This is the latest installment of our “Ask Wealthsimple” series. Today, our resident security geniuses help you navigate the world of security.
Some people call it two-factor authentication. Or 2FA if you're a security buff. We call it two-step verification because that's what it is and it sounds better! And yes, it's now part of our gold-standard security apparatus at Wealthsimple! All you have to do is turn it on when you're on the app or desktop.
To commemorate the moment, and go kind of deep on what it is and why it matters and share some thoughts about security and your money in general, we wrangled the two most security-minded people at Wealthsimple: Lee Brotherston, Director of Security, and Justin Bull, one of the engineers whose job is building security infrastructure and monitoring outside threats. And we got them to teach us just enough to feel like we're experts, but not so much that we got completely confused.
Congratulations on launching two-step verification for Wealthsimple!
Lee Brotherston: We're pretty excited. Honestly.
Well, you guys are tech security guys. I'm sure it's like how my kids would feel if they got their own bouncy castle. So, to get down to it, I've heard the term two-step verification thrown around. And I'm frankly worried I'm going to fall asleep.
Lee: Look, I know it’s not the sexiest topic.
Justin Bull: Two-step verification is going to help you protect your account, and all the money you have in it. I happen to think enhancing the security of your money is pretty sexy.
So, of course I understand all this stuff completely. But let's pretend I wanted to hear your version. What is two-step verification?
Lee: We want to know that it's really you trying to log into your account. Two-step verification means that you have two different means of proving that it’s you, and not some hacker or scorned ex-roommate. With me so far? Good.
OK, so you have a password for your computer and a code that unlocks your phone, right? That's one step of security. If you want to be secure, you need something more.
That second factor could be lots of things. It's not common, but it could even be something biometric, like a fingerprint or an iris scan. Far more common — in fact, probably the most common — is what's called a verification code. It's a string of digits. Sometimes you can access the code from an app like Authy or Google Authenticator (Android and iOS). Sometimes it's a text message with a code that expires a minute later.
Justin: You should check out the definition from Sideways Dictionary — a fun dictionary that makes tech sound ... less tech-y. They use analogies to define abstract tech terms, and they have a great analogy for two-step verification: the debit card. Think of your password as the "card," and your verification code (we'll explain what that is in a minute) as the PIN. Except that a verification code is way more secure than a PIN, because it changes every minute. So unlike a PIN, even if someone peeped over your shoulder and saw your code, they'd still be locked out if they tried to use the same code later.
Two steps are far more secure — exponentially more secure, not just twice as secure — as just your password.
Is it hard to use? How do I use it?
Justin: All you need to do is turn it on when you log in to your Wealthsimple account. Just follow the super-short setup process on the Settings page of your account. It's under “Passwords and Security.”
Wait, you didn't install this because you got hacked and some poor soul lost every dime in his Wealthsimple account did you? Please say no.
Lee: No! We have not had a single incident. We’re undertaking this to prevent an incident from occurring.
Justin: We brought Lee to Wealthsimple last spring as the director of the security team. And two-step verification was the first thing on our plate. As a new team, this was our first priority.
Are there any other benefits to two-step verification?
Lee: Yes. It's important to remember, this is less about making Wealthsimple hard to hack into, and more about making you hard to hack into.
People re-use passwords, so these breaches are getting more and more common, because people's credentials are being stolen from one site and used to access others. So adding this extra layer should prevent this from being a problem in the future.
Personally, I think the real problem is some people just can’t pick passwords. Buzzybear72 has been my fail-safe on every site I use for years. It's on Netflix, all the usernames for my Stranger Things discussion forums. Pretty good, right?
Lee: There are a few different problems with Fuzzybear72.
It’s Buzzybear, Lee, with a B. Fuzzybear’s a terrible password!
Lee: Okay, apologies. But I’m sorry to say it’s still problematic. First, if you use that all over the place, congratulations, maybe you've been lucky so far. But companies like Yahoo, Snapchat, and Dropbox have all had hacks in the last three years. When people steal the info, those user credentials get dumped somewhere. Once someone knows Buzzybear72 they can start plugging it into all your other sites and log in as you.
Remember this, always. Your password is only as safe as the least secure website it's on.
It seems like passwords are a problem. Are they a problem?
Justin: Yes. The way people use passwords today is highly flawed. It makes sense in a way — people just can't remember a unique password for every service. You're probably not going to make a password that's 48 characters long with brackets and exclamation marks and weird-looking things that make hard-to-crack passwords.
Lee: That's not the only way they can get your password. Have you ever heard of brute-forcing? It's a technique commonly used by hackers — they fire off thousands of different password options over just a few minutes, hoping they'll get the right one. Simple passwords are easier to brute-force. If you can remember it, it’s going to be easy to crack by an attacker.
We encourage everyone to use a password manager like 1Password or LastPass. A lot of people don't listen to our advice, and two-step verification is a fail-safe if someone gets your password. But it's still better to be safe two ways instead of one.
So this “verification code” — how do I know what it is if it keeps changing? Where do I get it?
Lee: Remember: the code is just a way to make sure whoever logs in has one of the physical devices you trust. So we send you a code to one of two ways.
The first option is text message. Buckle up here for a little bit of an explainer. With the text service, only our server knows the right digit combination for your account for that minute in time, which we text to you. Text messages are relatively unsecure in and of themselves. But to use the number, a hacker would need to get your email and password and text messages, and then they'd need to input all that within the same minute you tried to access it.
The second method is more secure, and that's to use an app on your phone — like we mentioned earlier, something like Google Authenticator or Authy. The app stores all the changing codes for each site for which you have two-step verification set up. Using fancy math and cryptographic magic, the generator in your app is able to tell you the same verification code that the server is looking for in that particular minute.
Okay smart guy — what if a hacker steals my phone that’s receiving all those authentication codes?
Lee: First things first. If your account is compromised, or could be compromised, the first thing to do is change your password. In Wealthsimple, this additionally forces all devices to log out of your account.
Meanwhile, if someone has your phone, you have to have trusted the person enough to give it to them or they have to have stolen it. It's a good reason to make sure your phone has thumbprint access and locks itself when you're not using it. If they steal it, odds are you know that it's been stolen and you can have that device's access revoked. When you sign up for Wealthsimple two-step verification, you get a one-time-use recovery code. Write it down somewhere and keep it safe! If a device gets lost or stolen, you can use the code to disable two-step verification. You'll have a clean start — just like changing the lock on your home after a break-in. Then turn two-step verification on again. (If you get confused along the way, we can always help you here.)
Justin: But that's incredibly uncommon. By far the most common way people get hacked is by someone somewhere far away from you and your phone. And two-step verification will protect you from that.
Is this going to make things more difficult? I'm sure my peace of mind is going to make me a tiny bit more miserable.
Lee: First of all, it's your choice. You can turn it on, or not. We believe it's the right thing to do, and a lot of Wealthsimple users have let us know they're very interested in it. But it's not being forced on anyone.
Justin: And you have more options when it comes to how you want to use two-step verification. You can choose to enter the verification code every single time you wish to login. That can get cumbersome, but it provides a higher level of security. Alternatively you could choose to have the app or site remember that particular device for thirty days. That is you letting us know that, for you, a password alone is good enough so long as you're using that exact same phone or computer. And when that 30 days is up, you will verify your device again.
Lee: It's not so hard. And well worth it.
Wealthsimple makes smart investing simple and affordable.