Amazon now let you secure your account with Two-Factor-Authentication (2FA). This means you can log on with a one-time password which changes every minute. For some reason, Amazon call it Two-Step-Verification (2SV) – but it is exactly the same as all the other 2FA solutions.
There’s no direct link to 2FA settings. So the process is slightly convoluted. Assuming you are signed in to your Amazon account, you need to
- Go to https://www.amazon.co.uk/your-account
- Click on “Login & Security Settings”
- Then “Advanced Security Settings”
You can now start to add 2FA to your account.
If you can’t install apps – or just don’t like them – you can get your code delivered to you via SMS.
Let’s ignore the American number formatting (555!) – is an SMS code sensible?
- SMS works everywhere, even on the dumbest phone.
- No app needed.
- Swap your SIM to a new phone and have instant access.
That last one is the biggest weakness. It is terrifyingly easy for a scammer to ring up your phone company and get your number swapped to a new SIM. If a scammer wants the codes off your app they have to physically steal your phone and then unlock it (you do have a secure password, right?). With SMS, all they have to do is convince some hapless call centre worker that you need your number transferred.
There’s also the little matter that SMS isn’t encrypted – but if the security services desperately want access to your Amazon account, I’m sure they have their own means.
Far from being a scrappy start-up, Amazon is now a maze of interconnected legacy systems. There are several ancient services with Amazon can’t or won’t update. This means they don’t get 2FA support.
This is a problem which I recently encountered with PayPal. Old apps don’t support new security – weakening the usefulness of security for everyone.
Of course, there’s no mention of which apps don’t support 2FA. Their proposed solution of sticking your 2FA code to the end of your password is… interesting. It implies that if the system doesn’t recognise your password decrypted password, it will split it in two and try it again. I wonder if that leaves them open to subtle timing attacks, or any other issues?
The point of 2FA is that you use it everywhere – otherwise you’re introducing a weak point in your security. Amazon will happily let you turn off 2FA on specific devices.
I can kinda see their reasoning. It is annoying to be forced into using the 2FA on your regular handset. But that’s also the point. Making it slightly harder for us makes it extraordinarily hard for an attacker.
Despite these shortcomings, I urge you to switch on 2FA. Amazon holds a surprising amount of your personal data – and the consequences of your Amazon account being hacked can be dire.
There are hundreds of sites which support 2FA. You should make sure you use it wherever possible.