May 25, 2020
May 6, 2020
Now that you've all wisely used some of your pandemic spare time to start using a password manager (as recommended by my previous post), it's time to move to the next step: using two-factor authentication. This isn't as much fun as watching Netflix, but with a bit of learning and a one-time effort, you can help avoid some pain in the future by reducing the chance of being hacked.
Instead of jumping to the punch line (the action to take), I'm going to first explain why what I'm suggesting is important. This is a long story, but I've added some summaries throughout to help make the material below more digestible.
First, a password manager
- your passwords won't be guessed or brute-forced,
- your passwords are much less likely to be phished, and
- if your password is part of a credential spill (an attacker breaks into an online service and steals the file containing all of its users' userids and passwords), your password probably won't be cracked, whereas weak passwords definitely will be. (If that service stored passwords properly, yours won't be cracked; if it did not, it could be. You have little control over this.)
Why you also need two-factor authentication
- to use some weak passwords,
- to reuse some passwords,
- to not use your password manager for at least some accounts, and/or
- to paste some passwords yourself into login forms.
- choose strong and unique passwords for your online services;
- use a password manager to manage your account credentials (userids and passwords) and to autofill your credentials into login forms; and
- use 2FA on all services that support it.
But what is 2FA?
Flavors of 2FA
- biometric (you likely won't see this for authenticating to online services, since for security reasons biometric data should not be sent to the cloud)
- hardware token or security key (e.g., U2F, YubiKey)
- push verification (e.g., Google Prompt, Apple trusted device, Microsoft Authenticator)
- TOTP authenticator app (e.g., Google Authenticator, Authy)
- email verification
- SMS (text) verification
- phone call verification
Which TOTP authenticator app?
- Type 1: Single-device, mobile only: Google Authenticator (see Note 1 below)
- Type 2: Multi-device, mobile only: Microsoft Authenticator, LastPass Authenticator, 1Password Authenticator
- Type 3: Multi-device, cross-platform: Authy