2020-05-06

Set up two-factor authentication (2FA) - another nice COVID-19 project

Now that you've all wisely used some of your pandemic spare time to start using a password manager – as recommended by my previous post -- it's time to move to the next step: using two-factor authentication.  This isn't as much fun as watching Netflix, but with a bit of learning and one-time effort, you can help avoid some pain in the future by reducing the chance of being hacked.   

Instead of jumping to the punch line -- the action to take -- I'm going to first explain why what I’m suggesting is important.  This is a long story but I've added some summaries throughout to help make the material below more digestible.

First, a password manager

If you always use your password manager to log into online services and if all your passwords are strong and unique, then:
  • your passwords won't be guessed or brute-forced,
  • your passwords are much less likely to be phished, and
  • if your password is part of a credential spill (an attacker breaks into an online service and steals the file containing all their users' userids and passwords), it (your password) probably won't be cracked (whereas weak passwords definitely will be). (If that service stored passwords properly, yours won't be cracked, but if not it could be. You have little control over this.)
Congratulations!  You've protected yourself from the biggest attacks: phishing and (most) credential spills.  Both of these can lead to account takeover not only of the service in question but also of multiple other accounts by way of credential stuffing, where an attacker tries a known userid-password combination on a large list of online services.  Most people – not you, of course – reuse passwords like there's no tomorrow, making credential stuffing a very worthwhile attack 
 
TL;DR: Use a password manager on all your online services, as your first line of defense.

Why you also need two-factor authentication

But what it you don't use your password manager religiously (or not at all :) and are not disciplined with your passwords?  That is, you continue to:
  • use some weak passwords,
  • to reuse some passwords,
  • to not use your password manager for at least some accounts, and/or
  • to paste some passwords yourself into login forms
In that case you're still susceptible to phishing attacks and credential spills, so two-factor authentication (2FA) can provide you some additional protection.

Don't think, though, that by being very careful you can avoid the need for 2FA.  Even security professionals, who are vigilant with their practices and passwords, will generally use 2FA wherever it's offered by an online service.  They know that mistakes are easy to make and that defense in depth – having more than one security measure protecting something – is a very good idea.

(There is another type of attack: keyloggers, a form of malware (usually).  2FA might provide some protection against keyloggers, but in general, once a device of yours is compromised with malware, you're in big trouble no matter what you do. )

The bottom line is to always:
  • choose strong and unique passwords for your online services;
  • use a password manager to manage your account credentials (userids and passwords) and to autofill your credentials into login forms; and
  • use 2FA, on all services that support it.
TL;DR: Use 2FA on all your online services that support it, as your second line of defense.

But what is 2FA?

That was a long-winded "why" that hopefully has convinced you that you need to use 2FA.  So now on to the "what".  We'll start with the difference between "two-factor authentication" (2FA) and another term you may have heard of, "two-step authentication" (2SA) (or "two-step verification", 2SV).

To substantially simplify the story, the "first factor" of authentication is usually your password -- something you know – and the "second factor" of authentication (2FA) is either a physical object whose ownership you can prove – something you have – or some biometric aspect of your body – something you are.  If instead of a second factor -- a physical object or a biometric -- you use some other input into authentication, that's called a "second step" of authentication (2SA). 

A second factor is harder to compromise and so provides stronger protection than a second step, but the latter is often good enough and is always better than just using a password.  It's important to note that it's not always agreed on whether a particular thing is a second factor or a second step – so the difference is a continuum, not black and white. 
 
The rest of this post will use only the term 2FA, but in it I’m including the entire 2FA/2SA continuum.

By the way, you'll also see the term "multi-factor authentication" (MFA).  MFA is a more general term than 2FA in that all 2FA is MFA, but all MFA is not 2FA, because MFA encompasses more complex combinations of authentication inputs than 2FA does. This post deals with the simpler case of 2FA.

TL;DR: In general, use whatever is available on a particular online service, whether it's called 2FA, 2SA, 2SV, or MFA.  (I'll call it "2FA" below for simplicity.)
 

Flavors of 2FA

There is a wide range of types of 2FA used across online services.  Most services support only one type but some support more than one.  If you have a choice for a particular service, how do you know which to pick?
 
The types of 2FA can be ranked very roughly as follows, from most secure (#1) to least secure (#7):
  1. biometric (you likely won't see this for authenticating to online services since biometrics should not go to the cloud for security reasons)
  2. hardware token or security key (e.g., U2F, YubiKey)
  3. push verification (e.g., Google Prompt, Apple trusted device, Microsoft Authenticator)
  4. TOTP authenticator app (e.g., Google Authenticator, Authy)
  5. email verification
  6. SMS (text) verification
  7. phone call verification
If an online service gives you a choice, simply choose the type highest up the list.
The three types that you are most likely to be able to use are hardware token, push verification, and TOTP authenticator app.  Hardware tokens are very secure but not that convenient, because you need to always carry a physical token with you.  The push notification type is very secure but for consumers it is mostly limited to apps/services from companies like Google, Apple, and Microsoft.  The authenticator app type is much more widely available and is quite secure.  Authenticator apps typically generate 6-digit codes that change every 30 seconds, a scheme called Time-based One-Time Password (TOTP).

SMS and phone call 2FA are the least secure and should be avoided unless there is no other alternative.  Before you decide to use SMS or phone call 2FA using your mobile number, recognize that they won't work if you put a different SIM card in your phone when traveling.  (To be clear, SMS for 2FA is usually better than no 2FA so if a service offers only SMS for 2FA, you should probably use it.)

