Passwords alone are hopelessly weak and fragile security measures.
Don’t be fooled by the myth that creating a stronger password will somehow make you safe online. You can create a password that is so long and complex it takes you five minutes to type, and it will do nothing to protect you if the service where you use that password stores it improperly and then has their server breached. It happens regularly.
And even with reasonable policies in place (complexity, changed regularly, not reused), people are still the weakest link in the security chain. Social engineering can convince even intelligent people to enter their credentials on a phishing site or give them up over the phone.
The solution is two-factor authentication, or 2FA. (Technically, it should be called multi-factor authentication, but 2FA is the most common form, so that’s the term I’ll use in this article.)
Turning on 2FA for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. Those proofs must come from at least two of the following categories:
- "Something you know," such as a password or PIN
- "Something you are," such as a fingerprint or other biometric ID
- "Something you have," such as a trusted smartphone that can generate or receive confirmation codes
For the most part, the two-factor authentication systems you see in place today use the first item, your password, and the last item, your smartphone. Smartphones have become ubiquitous, making them ideal security devices.
Your smartphone can assist with authentication by providing a unique code that you use along with your password to sign in. You can acquire that code in one of two ways: sent as a text message from the service, or generated by an app installed on your phone.
Here, for example, is what I saw moments ago when I tried to sign in to my Gmail account from a browser I had never used before.
If this sign-in request were from someone who had stolen my Google account credentials, he’d be stopped dead in his tracks. Without that code, he can’t continue the sign-in process.
I prefer the option to use an authenticator app rather than receiving codes via text message whenever possible, and so should you. The reason is simple logistics. There are times when you have access to the Internet (via a wired connection or Wi-Fi) but don’t have the ability to receive a text message, because your cellular signal is weak or nonexistent, or you’re using a different SIM while traveling.
The most popular 2FA app is Google Authenticator, which is available on iOS and Android. But if you use another platform, you can almost certainly find an alternative: Because the process for generating secure tokens is based on open standards, anyone can write an authenticator app that performs the same function.
It's worth noting that an authenticator app only requires a data connection during the initial setup process. After that, everything it does happens on your device. It basically acts as a sophisticated calculator that generates codes using the current time on your device and the shared secret. The online service uses the same secret and its own timestamp to generate codes that it compares against your entry. Time zone differences don't matter, because both sides count from the same universal clock; your codes will fail, though, if the time on your device is wrong.
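To show what that "sophisticated calculator" actually computes, here is an added example (not code from the article or from any authenticator app) of the open standard these apps share, time-based one-time passwords (RFC 6238 over HMAC-SHA1, 30-second steps, 6 digits). It also shows the service's side: how a verifier tolerates a phone clock that is a few seconds off while rejecting codes from a clock that is badly wrong. The secret is the RFC 6238 test key, written in the base32 form that setup screens display for manual entry.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890") in base32, the form a
# setup page shows when you type the shared secret by hand.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(b32: str) -> bytes:
    """Decode the base32 shared secret; tolerate spaces, lower case and missing '=' padding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time window containing unix_time (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // step                      # same on phone and server
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus skew_steps neighbours on
    each side, so a phone whose clock drifts by a few seconds still works, while a
    code from a clock that is minutes off (or a replayed old code) is rejected.
    compare_digest keeps the comparison constant-time."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

if __name__ == "__main__":
    key = decode_secret(SECRET_B32)
    print("code for the current 30-second window:", totp(key, int(time.time())))
```

The server never needs the phone online: both sides feed the same secret and the same counter (Unix time divided by 30) into the HMAC, which is why an app generates valid codes in airplane mode.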
To get started, you first need to install the app on the mobile device you want to use as your second authentication factor:
- If you carry an iOS device, you can get the Google Authenticator app from the App Store. (It’s optimized for use on iPhones but should work on an iPad as well.)
- On Android devices, install the Google Authenticator app from the Google Play Store.
- If you carry a Windows Phone, install the Microsoft Authenticator app, which uses the same standard to create authentication tokens that are identical to those from the Google app.
A BlackBerry app is also available.
After you install the app for your device, the next step is to set it up to work with each account where you have enabled 2FA. Not every service supports this form of 2FA, but many do: Google and Microsoft accounts are fully supported, as are Facebook and Dropbox. The LastPass password manager supports this standard as well. Twitter, at least at this point, works only with SMS-based login codes and doesn’t support the use of an authenticator app.
Amazon Web Services supports the use of TOTP tokens generated by Google Authenticator and other apps that use this standard. Microsoft Azure and Enterprise editions of Office 365 (Small Business edition is not supported) use a similar 2FA process but require a separate app, which is available for Windows Phone, Android, and iOS devices.
The setup process requires that you enter a shared secret using the mobile app. All three of the mobile apps I listed above support using a smartphone camera to take a picture of a QR code, which contains the unique code for your account. That’s much easier than entering a complex alphanumeric string manually.
Here, for example, is the QR code you'll see when setting up a Microsoft account.
Tap the plus sign to add a new account, choose the bar code option, aim the smartphone at the bar code on your computer screen, and wait for the app to fill in the necessary fields.
(And thanks to those who are worried that the bar code above might inadvertently compromise the account it's associated with. No, you can't use that bar code as a shared secret for the email account (which is a long-standing test account in the name of my late cat and isn't used for anything of value). After taking that screenshot I ran through setup for the authenticator app again, wiping out the original shared secret and replacing it with a completely new one.)
After you set up the account in the authenticator app, it begins generating codes based on the shared secret and the current time. To complete the setup process, enter the code from the authenticator app.
The next time you try to sign in with a new device or web browser, you’ll need to enter the current code, as displayed by the authenticator app.
If you use apps (including Outlook or Thunderbird) with an account that's protected by 2FA, your normal password won't work anymore. You'll need to generate special passwords for use exclusively with those apps. The security settings for your account should guide you through that process.
As part of the 2FA setup process, you should also generate one or more recovery codes, which you can print out and store in a safe place. In the event your smartphone is lost or damaged, you can use those codes to regain access to your account.
And if you replace your phone, install the authenticator app on the new device and repeat the setup process for each account you used with your old phone. Setting up an account in a new authenticator app automatically disables codes generated by the old device.
Two-factor authentication will stop most casual attacks dead in their tracks. It's not perfect, though. A determined attacker who is directly targeting a specific account might be able to find ways to work around it, especially if he can hijack the email account used for recovery or redirect phone calls and SMS messages to a device he controls. But if someone is that determined to break into your account, you have a bigger problem.
Any questions? Leave them in the Talkback section.