Now that you've all wisely used some of your pandemic spare
time to start using a password manager – as recommended by my previous post
-- it's time to move to the next step: using two-factor authentication. This isn't as much fun as watching Netflix,
but with a bit of learning and one-time effort, you can help avoid some pain in
the future by reducing the chance of being hacked.
Instead of jumping to the punch line -- the action to take -- I'm going to first explain why what I’m suggesting is important. This is a long story but I've added some summaries throughout to help make the
material below more digestible.
First, a password manager
If you always use your password manager to log into
online services and if all your passwords are strong and unique, then:
- your passwords won't be guessed or brute-forced,
- your passwords are much less likely to be phished, and
- if your password is part of a credential spill (an attacker breaks into an online service and steals the file containing all of its users' userids and passwords), your password probably won't be cracked, whereas weak passwords definitely will be. (If that service stored passwords properly, yours won't be cracked; if not, it could be. You have little control over this.)
You've protected yourself from the biggest attacks: phishing and (most) credential
spills. Both of these can lead to account
takeover not only of the service in question but also of multiple other accounts
by way of credential stuffing, where an attacker tries a known userid-password
combination on a large list of online services.
Most people – not you, of course – reuse passwords like there's no
tomorrow, making credential stuffing a very worthwhile attack.
TL;DR: Use a password manager on all your online services, as your first line of defense.
Why you also need two-factor authentication
But what if you don't use your password manager
religiously (or not at all :) and are not disciplined with your passwords? That is, you continue to:
- use some weak passwords,
- reuse some passwords,
- not use your password manager for at least some accounts, and/or
- paste some passwords yourself into login forms.
In that case you're still susceptible to phishing attacks
and credential spills, so two-factor authentication (2FA) can provide you some additional protection.
Don't think, though, that by being very careful you
can avoid the need for 2FA. Even security
professionals, who are vigilant with their practices and passwords, will
generally use 2FA wherever it's offered by an online service. They know that mistakes are easy to make and
that defense in depth – having more than one security measure protecting
something – is a very good idea.
(There is another type of attack: keyloggers, a form
of malware (usually). 2FA might provide
some protection against keyloggers, but in general, once a device of yours is
compromised with malware, you're in big trouble no matter what you do. )
The bottom line is to always:
- choose strong and unique passwords for your online services;
- use a password manager to manage your account credentials (userids and passwords) and to autofill your credentials into login forms; and
- use 2FA, on all services that support it.
TL;DR: Use 2FA on all your online services that
support it, as your second line of defense.
But what is 2FA?
That was a long-winded "why" that hopefully
has convinced you that you need to use 2FA.
So now on to the "what".
We'll start with the difference between "two-factor
authentication" (2FA) and another term you may have heard of,
"two-step authentication" (2SA) (or "two-step verification", 2SV).
To substantially simplify the story, the "first
factor" of authentication is usually your password – something you know
– and the "second factor" of authentication (2FA) is either a
physical object whose ownership you can prove – something you have
– or some
biometric aspect of your body – something you are.
If instead of a second factor -- a physical
object or a biometric -- you use some other input into authentication, that's
called a "second step" of authentication (2SA).
A second factor is harder to compromise and so provides
stronger protection than a second step, but the latter is often good enough and
is always better than just using a password.
It's important to note that it's not always agreed on whether a
particular thing is a second factor or a second step – so the difference is a
continuum, not black and white.
The rest of this post will use only the term 2FA, but
in it I’m including the entire 2FA/2SA continuum.
By the way, you'll also see the term "multi-factor authentication" (MFA). MFA is a more general term than 2FA in that
all 2FA is MFA, but not all MFA is 2FA, because MFA encompasses more complex
combinations of authentication inputs than 2FA does. This post deals with the simpler case of 2FA.
TL;DR: In general, use whatever is available on a
particular online service, whether it's called 2FA, 2SA, 2SV, or MFA. (I'll call it "2FA" below for simplicity.)
Flavors of 2FA
There is a wide range of types of 2FA used across
online services. Most services support
only one type but some support more than one.
If you have a choice for a particular service, how do you know which to pick?
The types of 2FA can be ranked very roughly as
follows, from most secure (#1) to least secure (#7):
1. biometric (you likely won't see this for authenticating to online services since biometrics should not go to the cloud for security reasons)
2. hardware token or security key (e.g., U2F, YubiKey)
3. push verification (e.g., Google Prompt, Apple trusted device, Microsoft Authenticator)
4. TOTP authenticator app (e.g., Google Authenticator, Authy)
5. email verification
6. SMS (text) verification
7. phone call verification
If an online service gives you a choice, simply choose
the type highest up the list.
The three types that you are most likely to be able to
use are hardware token, push verification, and TOTP authenticator app. Hardware tokens are very secure but not that
convenient, because you need to always carry a physical token with you. The push notification type is very secure but
for consumers it is mostly limited to apps/services from companies like Google,
Apple, and Microsoft. The authenticator
app type is much more widely available and is quite secure. Authenticator apps typically generate 6-digit
codes that change every 30 seconds, a scheme called Time-based One-Time Password (TOTP).
SMS and phone call 2FA are the least secure and should
be avoided unless there is no other alternative. Before you decide to use SMS or phone call 2FA using your mobile number,
recognize that they won't work if you put a different SIM card in your phone
when traveling. (To be clear, SMS for 2FA is usually better than no 2FA so if a service offers only SMS for 2FA, you should probably use it.)