With TOTP 2FA you're not invincible!  Be aware that using an authenticator app provides some but not complete protection from phishing, because TOTP codes can be phished (as with passwords).  Your combined best and most convenient protection against a range of threats is using a password manager and an authenticator app.

TL;DR: For most services, use a TOTP authenticator app to add 2FA.
 

Which TOTP authenticator app?

There are, very roughly, a dozen different authenticator apps available on any OS platform, so how to choose one?  The great-grandparent is Google Authenticator, and most services, when they offer 2FA using an authenticator app, will use the term "Google Authenticator".  So most users will choose that app -- but you could choose any of the dozen apps available, because they all generate the same TOTP codes.

This list will help to explain the differences between the types of TOTP authenticator apps.  I've only shown the most popular ones.  (These "types" are my own cooked-up classification scheme.)
  • Type 1: Single-device, mobile only: Google Authenticator (see Note 1 below)
  • Type 2: Multi-device, mobile only: Microsoft Authenticator, LastPass Authenticator, 1Password Authenticator
  • Type 3: Multi-device, cross-platform: Authy
A Type 1 app is installed on a single mobile device (usually a phone), so if you lose that device or buy a new device, you need to go into every online service you had set up with it, to run through the 2FA recovery process to reconnect the service to a new device.  That's painful.

A Type 2 app is a great improvement in that the data is backed up to the cloud: so you can easily move your online services' use of 2FA over to another device.  But Type 2 apps are only available for mobile devices, which is an inconvenience.  

A Type 3 app backs up data to the cloud like Type 2 and is available on most all mobile and desktop platforms.  With a Type 3 app you can install it on all your devices and access your TOTP codes from any device at any time.

Authy (https://authy.com/) is the only Type 3 app available and is my suggestion for most people (outside of enterprises) and most online services.  You can learn more about Authy and how to use it in this excellent article:  https://thewirecutter.com/reviews/best-two-factor-authentication-app/

Alternatively, the other four apps are fine to use as long as your understand their limitations.  In particular, the 1Password Authenticator -- because it's integrated into the 1Password service (which is arguably a negative for security) -- can't be used to provide 2FA for the 1Password service itself; so you'd still need to use anther authenticator app, like Authy, for that.

TL;DR: Use Authy for services for which you want to use TOTP 2FA.
 

How to Authy

To use Authy, install the Authy app on all your devices (computers, phones, and tablets), set up a Backups Password using one Authy app, and enter that password into all the other Authy apps on all your devices, so that your Authy apps all sync with each other and your TOTP codes are available from all devices.  

Then, to add Authy 2FA for an online service, log into the online service on a computer and trigger the 2FA setup process.  This will display a QR code on your screen, and you'll use the Authy app on a phone or tablet to scan it.  The TOTP code for that online service will become immediately available in the Authy app on every one of your devices.

Authy is a zero-knowledge service, which means that all the 2FA data about your online services is stored in Authy's cloud service in such a way that Authy itself (or an attacker breaking into their cloud service) cannot access it – only you can – as long as you choose a strong Backups Password.  So, as you would for any password, choose a long random string and store it in your password manager.  

But – and this is important -- also store it somewhere else.  Or print it out and save the sheet somewhere secure.  Otherwise, you can paint yourself into a "recovery corner".  To wit: you'll use Authy 2FA to protect your password manager, so logging into your password manager is dependent on Authy; and you'll store the Authy Backups Password in your password manager, so reinstalling Authy is dependent on your password manager.  

Imagine that you then go traveling with only your phone and for some reason (loss, theft, failure, etc.) have to reinstall your apps (this is a type of recovery process).  Just knowing your password manager's master password won't be good enough (as it was before you added 2FA), and you'll be stuck in that recovery corner.  There are many ways to address this (I listed two above), but you need to pick one and implement it ahead of time.

A related issue: to create an Authy account you'll need to provide both an email address and a phone number; and for recovery purposes the phone number is the more important of the two.  Make sure that you have access to that phone number when you're traveling, in case you need to reinstall the Authy app.  If you normally get a local SIM card when you travel, make sure you take your home SIM card with you (if that's the phone numbers you used to set up your Authy account).  If you can, use a VoIP number for Authy instead of cell number, and you'll avoid this issue -- a Google Voice number is a great choice.

TL;DR: Install Authy on all your devices; carefully choose which phone number to use; and plan ahead for recovery.

Use it everywhere

Finally, what online services should you use Authy with?  Once you start checking your accounts for 2FA or not, you'll notice that it's generally your important online services that offer 2FA, and the unimportant ones tend not to.  (By the way, this website offers a great way to quickly check on any online service's level of support for 2FA:  https://twofactorauth.org/)

So set up 2FA on all your online services that support it, but start the migration with your most important services – usually your password manager and your email accounts (and not your bank accounts as you might imagine).  Any email account that you use as the ownership email address (or the security email address) for any of your online services is very important to protect.  That's because if an attacker can take over such an email account, they can usually take over (using the password recovery process) any online service that is tied to that email address.

TL;DR: Set up Authy first on your password manager and main email account(s), then move to the rest of your accounts

Congratulations

We're done! If you use a password manager and do so properly, if you set long random passwords on all (or at least your important) accounts, and if you set up 2FA (such as Authy) on all accounts that support it, you'll be resistant to many of today's online security threats, and way ahead of most people.

~~~~~

Good reading:

Note 1:  2020-05-07: Google has added an import/export feature to the Android and iOS versions of Google Authenticator.  It's not the same functionality as Authy, and it's not as powerful as Authy's multi-device feature.  See: https://security.googleblog.com/2020/05/introducing-portability-of-google.html