2-factor authentication. Protect yo neck (and logins)

A few days ago, I wrote about password managers and why they’re a good idea. You also need to use 2-factor authentication. 2-factor authentication (2FA) and passwords are both ways of solving the same problem: proving to a Web site or app that you are who you say you are. 2-factor says, “I am who I say I am, because of something I know (the password) and something I have (a second device the service knows about).”

Here’s how it works:

  1. You enable 2-factor authentication for a service (Twitter, Gmail, iCloud, Amazon, to name a few).
  2. When you sign in, it asks for your username, your password, and a code that is generated on or delivered to your device.
  3. The code changes continually, every 30 seconds, so that it can’t be stored or guessed by an unauthorized user.

Sounds good, so far?

There are a few ways people deliver 2-factor authentication codes.

  • SMS
  • through an app
  • or in the case of Apple for your iCloud account, popping up notifications on other devices signed in with your iCloud account

SMS sucks. Don’t use it.

Imagine if someone called up your cell phone provider and said they were you. They said, “I’ve lost my phone, and I bought a replacement, can you put my number on it?”

Now they’ve got your phone number. If you use SMS as 2-factor authentication, they can use the “forgot password?” links and sign into your email. And then they can reset passwords on your twitter, amazon, and anything else that uses SMS as 2-factor authentication.

That would be bad. Don’t do it.

Apps: the right way

You have a range of choices. None of them are bad, some are better than others.

Google Authenticator

If you’re using a Google account, and maybe if you aren’t, using Google Authenticator is an easy, fast way to set up 2FA. It isn’t amazing, it doesn’t let you rename an item that you have 2FA enabled for, but it will get the job done.

It has support for automatic setup via QR code, support for multiple accounts, and support for time-based and counter-based code generation, so you can authenticate without a network connection.

One of the other downsides has been that if you set it up on your phone and also want it on your iPad, it doesn’t synchronize between the devices; it is designed to work with one device only. It also doesn’t run on a computer, so you really do need the second device rather than the computer and its clipboard, which is inconvenient.

Authy

Authy does all the same things that Google Authenticator does, and more. Authy set out to solve the multi-device problem: you should be able to authenticate using your phone, iPad, and computer, have all of them work equally well, and have them all show the same codes.

It has support for automatic setup via QR code, support for multiple accounts, and support for time-based and counter-based code generation, so you can authenticate without a network connection. I know I just wrote that for Google Authenticator, but come on, this is basic usability table stakes.

I was an early user of Authy, and for the first year it was pretty bad at this. One problem I used to experience: setting up a new iPad meant re-enrolling all my 2FA accounts on my phone and my iPad at the same time, because it originally did a poor job of that kind of syncing. Fortunately, it outgrew those teething problems and is better today.

1Password

Remember 1Password from the discussion on password managers? 1Password makes it easy to scan the QR codes used to set up 2FA, and store the changing 2FA codes right alongside your passwords. This makes tons of sense: it’s storing your secure passwords, and should also be able to provide the 2FA codes.

It has support for automatic setup via QR code, support for multiple accounts, and support for time-based and counter-based code generation, so you can authenticate without a network connection. Again, table stakes, but in a password manager!

With many sites and apps, when you auto-fill with 1Password, it recognizes that the site has 2FA set up and copies the 2FA code to the clipboard for you, so you can paste it once the username and password have been filled.

And, because it synchronizes across devices as a password manager, it also synchronizes the 2FA accounts across all your devices. This works really elegantly, and is one of the best paths to go.

Enpass

All that stuff I said about 1Password? Enpass does it, too! When I migrated from 1Password to Enpass for a year, Enpass was able to give me 2FA codes, and synchronize them across all my devices.

It has support for automatic setup via QR code, support for multiple accounts, and support for time-based and counter-based code generation, so you can authenticate without a network connection. Yup.

Enpass didn’t copy 2FA codes to the clipboard, but the fact that it stores and synchronizes them was pretty good. Basically, you won’t go wrong if you decide to use Enpass as a password manager and 2FA manager.

Apple iCloud 2FA

Apple takes a slightly different approach for iCloud accounts. Because they designed the operating systems on your iPhone, iPad and Mac, they pop up a 2FA code on the phone along with a map segment, so you can see roughly where the device attempting to log in is located.

Apple doesn’t use QR codes or let you set up any other, non-Apple service here. Their password manager is iCloud Keychain, and it doesn’t do third-party 2FA.

And they do this for all of their services – iCloud.com and the services that touch it, like email, calendars, and so on. It works very well – but you can’t rely on it alone unless Apple’s services are all you ever use. The minute you get a Twitter or Amazon.com account, you need to use it in conjunction with one of the other authenticator tools.

Conclusion

Some people believe that putting 2FA inside a password manager is a bad idea – because it mixes the ‘something you know’ (a password) with ‘something you have’ (another device) – putting them on the same device.

These people aren’t wrong, but the codes are protected by your password manager’s master password, and while, yes, someone could torture you for that master password, you need to consider your level of risk and which kinds of threats you’re defending against. Against ordinary criminals, rather than targeted government surveillance, this is not the worst trade-off, and it increases your convenience and security enormously over doing nothing at all.

Use a 2FA app. Set up 2FA on every service you use, if you can. Don’t wait. More and more services support it every day, and you should use it, too. Authy has a setup guide that you can adapt to any of the apps you choose to use. twofactorauth.org has similar guides, and you should feel comfortable using theirs, too.