With TOTP 2FA you're not invincible! Be aware that using an authenticator app provides
some but not complete protection from phishing, because TOTP codes can be
phished (as with passwords). Your combined
best and most convenient protection against a range of threats is using a
password manager and an authenticator app.
TL;DR: For most services, use a TOTP authenticator
app to add 2FA.
Which TOTP authenticator app?
There are, very roughly, a dozen different authenticator
apps available on any OS platform, so how to choose one? The great-grandparent is Google Authenticator,
and most services, when they offer 2FA using an authenticator app, will use the
term "Google Authenticator".
So most users will choose that app -- but you could choose any of the
dozen apps available, because they all generate the same TOTP codes.
This list will help to explain the differences between
the types of TOTP authenticator apps. I've
only shown the most popular ones. (These "types" are my own cooked-up classification scheme.)
- Type 1: Single-device, mobile only: Google
Authenticator (see Note 1 below)
- Type 2: Multi-device, mobile only: Microsoft
Authenticator, LastPass Authenticator, 1Password Authenticator
- Type 3: Multi-device, cross-platform: Authy
A Type 1 app is installed on a single mobile device (usually
a phone), so if you lose that device or buy a new device, you need to go into
every online service you had set up with it, to run through the 2FA recovery
process to reconnect the service to a new device. That's painful.
A Type 2 app is a great improvement in that the data
is backed up to the cloud: so you can easily move your online services' use of
2FA over to another device. But Type 2
apps are only available for mobile devices, which is an inconvenience.
A Type 3 app backs up data to the cloud like Type 2 and
is available on almost all mobile and desktop platforms. With a Type 3 app you can install it on all
your devices and access your TOTP codes from any device at any time.
Alternatively, the other four apps are fine to use as
long as you understand their limitations.
In particular, the 1Password Authenticator -- because it's integrated into
the 1Password service (which is arguably a negative for security) -- can't be used
to provide 2FA for the 1Password service itself; so you'd still need to use
another authenticator app, like Authy, for that.
TL;DR: Use Authy for services for which you want to
use TOTP 2FA.
How to Authy
To use Authy, install the Authy app on all your
devices (computers, phones, and tablets), set up a Backups Password using one Authy
app, and enter that password into all the other Authy apps on all your devices,
so that your Authy apps all sync with each other and your TOTP codes are
available from all devices.
Then, to add Authy 2FA for an online service, log into
the online service on a computer and trigger the 2FA setup process. This will display a QR code on your screen,
and you'll use the Authy app on a phone or tablet to scan it. The TOTP code for that online service will
become immediately available in the Authy app on every one of your devices.
Authy is a zero-knowledge service, which means that all
the 2FA data about your online services is stored in Authy's cloud service in such
a way that Authy itself (or an attacker breaking into their cloud service) cannot
access it – only you can – as long as you choose a strong Backups Password. So, as you would for any password, choose a
long random string and store it in your password manager.
But – and this is important -- also store it somewhere
else. Or print it out and save the sheet
somewhere secure. Otherwise, you can
paint yourself into a "recovery corner". To wit: you'll use Authy 2FA to protect your
password manager, so logging into your password manager is dependent on Authy;
and you'll store the Authy Backups Password in your password manager, so reinstalling
Authy is dependent on your password manager.
Imagine that you then go traveling with only your
phone and for some reason (loss, theft, failure, etc.) have to reinstall your
apps (this is a type of recovery process).
Just knowing your password manager's master password won't be good enough
(as it was before you added 2FA), and you'll be stuck in that recovery corner. There are many ways to address this (I listed
two above), but you need to pick one and implement it ahead of time.
A related issue: to create an Authy account you'll need
to provide both an email address and a phone number; and for recovery purposes the
phone number is the more important of the two.
Make sure that you have access to that phone number when you're
traveling, in case you need to reinstall the Authy app. If you normally get a local SIM card when you
travel, make sure you take your home SIM card with you (if that's the phone
number you used to set up your Authy account).
If you can, use a VoIP number for Authy instead of a cell number, and
you'll avoid this issue -- a Google Voice number is a great choice.
TL;DR: Install Authy on all your devices; carefully
choose which phone number to use; and plan ahead for recovery.
Use it everywhere
Finally, what online services should you use Authy with?
Once you start checking your accounts for 2FA
or not, you'll notice that it's generally your important online services that
offer 2FA, and the unimportant ones tend not to.
(By the way, this website offers a great way
to quickly check on any online service's level of support for 2FA: https://twofactorauth.org/)
So set up 2FA on all your online services that support
it, but start the migration with your most important services – usually your
password manager and your email accounts (and not your bank accounts as you
might imagine). Any email account that
you use as the ownership email address (or the security email address) for any
of your online services is very important to protect. That's because if an attacker can take over such
an email account, they can usually take over (using the password recovery
process) any online service that is tied to that email address.
TL;DR: Set up Authy first on your password manager
and main email account(s), then move to the rest of your accounts.
We're done! If you use a password manager and do so properly, if you set long random passwords on all (or at least your important) accounts, and if you set up 2FA (such as Authy) on all accounts that support it, you'll be resistant to many of today's online security threats, and way ahead of most people.
Note 1: 2020-05-07: Google has added an import/export feature to the Android and iOS versions of Google Authenticator. It's not the same functionality as Authy, and it's not as powerful as Authy's multi-device feature. See: https://security.googleblog.com/2020/05/introducing-portability-of-google.html