an attacker who obtains a copy of the encrypted vault can guess at it offline, at high speed, for as long as they like.
Users who find it hard to remember complex passwords that mix digits, lower-case and upper-case letters and special characters should try long passphrases as their master passwords instead. These are sequences of randomly chosen real words that form hard-to-guess phrases. Provided the words really are picked at random rather than by the user, a passphrase of a handful of words offers the same or better protection against brute-force attacks as a strong password while being easier to remember. Passphrases can also be used for critical accounts that must remain accessible even when the password management application or its server is unavailable for some reason.
Finally, many of the largest online services, such as Facebook and Gmail, now offer two-factor authentication themselves, so even if you're using a password manager and follow best security practices in general, turn on two-factor authentication wherever it's available. It can make a big difference, especially if your password manager does get compromised.
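To put numbers on the passphrase advice above, here is an added example (not from the original article or from any password manager vendor) that generates a passphrase with a cryptographically secure random choice and compares its entropy against a random 12-character password. The word list in the script is a constructed 25-word sample so it runs offline; the entropy figures use the 7,776-word size of the real Diceware/EFF list. The guessing rate of 10^10 per second is an assumption standing in for an attacker with a copy of the vault and GPU hardware against a fast key-derivation function; a slow, memory-hard KDF would lower it by orders of magnitude.

```python
import math
import secrets

# Constructed miniature word list standing in for a real one such as the
# 7,776-word EFF/Diceware list; the generator uses this sample so the script
# runs offline, while the entropy figures use the real list size.
SAMPLE_WORDS = (
    "anchor", "basket", "cactus", "dragon", "ember", "falcon", "garnet",
    "harbor", "igloo", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yogurt", "zephyr",
)
DICEWARE_WORDS = 7776        # 6^5 words, one per five dice rolls
PRINTABLE_ASCII = 95         # character set of a "complex" random password
SECONDS_PER_YEAR = 365.25 * 86400


def random_passphrase(words=SAMPLE_WORDS, count=6, sep=" "):
    """Pick `count` words uniformly at random with a CSPRNG (secrets, not random).
    The entropy estimate below holds only for words chosen this way, never for
    words the user picks as memorable; repeats are allowed and do not hurt."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Bits of entropy of `length` independent uniform picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guessing rate
    (assumed rate; the attacker's real rate depends on the vault's KDF)."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1e10):
    """Side by side: a 12-char random password vs 6- and 7-word passphrases.
    Returns {label: (bits, years_to_exhaust)}."""
    schemes = {
        "12 random printable chars": entropy_bits(PRINTABLE_ASCII, 12),
        "6 Diceware words": entropy_bits(DICEWARE_WORDS, 6),
        "7 Diceware words": entropy_bits(DICEWARE_WORDS, 7),
    }
    return {label: (bits, years_to_exhaust(bits, guesses_per_second))
            for label, bits in schemes.items()}


if __name__ == "__main__":
    print("example passphrase:", random_passphrase())
    for label, (bits, years) in compare().items():
        print(f"{label:28s} {bits:5.1f} bits  ~{years:.0e} years to exhaust")
```

Six random Diceware words (about 77.5 bits) land just under a 12-character random password (about 78.8 bits), and a seventh word (about 90.5 bits) overtakes it, which is why the comparison above is fair only when the words are drawn at random; a phrase the user composes has far fewer possibilities than the formula credits it with.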