You should be using Two-Factor authentication (2FA). If you aren’t, let’s dive into what this all means, why you should do it, how to get going, and a word of caution.
First off, 2FA sounds complicated, but it actually is pretty straightforward. This article unpacks some of the complexity and what you can do right now to increase your personal security.
In short, 2FA is using two separate ways to confirm your identity when logging into systems. It is this combination that makes accessing your information secure.
When you use Two-Factor authentication (2FA), you protect your personal information, accounts, and data.
Why is this important?
If you are new to 2FA, this is understandably confusing, sounds like extra effort, and furthermore... why care? You have a strong password that’s unique for each system and you have a password manager.
You should care because it is the best way to reasonably protect your information. Most importantly, your email account needs this protection. You use your email account for bank access, bills, mobile phone account, electricity, and much more. Typically if you forget your password to any of these systems, you reset your password by sending a link to your email. If someone gains access to your email, the damage can be severe and painful. They could gain access to all of your accounts, regardless of how great your passwords are. You should be protecting all of your financial information with 2FA as well just in case your password information is compromised.
If you rely on SMS or a similar second authentication tool based on your phone number, you should stop. Gaining access to your mobile phone account is not terribly challenging, and the attacker could obtain your credentials by simply having your calls routed to them instead of you. Just look at this example of where experts at Cloudflare fell victim, with impacts to their customers. Furthermore, people seem happy to share their ‘super strong’ methodologies for generating ‘super secret’ passwords and to just tell people their passwords when asked.
Bottom line – protect your email to protect everything else. Just do it.
What is Two-Factor Authentication (2FA)?
Now that you are on-board with why it is important, let’s review what 2FA is.
The goal of any authentication tool is to demonstrate that you are the person you claim to be when logging in. There are four commonly accepted types of authentication:
- Knowledge – What you know (like a password)
- Possession – What you have (like a phone)
- Inherent – Something you are (like Face ID)
- Location – Ability to identify your location (GPS at home)
If you have just a password (even a great strong one), this is just the first (and most common) one. If you add something else, then you get your second factor. There are many ways to achieve this and some better than others.
Most websites that have implemented 2FA use either Time-Based One-Time Passwords (TOTP) or push-based approval. The former has become very common; you can usually recognize it on a site as being “Authy or Google Authenticator supported”. It is typically accompanied by a QR code for you to scan with your phone. The app then generates a six-digit numeric token, derived from a shared secret and the current time, that is valid for 30 or 60 seconds. The push-based solution typically requires an app specific to that site; the Google and Microsoft authenticators are examples of this type of secondary authentication.
How do you implement it now?
To securely implement 2FA, you need an app that supports it. There are hardware tokens and other tools, but let’s get started with solutions you can implement today. If you choose to try hardware-based solutions, that’s awesome. I personally prefer not having to keep up with yet another item in my pocket that I need to carry everywhere with me.
Assuming you carry a smartphone, having an app is as convenient as it gets. Most of the apps do the same thing, but some have critical features you will want. Here are the common ones with my recommendation and why.
Authy (iPhone link | Android link) This app clearly stands above the others, as its security model and data restore options are superior. The backup encryption methodology is documented here and is impressive. It is also easy to restore your tokens if you need to, which is a key feature: if you lose your phone or its data, getting those tokens back is critical. It also has a desktop version, which is a welcome feature for some; you can disable this if you don’t want it. I’m not the biggest fan of the interface, as you have to tap on a site to see the code.
Microsoft Authenticator Also my favorite. I have this anyway for 2FA for Microsoft logins as it supports push-based 2FA: when I log in to a Microsoft application, it just pushes a notification to my phone, and I press login on that notification. It is super convenient. I like this interface better than Authy as well; just open it and you can see all of your codes. It also backs up to iCloud, and that’s super important. That said, if you are going to go through the trouble of 2FA, you want it to be absolutely secure. Using your Microsoft account for account recovery is a weakness and is easier to compromise than the Authy account recovery method.
Google Authenticator Google does so many things right that I am somewhat baffled at how bad it is and how often it is recommended. I can’t possibly recommend it, as there is no way to back it up. Furthermore, being tied to your Google account has the same weakness as the Microsoft option.
LastPass Authenticator This one is the worst. LastPass correctly decided to have a separate application to store 2FA tokens. However, the password is the same, which defeats the purpose of having them separate to begin with. I hope LastPass changes this model, but I can’t see anyone recommending this anytime soon until that changes. That said, someone might see this as a convenience feature, so I have it here.
Duo and other apps didn’t make the list as they have sufficient deficiencies that put them completely out of consideration.
There is one more option for those Android folks out there called andOTP, which is open-source and looks as strong as Authy; I just roll with an iPhone, so I can’t test it.
How to actually use 2FA apps
Where to start?
- Download one of the apps above
- Visit the website/service/system you want to secure
- Log in as normal
- Typically you will find 2FA options under your profile, in the login or security settings
- Look for an option labelled 2FA, “two-step”, MFA, or “Authenticator app”
- Open the app
- Find and scan the QR code (or enter the secret manually)
I recommend securing your email account first. For Gmail (instructions), you can either use the 2FA token approach with Authy or use their own push option (or both). I recommend just using Authy, so if you are unsure, start there. Next, start enrolling your financial accounts.
To see if your service offers 2FA and for specific instructions, you can visit the 2FA Directory. It is a great resource.
Password apps also have 2FA built-in
Some password apps like Bitwarden have 2FA built in. I recommend securing your most critical items in Authy or another standalone 2FA app. You will need one of the dedicated 2FA apps anyway, as you will want your password manager itself to require 2FA to gain access. The token for your password manager can’t be in the app it is protecting (that would be like storing the keys to the safe inside the safe). Put your email, financial, and other critical system access in the standalone 2FA app. That said, generate and store all the other items, like shopping sites, in your password manager. This is an extra layer of security in case your password is compromised. Note that this is a bit of an ‘all your eggs in one basket’ situation, but it is still superior to just having a password.
A word of caution
When you set up 2FA, you will typically receive ‘backup codes’ or ‘emergency access’ information. Make sure you save that information in a safe place. I recommend either printing out these codes and storing them physically, or saving them as files on your computer in a secure (read: encrypted) location. If you lose this information and also lose access to your 2FA app, you will face challenges getting into your accounts again.
Get started now! Secure your access to your accounts and sleep easier knowing your most important data is more secure now.
Also of note, I’m not getting referral cash or sponsored by any of these applications in any way.