My love/hate relationship with two-factor authentication
Ok, ok …I don’t HATE it, but it is annoying!
Every time I want to sign in, first I must remember my username and password (with at least 12 characters, numbers, capital letters and symbols, it's so strong that not even I can remember it!).
Then, what's this?! It's asking for ANOTHER code. Now where did I put my phone arghhhh!
So, I think we can all agree it is not everyone’s favourite security tool
…but it IS a necessary one.
With weak or stolen credentials behind most attacks on online applications, hackers are getting the upper hand. To tip the security scales back in our favour we need to use these invaluable (if slightly more time-consuming 😉) tools.
What is two-factor authentication?
In layman's terms, it's an extra layer of security on top of your regular password. If your password (the first layer) is breached, the hacker would still need your second factor, which is usually something only you have (typically your phone), to get past the two-factor layer and into the account.
You might also see two-factor authentication referred to as multi-step verification, two-step verification, MFA, 2FV, 2FA …you get the gist. Strictly speaking they are not all identical (MFA can mean more than two factors, and a second step is not always a second factor), but in practice they all mean the same thing: a second check beyond the password.
2FA is a must-have for online banking, email, social media accounts (Facebook, Twitter, Instagram and LinkedIn), password managers (LastPass, MyGlue etc.), communications apps (Skype, Teams), cloud storage accounts (OneDrive, Dropbox, Sync) and online shopping …to name just a few.
There are many ways to receive a two-factor authentication code; in most cases these are receiving a code by SMS or using an authenticator app. The latter is the more secure of the two. The reason is that if someone hijacks your phone number (a "SIM swap", which unfortunately isn't that hard to achieve), any SMS codes you would have received go to their device instead. If they had already obtained your password, that gives them access to your account. An authenticator app generates its codes on the device itself from a secret shared during setup, so there is nothing sent over the phone network for a number hijacker to intercept.
Two-factor authentication apps available
There are many two-factor authentication apps available on the market. I have listed four below.
Google Authenticator
This is one of the most common authenticator apps. It is simple to use, free and available for both Android and iOS.
How to setup Google Authenticator
- Install the Google Authenticator app.
- Then you will need to enable two-factor authentication on whichever service you are using (Facebook, Dropbox etc.).
- Once enabled, you will be asked to tie your authenticator app to the service. You do this by scanning the QR code the service shows you with the app (early Android versions of Google Authenticator needed a separate barcode scanner app for this; current versions scan in-app). The QR code contains the shared secret that generates your codes, so treat it like a password: don't screenshot it or leave it lying around.
- Authenticator will then start generating unique codes which you will be prompted to enter each time you log in to your service. You can add as many accounts as you like. Most services also give you a set of backup or recovery codes when you enable 2FA; store these somewhere safe (your password manager is a good place), because they are the only way back in if you lose the phone.
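To make concrete what the QR code in the setup steps actually hands to the app, and why an app-generated code cannot be intercepted the way an SMS can, here is an added example in Python. It is not part of the original post and is not Google's code: it parses the otpauth:// URI that a setup QR code encodes (Google's key-URI format), derives the 6-digit code with the standard TOTP algorithm (RFC 6238: HMAC-SHA1 over a 30-second counter, as Google Authenticator does by default), and shows the check a server performs with a small clock-drift window. The issuer and account name in the URI are made up; the secret is the RFC 6238 reference key "12345678901234567890" in base32, so the codes can be checked against the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of what a setup QR code encodes (Google's key-URI format).
# Issuer and account are made up; the secret is the RFC 6238 reference key
# "12345678901234567890" in base32, so the codes below match the RFC's vectors.
EXAMPLE_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank"
)


def parse_otpauth_uri(uri):
    """Pull the shared secret and parameters out of an otpauth://totp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "secret": params["secret"][0],
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(secret, counter), dynamic truncation, then the last 'digits' decimal digits."""
    secret = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # re-add stripped base32 padding
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the number of 'period'-second steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // period, digits, algorithm)


def verify_totp(secret_b32, submitted, at_time=None, period=30, digits=6, algorithm="SHA1", window=1):
    """Server-side check: accept the current step plus 'window' steps either side for clock drift.
    Every candidate is compared in constant time so timing does not reveal which digits matched."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    submitted = submitted.strip().encode()
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, step + delta, digits, algorithm).encode()
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    acct = parse_otpauth_uri(EXAMPLE_URI)
    print("Enrolled:", acct["issuer"], acct["label"])
    print("Code right now:", totp(acct["secret"], period=acct["period"], digits=acct["digits"]))
```

Nothing in this exchange ever leaves the phone: the only thing the user sends the service is the 6-digit result, which is useless 30 seconds later and says nothing about the secret. The window in `verify_totp` is the usual compromise between tolerating a slightly wrong phone clock and limiting how long a code stays valid; a real server would also refuse to accept the same code twice.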
Authy
This one is best if you change your smartphone often. This clever app keeps an encrypted backup of your 2FA tokens (the shared secrets that generate your codes) in the cloud, so when you get a new device you can get your 2FA codes back (if you've remembered your backup passcode, that is!). You can access your 2FA tokens on any device (your phone, tablet, desktop, even your Apple Watch).
How to setup Authy
- Install the Authy app on your device.
- You will then be prompted to enter your mobile phone number and email address.
- Once entered, you’ll be sent a PIN, which you will need to enter to confirm you have access to the phone number.
- Next you will need to setup two-factor authentication on your service by pulling up the two-factor authentication setup page and tying your app to the service.
- You will be asked to scan a QR code. To do this, open the app and tap the plus icon to add a new account, then tap "Scan QR code". The account will be added to Authy.
Duo
Duo is a fantastic product for business. Although you can use its 2FA app in a similar way to the others mentioned in this post, Duo lets you secure more than just online services: you can use 2FA to protect a wide array of internal systems such as Active Directory logons (signing in to your PC), Remote Desktop and VPN access to your company's network. Duo offers a variety of authentication methods including SMS, phone call and its own easy-to-use app. At Dufeu we use Duo to secure our systems, it is a great easy to use product that businesses can rely on. Duo is free for up to 10 users but depending on your requirements you may need the paid versions, Duo Access or Duo Beyond.
How to setup Duo
- Setup your Duo account online and configure.
- Download the Duo Mobile app (the one-tap approvals it sends are called Duo Push).
- Follow one of the easy to use guides to setup your chosen service for use with Duo.
- When you attempt to log in to your service a notification will be pushed to your Duo app. All you need to do is confirm the push notification by tapping the green tick button and you will be granted access to your service…no codes required! One check worth making a habit of: only approve a push for a login you just started yourself. A push that turns up when you weren't logging in means someone else has your password and is trying to get through the second barrier, so deny it and change the password.
LastPass Authenticator
LastPass Authenticator uses a feature called one-tap push notifications to let you log in to top sites on your PC with one click (instead of entering a code). It's free and makes the 2FA process quick and easy. LastPass Authenticator is available on both Android and iOS.
How to setup LastPass
- Download the LastPass Authenticator app on your mobile device.
- Login to LastPass on your desktop/laptop and open your vault (if you don’t have an account you will need to set one up).
- Next, launch “Account Settings” from your vault and under “Multifactor Options”, edit LastPass Authenticator. Follow the prompts on your screen, view the QR code and scan it with the LastPass Authenticator app.
- Set your preferences and save your account changes.
- LastPass Authenticator is now enabled. When you next log in to your service, visit its two-factor authentication setup page and, when prompted, generate a 6-digit, 60-second code from your LastPass Authenticator app, approve the push notification, or send yourself a code via SMS. Then enter the code into the login prompt on the screen or approve the authentication request.
Does this mean I am completely safe from hackers?
No. As with any new technology, hackers love a challenge and will try to find a way around it. But for now, feel safe in the knowledge that if you have 2FA set up on your account, anyone who gets past your password will be met by an additional barrier protecting your account. Unless the hacker has also stolen your phone (or talked you into handing over a code), your password alone is no longer enough to get in.
Having to unlock your phone and open an app every time you want to sign in is annoying. What's worse, though, is one day realising you can't access any of your online accounts, your credit card has been maxed out and your email has been breached.
So, I guess if I really have to, I can point my phone at my face to unlock it, press the authenticator icon and write in the code it gives me.
…If I absolutely have to 😉
Creative Marketing Designer at Dufeu IT | Wife to a tech genius | Mother of two little princesses