Getting Comfortable With The Basics

Two Factor Authentication

Protect Your Accounts

What is two-factor authentication?

Two-factor authentication (2FA), sometimes called two-step verification or dual-factor authentication, is a security process in which users provide two different authentication items to verify themselves. This process protects both the user’s credentials and the user’s account.

An authentication method is a form of verification that helps a security system decide whether the person trying to log in is who they claim to be.

One-Time Password (OTP) is a generic term for a unique password (token) that can be used only once.


The most common authentication methods, grouped by strength:

Least secure, but much better than no two-factor authentication at all:

  • SMS Passcode is an OTP sent to your mobile device via an SMS message.
  • An Email Link contains an OTP token or a link you must click to authenticate to your application.

Good security, and convenient:

  • A Time-Based One-Time Password (TOTP) is an OTP generated from the current time and a pre-shared secret key. A software OTP token is a mobile app on your phone that generates these OTPs.
       Note: This is the protocol the Authy and 2FAS apps use.
  • Push Notification is an authentication request sent to your phone that you approve or deny with a single tap—used by Microsoft, Google, and many others.

Highest security, but with some cost and complexity:

  • Hardware OTP Token is a physical token that generates and displays OTPs.
  • U2F/WebAuthn Security Keys are hardware tokens you plug into your computer to confirm your identity; the YubiKey hardware authentication device is one example.
  • The QR Code authentication method is a type of OTP in which the one-time password is delivered as a QR code you must scan with your phone.
  • Fingerprint or Face ID, used to unlock a device or application or to approve a request.

2FAS App: The world’s most secure, private, and simple 2FA app.

  • Secure – Easily restore your tokens with backups. | Add app protection with your passcode or biometrics. | 2FAS is open source, transparent, and community-driven.
  • Simple – 2FAS syncs across your mobile devices. | An interface designed for simplicity. | One-tap authentication with 2FAS Browser Extensions.
  • Private – 2FAS works offline. | It doesn’t store any passwords or metadata. | 100% anonymous use, no account required.

Things I like about 2FAS

  • It works on Android and iPhone, with a browser extension.
  • Being open-source software, security researchers can scrutinize the code.
  • It supports exporting and importing your TOTP keys, so you can create an online or fully offline secure backup.
  • It can maintain an end-to-end-encrypted cloud backing store that synchronizes all your running instances.
  • Browser extensions for Mac, Windows, or Linux are available.

It’s easy to see why it is a good choice.

Authy App:

Authy brings the future of strong authentication to the convenience of all your devices. The Authy app generates secure 2-step verification tokens on your device. It helps you protect your account from hackers and hijackers by adding layers of security. Authy makes it easy to use Two-Factor Authentication on your online accounts using your smartphone.

Why Authy is the best multi-factor authentication app:

Download Authy for Android, iPhone, Mac, and Windows computers

Are Third-Party Authenticator apps safe?

Underlying principles and protocols affect safety more than the implementation does. Authy requires your phone number, which is a minor privacy issue.

Hardware security keys, like the YubiKey, are the safest option, but they have a cost and are less convenient. Most people always have their phones with them.

Note: As with any app, don't install an unknown or unrecommended authenticator, even if it looks legitimate. Impersonators have shown up on app stores. Stick with recommended apps from well-known companies.



The Google Titan Security Key – helps prevent account takeovers from phishing attacks.


Google 2-step verification

  • Google 2-step verification – How it works: Google 2-step verification adds an extra layer of security to your Google Account by requiring you to have access to your phone and your username and password when you sign in. I use this feature; it requires more effort to set up but makes your Google account more secure than most banking sites. Glenn
    • Install Google Authenticator – If you set up 2-step Verification, you can use the Google Authenticator app to receive codes even if you don’t have an Internet connection or mobile service.

Protect Your Accounts

Most digital accounts have settings that can help you regain control of your account if it is compromised. However, the recovery settings must be set up before the account is compromised.

These are the things you can do:

  • Create a PIN for logins and password changes. Setting a PIN with your cellular carrier is critical, as it is a strong defense against SIM hijacking.
  • Use an app-based two-factor method, for example Google Authenticator or Authy, instead of SMS-based 2FA logins. For extra security, use a hardware token to protect your accounts.
  • Create and record backup codes (some accounts use the term grid codes, recovery codes, etc.). They are all one-time-use recovery access for your account. Print these codes and store them in a safe place (fireproof safe, safe deposit box, or at least off-site).
  • Use security recovery questions that are not related to your personal life. I answer the security questions with random text from my password manager and store the answers in each site's notes area in the password manager.
  • Don't use your smartphone's phone number for your accounts, if possible. (If a phone number is required, use a Google Voice number for your sensitive accounts.)
  • Use long, randomized, and unique passwords for each account.
  • Use a secure password manager.
  • Don't use services such as Google, Facebook, or Twitter to sign in to other services; if an attacker compromises one of them, they gain access to more of your digital life.
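The backup-code item above describes codes that work exactly once. As an added example, not code from this page or from any of the services it names, here is how a service can implement that property in Python: generate the codes from the operating system's CSPRNG, store only salted PBKDF2 hashes so a leaked database does not expose usable codes, and delete each hash on its first successful use. The code format, length, alphabet and iteration count are my assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import List

# Constructed choice: lowercase letters and digits read reliably from a printout.
ALPHABET = string.ascii_lowercase + string.digits


def generate_backup_codes(count: int = 10, length: int = 10) -> List[str]:
    """Return `count` random codes shaped like 'a1b2c-3d4e5' for the user to
    print and store offline. secrets.choice draws from the OS CSPRNG."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[:length // 2] + "-" + raw[length // 2:])
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it: spaces, dashes, any case."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stolen table of hashes is not a list of codes."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, iterations)


class BackupCodeStore:
    """What the service keeps per user: a salt and the hashes of unused codes."""

    def __init__(self, codes: List[str]):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, code: str) -> bool:
        """True on the first use of a valid code; the matching hash is removed so
        a second submission of the same code fails. compare_digest avoids timing leaks."""
        candidate = hash_code(code, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):
                del self.hashes[i]
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("\n".join(codes))               # what the user prints and locks away
    print(store.redeem(codes[0]))         # True
    print(store.redeem(codes[0]))         # False: already consumed
    print(store.remaining())              # 9
```

Because only hashes are stored, the codes can be shown to the user exactly once, at generation time; that is why the page tells you to print them immediately and keep the printout somewhere safe.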

You should also note account-related information that identifies you as the rightful account holder:

  • When you created the account
  • Previous screen names on the account
  • Physical addresses associated with the account
  • Credit card numbers or bank statements showing purchases you made
  • Gaming accounts: character names or content you created for an online video game

Making a list of all your critical accounts will make reacting to SIM swaps or identity theft easier, since you can quickly go through each service and change passwords, email addresses, and so on. Store the list securely, preferably as a printout rather than on an online service.


Cautionary Tales

Please turn on two-factor authentication – Two-factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a phone.

The Tech Guy with Leo Laporte – Leo provides entertaining tech talk from computers, the internet, iPods, and cell phones to camcorders, digital cameras, gaming systems, and home theaters. The Tech Guy airs every weekend in over 170 cities in the US and Canada.

Here is an excerpt from the July 29th, 2017, Tech Guy program.

How can I get my Gmail account back from a hacker? – Clinton from Alberta, Canada

Clinton’s Google account was hacked, and his password-recovery email address was changed. Leo says that is why Google and Leo recommend two-factor authentication: he would have been contacted when the password change happened. He can also use a secondary email. Clinton can contact Google and perhaps get his account back by answering questions only he would know.

He should also remember that any other sites using this address as their recovery email are vulnerable too, so he will have to get his email account back ASAP before more accounts are compromised.

Check out these articles on hacking for more guidance:

Kevin Roose: I dared two expert hackers to destroy my life. Here’s what happened.
Mat Honan: How I Resurrected My Digital Life After an Epic Hacking