Someone got into my LinkedIn account twice in the past two months. Even with changing passwords, I was failing to prevent whoever it was from accessing my account and coming up with their own passwords, consequently locking me out.

The only practical method I found for preventing hackers was adding two-step verification on LinkedIn. I then added 2FA on some other online platform accounts. However, that approach comes with its own problems.

Google pop-up requiring password entry.


I know I’m not alone – my mom, for instance, had a similar experience with her email account. She realized she wasn’t getting emails. So, she too began changing her password, only to find out someone had already figured out how to get around her attempts at locking down the account. (READ: Changing passwords is not an ideal remedy – for so many reasons.) In her case, a scammer defeated her password by redirecting all copies of her emails to their own personal email account (a hard-to-find forwarding toggle on her Internet provider’s settings). The bad guys then used the emails intended for her to send automatic replies asking for money.

In my case with LinkedIn – a Microsoft subsidiary – as soon as I changed my password, some hacker went in and changed it again (who knows how?).  Beyond that, I have found no other consequences from the hack.  

The problem is only partly due to cunning hackers – it’s more so that service providers have yet to develop reliable ways for keeping their users safe while on their platforms.

When I added two-factor identification to LinkedIn, two things happened. On the one hand, I was notified every time someone tried to access my account – “Was that you?” On the other hand, it became a chore using 2FA. Each time I logged in, I needed a smartphone and a computer by my side, at minimum, both with working Internet service.

Google's 2-Step Verification page direct.


“Especially concerning is the fact that, for the most part, carrying out 2FA attacks does not require a great deal of skill or effort from hackers,” according to New York City-based SecurityScorecard. “These kinds of attacks are often carried out by novices, so organized crime syndicates and nation-states with considerable resources pose an even more serious threat.”

Microsoft acknowledges some problems with its 2FA in connection with requiring a mobile phone to retrieve security access codes. These include: some workplaces and schools restrict workers and students from bringing in mobile phones; also, at times mobile phones are lost; plus, traveling overseas can be a barrier to receiving codes through texts.  In these cases, Microsoft suggests – on a support page – that users turn off the feature or even add another verification method.

Google, the largest Internet search company, employs a two-factor authentication that relies on emails, texts, and other platforms it owns. Perhaps even more frustrating, Gmail passwords seem to require frequent changing, at least I have found, so I’m constantly concocting new ones. With 2FA activated, Google sends out a code that then requires some other verification. Just recently, I was directed to YouTube on my iPad, which I didn’t have with me at the time. When I did get on to YouTube a little later, I was confronted by nearly a dozen ads on my homepage, where I then had to find a little button to acknowledge it was me.

List of attempts to reset passwords during the past six months.


“2FA is far from perfect,” according to SecurityScorecard. “Many users report that the additional hurdles of two-factor authentication are overly inconvenient, which can cause annoyed users to cut corners and take shortcuts that make the system more vulnerable.”

The larger issue, I believe, is how to improve ways of connecting users, their devices and service provider platforms.  From my perspective, constantly changing passwords or using 2FA is insufficient.  One solution may be to notify users when there are suspicious log-ins, such as from an unfrequented location or unfamiliar DNS.  My bank, for instance, asks my permission to pay vendors when the requests are outside my typical habits and behaviors. 

Meanwhile, others have called on service providers to implement biometric authentication, which involves verifying the user’s identity rather than identifying their devices or verifying passwords. While implementing biometrics is perhaps a step beyond where we are today, the general idea is to shift away from emails and texts with codes to establish oneself, or codes and instructions to reset passwords, toward simple ways of proving oneself – which I thought was where this was going a few years back with personal questions like the one below!

I still don’t have an answer to this security question: Who was your favorite teacher growing up?!
