Yes, you should switch your passwords for services affected by the Heartbleed security vulnerability. But you can do better than that.

Some of today’s most popular web services let users enable a two-step, or two-factor, sign-on process that can apply an additional layer of authentication by asking for a code from a text message, a smartphone application, or a key fob.

That looks like a brilliant idea now that lots of companies have fessed up about being affected by Heartbleed since media outlets and bloggers first hit their emergency alarms about it.

Grabbing a one-time password off a device other than the main one you’re using in order to log in won’t prevent all risks, but it can make the job harder for people looking to grab key information from you, Paul Ducklin of security vendor Sophos wrote in a post yesterday on company blog Naked Security.

“[W]hile it wouldn’t have made heartbleed less of a bug, it would have made any passwords harvested by means of the bug much less useful, perhaps even useless,” Ducklin wrote.

Indeed, file-sharing company Box is encouraging people to set up two-factor authentication, following its introduction of the feature in 2012.

“If I could ask you to do one thing — turn on two-factor authentication today,” Box security director Joel de la Garza wrote in a blog post on Friday.

He went on to encourage people to use single sign-on for Box, too.

VentureBeat