Personal Security for the Savvy (or not) Executive #2 - Two-Factor Authentication

Once upon a time, people used only passwords to access their accounts. In most cases they would be a single word.

Soon security became an issue and people would use different methods to obscure their passwords, such as adding numbers or special characters to make it harder to guess.

Today, people generate fully-random passwords by way of password managers. That sounds like it should be enough right? Nobody is going to guess my 16 character fully random password!

Sadly, no. Criminals employ many different tactics to gain unauthorised access to your accounts, including:

  • Password spraying: they try a single common password against thousands of accounts in the hope of finding people who use it
  • Phishing: they send you emails pretending to be the service, to trick you into entering your password on their site
  • Malware: malicious software on your computer captures your credentials

"So you're telling me that a really good password isn't enough to stop attackers getting in? What can I do? This sounds like a losing battle."

It may feel that way, but there is a solution, and if used correctly it isn't annoying or time consuming given the peace of mind it provides.

Introducing Multi-factor Authentication (MFA)

Multi-factor authentication works on the premise that you need more than one factor to gain access to your account, or to prove your identity.

Prevailing MFA methods draw on the following categories of factor:

  • Something that you know
  • Something that you have
  • Something that you are

For example, you likely already use some of these:

  • A Password (Knowledge factor)
  • Your fingerprint or face (Inherence factor)
  • A Two-Factor code generator, or an SMS code (Possession factor)

Today we're going to be discussing how to add another factor to your security toolkit: Two-Factor Authentication.

Two-Factor Authentication (or 2FA for short) will come in one of the following forms:

  • A one-time code texted to your phone number when you log in.
  • An app you install on your phone that generates a new code every 30-60 seconds.
  • An app that prompts you to tap "OK" when you log in.
  • A USB security key you insert into your computer, pressing its button when the website prompts you.

Although many people don't realise it, 2FA is available on most public websites today, including Google, Facebook, Microsoft 365, Dropbox, iCloud and many others.

Generally speaking, 2FA will keep criminals and malicious attackers out of your personal and work accounts even if they succeed in stealing your password.

2FA comes in many forms. Don't let the jargon scare you into never using it: it could save your accounts, and one day even all your personal information.

Jargon Buster

  • 2FA - Two-Factor Authentication: you need two factors, your password and a unique code.
  • OTP-2FA - One-Time Password Two-Factor Authentication. Apps like Google Authenticator or Authy use this method.
  • U2F-2FA - Universal Second Factor Two-Factor Authentication. An example of this is a YubiKey, seen below.

How to use OTP-2FA

First, install an OTP app. You can use either Google Authenticator or Authy; both are great cross-platform apps. Keep in mind that if you use Google Authenticator, you will not easily be able to transfer your codes from device to device.

While some may say this is good for security, it can also make things quite awkward when you need to change your device (or if you lose your phone).

Using Authy

First, install the app; the method will depend on whether you use Android or iOS. Next, use one of the following guides to get up and running.

The general workflow is usually:

  1. Scan a QR code from your web-account using your Authy App
  2. Save it on your phone and enter the code provided by the app into the account prompt
  3. Click OK on the account prompt.

Easy as that! Once you've set up 2FA with Authy, every time you log in you will be prompted for a code from your app. A new code will appear every 60 seconds for each account you have set up, and you will only be able to get into your account by entering this constantly changing code.

Be careful: this also means you can lose access to your account if you lose access to your phone (for example if it is lost or stolen). There are other ways to back up your access, by way of backup codes: you can print off a list of one-time codes to be used in the event you lose your phone. Keep that list somewhere separate from the phone itself.
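As an added illustration of how the backup codes just mentioned work on the service's side (example code, not any particular provider's implementation): the service generates a handful of random codes for you to print, keeps only a hash of each, and deletes the hash the moment a code is used, so every code works exactly once. The alphabet and code length are choices made for this example.

```python
import hashlib
import secrets

# Characters that are easy to read back from paper (no 0/O, 1/l/I). Assumption for the demo.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count=10, length=12):
    """Return the codes to print and the set of hashes the service stores.
    12 characters from a 31-symbol alphabet is ~59 bits of entropy, which is why an
    unsalted fast hash is acceptable here; low-entropy codes would need a slow hash."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored, candidate):
    """Consume a code: True (and remove its hash) if it is unused, False otherwise."""
    digest = hashlib.sha256(candidate.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)  # one-time: the same code can never be accepted again
        return True
    return False


if __name__ == "__main__":
    printable, on_server = generate_backup_codes()
    print("\n".join(printable))
    print("first code accepted:", redeem_backup_code(on_server, printable[0]))
    print("same code again:", redeem_backup_code(on_server, printable[0]))
```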

Guides:

Conclusion

Using Two-Factor authentication will massively improve your personal or business security, and will help to thwart even those attackers who do manage to obtain your password.

Some people do not like having to enter a code each time they need to login to a website. In that case, tools such as Krypton and Yubikey might be for you. If you are considering making a policy change within your business to mandate use of 2FA (which we strongly encourage), consult your IT group, security provider, and employees about which method will be least disruptive.

If you found this article helpful, please share this article to help your friends and colleagues! Two-Factor authentication is a highly underrated tool in our toolkit in protecting ourselves in the vicious landscape that is the internet. The more people that use it, the better.