Getting Comfortable With The Basics

Two Factor Authentication

Protect Your Accounts

What is two-factor authentication?

Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security process in which users provide two distinct authentication factors to verify their identity. This process protects both the user’s credentials and the user’s account.

An authentication method is a form of verification that helps a security system determine whether the person trying to log in is who they claim to be.

One-Time Password (OTP) is a generic term for a unique password (token) that you use only once.


The most common authentication methods:

The least secure, but much better than no two-factor authentication at all.

  • SMS Passcode is an OTP sent to your mobile device via SMS.
  • An Email Link contains an OTP token or a link you must click to authenticate your application.

Good security, using TOTP, and it is convenient.

  • A Time-Based One-Time Password (TOTP) is an OTP generated by a time-based algorithm using a pre-shared secret key. A software OTP token is a mobile app on your phone that generates OTPs. Note: this is the protocol used by all TOTP applications.

Two-factor authentication applications generally use a technique called Time-based One-Time Password (TOTP). These phone applications are typically free to download from app stores to phones or tablets and include products such as Proton Authenticator, Bitwarden Authenticator, 2FAS, Ente Auth, Google Authenticator, Microsoft Authenticator, and more. These apps create verification codes that enhance security by providing a unique code every 30 seconds. The Bitwarden browser extension can also generate Time-based One-Time Password (TOTP) codes. It is my preferred method for generating TOTP codes.

The sequence for setting up a website to use an app for two-step verification generally flows like this:

  • The user accesses the website or application where they want to add two-step verification and initiates the setup process.
  • The website shares an authenticator key as a QR code. If the QR code does not work, the authenticator key is often made available as a long text string.
  • The user scans the QR code using their camera or enters the text string.
  • The account is saved within the authenticator app.
  • The website asks for the 6-digit one-time code to verify and finish the setup process.
  • The next time the user goes to log in to the website/application, it will prompt not only for username/password, but also for the time-based 6-digit code. That code will change every 30 seconds in both the authenticator app and the website/application login system, providing stronger security than merely receiving a verification code via email or text message.

Also offering good security

  • Push Notification is an authentication request sent to your phone that you approve or deny with a single tap—used by Microsoft, Google, and many others.

Highest security, but with some cost and complexity.

  • A hardware OTP Token is a physical token that generates and displays OTPs.
  • U2F/WebAuthn Security Keys are hardware tokens you plug into your computer to confirm your identity. An example of this is the YubiKey hardware authentication device.
  • The QR Code authentication method is a type of OTP in which the one-time password is a QR code you must scan using your phone.
  • Fingerprint or Face ID for device or application unlock or request approval.

Save two-factor authentication codes in BitWarden

To set up two-factor authentication (2FA) for a website using the Bitwarden browser extension Integrated Authenticator, follow these steps. It’s available with Bitwarden’s premium features.

  1. Install the Extension: Ensure you have the Bitwarden browser extension installed from your browser’s marketplace or the Bitwarden Downloads page.
  2. Log in to the Extension: Click the Bitwarden icon in your browser’s toolbar, then log in with your email address and master password.
  3. Using the Bitwarden extension, log in to the account for which you want to set up 2FA.
  4. The website shares an authenticator key as a QR code or as a long text string. Copy this string.
  5. Access 2FA Settings in the browser extension by choosing Edit, and navigate to the Authenticator key area. Paste the previously copied Authenticator text string into the Authenticator key area.
  6. Choose Save to store the Authenticator key.
  7. The website asks for the 6-digit one-time code to verify and finish the setup process.
  8. The next time the user goes to log in to the website/application, it will prompt not only for username/password, but also for the time-based 6-digit code. That code will change every 30 seconds in both the authenticator app and the website/application login system, providing stronger security than merely receiving a verification code via email or text message.

To ensure you never lose access to your accounts, save recovery codes.

  • Website 2FA Recovery Codes: It’s also recommended to store any recovery codes provided by the service in a secure location, such as a Secure Note in Bitwarden, so you can access your accounts if you lose access to your 2FA device.
  • Critical Account Recovery Codes: i.e., your Password Manager and primary Email account.
    • Use the Bitwarden Security Readiness Kit to record Critical Account details. Make a copy or download the document in fillable PDF format, then print it and keep it at a trusted relative’s house or in a bank safe deposit box. Or save the PDF file and store it in a safe place, such as an encrypted file, a thumb drive stored in a safe, or a bank safe deposit box.

By following these steps, you can securely manage and use your 2FA codes in Bitwarden.


Save critical TOTP codes in a separate application

Proton Authenticator’s Two-factor authentication (2FA) adds a second layer of login security to your most critical accounts (i.e., your Password Manager and primary Email account). Start by getting a free Proton Mail account.

Proton Drive is a secure, end-to-end encrypted cloud storage service developed by the same team behind Proton Mail, Proton VPN, and Proton Authenticator. It prioritizes user privacy by encrypting files before they leave the user’s device, ensuring only the user and those they share with can access the content. Proton is based in Switzerland, which is known for its strong privacy laws.

Proton Authenticator Help and Information


Other TOTP apps

2FAS App: The world’s most secure, private, and simple 2FA app.

  • Secure – Easily restore your tokens with backups. | Add app protection with your passcode or biometrics. | 2FAS is open source, transparent, and community-driven.
  • Simple – 2FAS syncs across your mobile devices. | An interface designed for simplicity. | One-tap authentication with 2FAS Browser Extensions.
  • Private – 2FAS works offline. | It doesn’t store any passwords or metadata. | 100% anonymous use, no account required.

Things I like about 2FAS

  • It works on Android and iPhone with a browser extension.
  • Being open-source software, the code can be scrutinized by security researchers.
  • It supports exporting and importing your TOTP keys to create an online or full offline secure backup.
  • It has a system that lets you maintain a cloud-backed, e2e-encrypted store that synchronizes all running instances.
  • Browser extensions are available for Mac, Windows, or Linux.

It’s easy to see why it is a good choice.

2FAS Help

Reviews and Help


Authy App:

Authy brings the future of strong authentication to the convenience of all your devices. The Authy app generates secure 2-step verification tokens on your device. It helps you protect your account from hackers and hijackers by adding layers of security. Authy makes it easy to use Two-Factor Authentication on your online accounts using your smartphone.

Why Authy is the best multi-factor authentication app:

Download Authy for Android, iPhone, Mac, and Windows Computers


Are Third-Party Authenticator apps safe?

Underlying principles and protocols affect safety more than implementation. Authy requires your phone number, which is a minor privacy issue.

Hardware security keys, such as the YubiKey, are the safest option. But they cost money and are less convenient, whereas most people always have their phones with them.

Note: As with all apps, be sure not to install an unknown, unrecommended authenticator, even if it looks good. Impersonators have appeared in app stores. Stick with the recommended ones from well-known companies.



The Google Titan Security Key – Helps prevent account takeovers from phishing attacks.


Google 2-step verification

  • Google 2-step verification – How it works: Google 2-step verification adds an extra layer of security to your Google Account by requiring you to have access to your phone and your username and password when you sign in. I use this feature; it requires more effort to set up, but it makes your Google account more secure than most banking sites. Glenn
    • Install Google Authenticator – If you set up 2-step Verification, you can use the Google Authenticator app to receive codes even if you don’t have an Internet connection or mobile service.

Protect Your Accounts

Most digital accounts have settings that can help you regain control if they’re compromised. However, the recovery settings must be set up before your account is compromised. 

These are the things you can do:

  • Create a PIN for logins and password changes. A PIN is critical to set up with your cellular carrier, as it’s a great defense against SIM hijacking.
  • Use a two-factor authentication method, such as Google Authenticator or Authy, instead of SMS-based 2FA. For extra security, use a hardware token to protect your accounts.
  • Create and record Backup codes (some accounts use the terms Grid or Recovery code). They are all one-time-use recovery access codes for your account. These codes should be printed and stored in a safe place (a fireproof safe, a safe deposit box, or at least off-site).
  • Use security recovery questions that are not related to your personal life. I answer the security questions with random text from my password manager and store them in each site’s password manager notes area.
  • Don’t use your smartphone number on your accounts, if possible. (If a phone number is needed, use a Google Voice number for your sensitive accounts.)
  • Use long, randomized, and unique passwords for each account.
  • Use a secure password manager.
  • Don’t use services like Google, Facebook, Twitter, etc., to sign in to other services; if an attacker compromises one of those services, they can access more of your digital life.
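The "Backup codes" item above describes one-time-use recovery codes. What makes them safe to print and keep in a drawer is how the service handles them: it hands you the plaintext once, stores only a salted, stretched hash, and deletes the hash the first time a code is redeemed. The block below is an added example of that service-side handling, not code from the original page or from any named provider; the function names, the in-memory `store` dictionary standing in for a database, and the 10-code, 40-bits-per-code sizing are assumptions.

```python
# Added example (not from the original page): issuing and consuming one-time
# backup codes on the service side. Helper names are hypothetical; the `store`
# dict stands in for a database table. Standard library only.
import hashlib
import hmac
import secrets
from typing import Dict, List

CODE_BYTES = 5        # 40 bits of randomness per code (10 hex characters)
CODE_COUNT = 10       # codes issued per batch
KDF_ITERATIONS = 50_000  # stretching makes brute-forcing a leaked hash costly


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: case, dashes, spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store only a salted hash so a leaked database does not leak usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, KDF_ITERATIONS)


def issue_backup_codes(store: Dict[str, dict], user: str,
                       count: int = CODE_COUNT) -> List[str]:
    """Generate fresh codes, keep only their hashes, return plaintext once.

    Re-issuing replaces the old batch, so lost codes can be invalidated.
    """
    salt = secrets.token_bytes(16)
    raw = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    store[user] = {
        "salt": salt,
        "hashes": [_hash_code(c, salt) for c in raw],
    }
    # Format as xxxxx-xxxxx for printing; _normalize strips the dash on input.
    return [f"{c[:5]}-{c[5:]}" for c in raw]


def redeem_backup_code(store: Dict[str, dict], user: str, submitted: str) -> bool:
    """Return True and burn the code if it matches an unused one for this user."""
    entry = store.get(user)
    if entry is None:
        return False
    digest = _hash_code(_normalize(submitted), entry["salt"])
    for stored in entry["hashes"]:
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(stored, digest):
            entry["hashes"].remove(stored)  # one-time use: remove on success
            return True
    return False


def remaining_backup_codes(store: Dict[str, dict], user: str) -> int:
    """How many unused codes the user has left (prompt to re-issue when low)."""
    entry = store.get(user)
    return len(entry["hashes"]) if entry else 0


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    printed = issue_backup_codes(db, "alice")
    print("Print and store these once:", *printed, sep="\n  ")
    print("First use accepted:", redeem_backup_code(db, "alice", printed[0]))
    print("Replay rejected:", redeem_backup_code(db, "alice", printed[0]))
    print("Codes left:", remaining_backup_codes(db, "alice"))
```

The user-facing consequence is the one the article gives: because the service cannot recover a code from its hash, the printed sheet is the only copy, so it belongs in a safe or safe deposit box, and each code stops working the moment it has been used once.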

You should also note account-related information identifying you as the rightful account holder.

  • When you created the account
  • Previous screen names on the account
  • Physical addresses associated with the account
  • Credit card numbers or bank statements that show you made purchases.
  • For gaming accounts, details such as character names or content you created for an online video game.

Making a list of all your critical accounts will make it easier to respond to SIM swaps or ID theft, as you can quickly review each service and change passwords, email addresses, and other settings. The list should be stored securely, as a printout, rather than saved on an online service.


Cautionary Tales

Please turn on two-factor authentication. Two-factor authentication means “something you know” (like a password) and “something you have” (like a phone).

The Tech Guy with Leo Laporte – Leo provides entertaining tech talk on computers, the internet, iPods and cell phones, camcorders, digital cameras, gaming systems, and home theaters. The Tech Guy airs every weekend in over 170 cities in the US and Canada.

Here is an excerpt from the July 29th, 2017, Tech Guy program.

How can I get my Gmail account back from a hacker? Clinton from Alberta, Canada

Clinton’s Google account got hacked, and his password recovery email address was changed. Leo says that’s why Google and Leo recommend 2 Factor Authentication, so that he would be contacted if a password changes. He can also use a secondary email. Clinton can contact Google and perhaps get his account back by answering questions only he would know.

He should remember that they are also vulnerable if he uses this as a recovery email for other sites. So he’ll have to get his email account back ASAP before more accounts are compromised.

Check out these articles on hacking for more guidance:

Kevin Roose: I dared two expert hackers to destroy my life. Here’s what happened.
Mat Honan: How I Resurrected My Digital Life After an Epic Hacking